“Invalid Packet Capture Length” Aircrack-NG – Quick Fix.
Sometimes when running Airodump-NG I have noticed that a CTRL+C SIGINT call will make a packet that is extremely long in size! In fact, the broken packet is so long that Aircrack-NG will not run on the PCAP file. How do we fix it? We could remove just the bad packet, but the method below also trims down the PCAP file size, which helps if it took you a long time to retrieve the WPA/WPA2 EAPOL handshake.
Open the bad PCAP file in Wireshark. Sometimes you could use Pyrit to clean up the handshake PCAP file, but that also sometimes makes it incompatible with Aircrack-NG. Here’s why (from the Aircrack-NG documentation):
“Aircrack-ng also requires a valid beacon. Ensure this beacon is part of the same packet sequence numbers. For example, if the beacon packet sequence number is higher than the EAPOL packet sequence numbers from the AP, the handshake will be ignored.”
Also, another beautiful thing about Aircrack-NG (from Aircrack-NG documentation):
“For WPA handshakes, a full handshake is composed of four packets. However, aircrack-ng is able to work successfully with just 2 packets. EAPOL packets (2 and 3) or packets (3 and 4) are considered a full handshake.”
To fix the error, you can use the quick tshark method like so (current tshark releases take the display filter with -Y; older releases used -R):
tshark -r <input file name> -Y "eapol || wlan.fc.type_subtype == 0x08" -w <output file name>
Or you can use Wireshark and filter out the Beacon packets, which are management packets (type 1, class 1) with subtype 8, or in Wireshark’s hexadecimal notation: 0x08.
This is, of course, if your EAPOL and Beacons are not corrupted. Here is an amazing article on WPA packet capture explained. You can learn far more from the aforementioned books, but for now…. READ THIS!
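As an added example (not code from the original post or from the Aircrack-NG project), the Python sketch below walks the record headers of a classic pcap file, finds the first record whose capture length is invalid, and cuts the file there. It assumes the damaged record is the last thing written, as in the interrupted-capture case described above; the function names, the fallback limit and the sample bytes are constructed for illustration.

```python
import struct

# Classic pcap magic as stored on disk -> struct byte-order prefix (usec and nsec variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}
FALLBACK_LIMIT = 65535  # assumption: used only when the header's snaplen field is 0

def scan_pcap(data):
    """Return (record_count, bad_offset); bad_offset is None when every record is sane."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # Global header is 24 bytes; snaplen sits at offset 16.
    snaplen = struct.unpack(order + "I", data[16:20])[0] or FALLBACK_LIMIT
    pos, count = 24, 0
    while pos < len(data):
        if pos + 16 > len(data):
            return count, pos                      # record header itself is cut short
        # Record header: ts_sec, ts_usec, incl_len, orig_len (4 bytes each).
        incl_len = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        end = pos + 16 + incl_len
        if incl_len > snaplen or end > len(data):
            return count, pos                      # invalid capture length
        pos, count = end, count + 1
    return count, None

def repair_pcap(data):
    """Drop everything from the first bad record onward; return the repaired bytes."""
    _, bad = scan_pcap(data)
    return data if bad is None else data[:bad]

def build_sample():
    """Constructed input: two good records, then a record header with a huge incl_len."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)  # 105 = LINKTYPE_IEEE802_11
    rec = lambda payload: struct.pack("<IIII", 1, 0, len(payload), len(payload)) + payload
    bad = struct.pack("<IIII", 2, 0, 0xFFFFFFF0, 0xFFFFFFF0) + b"\x00" * 4
    return hdr + rec(b"A" * 10) + rec(b"B" * 12) + bad

if __name__ == "__main__":
    sample = build_sample()   # for a real capture: open(path, "rb").read()
    print("scan:", scan_pcap(sample))
    fixed = repair_pcap(sample)
    print(len(sample), "->", len(fixed), "bytes; rescan:", scan_pcap(fixed))
```

Work on a copy of the capture, since everything after the first bad record is discarded.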