I am trying to capture completed handshake frames in a WPA2 EAPOL authentication. The source can be a pcap file or live capture. My idea is to
- identify message type of EAPOL (message 1, 2, 3 & 4)
- compare Key Nonce (should be similar for messages 1 & 3, 2 & 4)
- verify source and destination for all 4 messages. If these conditions are satisfied for the 4 EAPOL frames, then it is a complete handshake (check timestamps in case of duplicate frames).
But I have observed that in a complete handshake, many times message 4 carries a Nonce of zero value instead of the Nonce of message 2.
What other fields should be considered while determining a complete handshake then?
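One way to classify and pair the four messages without depending on the message 4 nonce, added here as an example and not code from the question: it reads the Key Information flags (Key ACK, Key MIC, Install, Secure) and the Replay Counter of each EAPOL-Key frame, pairs M1/M2 and M3/M4 by Replay Counter and M1/M3 by ANonce. It assumes each frame is passed as the raw EAPOL payload (after the 802.11 and LLC/SNAP headers) together with its source and destination MAC; the `build` helper only produces synthetic frames for demonstration.

```python
import struct
from collections import defaultdict
# Byte offsets inside an EAPOL-Key frame (802.1X header 4 + descriptor type 1 = 5)
KEY_INFO, REPLAY, NONCE, MIN_LEN = 5, 9, 17, 99
# Key Information flag bits of the RSN key descriptor
PAIRWISE, INSTALL, ACK, MIC, SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9
replay = lambda f: struct.unpack_from(">Q", f, REPLAY)[0]   # 8-byte Replay Counter
nonce = lambda f: f[NONCE:NONCE + 32]                         # 32-byte Key Nonce

def classify(frame):
    """Return 1..4 for a pairwise EAPOL-Key message, else None (flags only, nonce unused)."""
    if len(frame) < MIN_LEN or frame[1] != 3 or frame[4] not in (2, 254):
        return None                           # not EAPOL-Key, or neither RSN nor WPA
    info = struct.unpack_from(">H", frame, KEY_INFO)[0]
    if not info & PAIRWISE:
        return None                           # group-key handshake, skip
    if info & ACK and not info & MIC:
        return 1
    if info & ACK and info & MIC and info & INSTALL:
        return 3
    if not info & ACK and info & MIC and not info & INSTALL:
        return 4 if info & SECURE else 2      # Secure bit separates M4 from M2
    return None

def complete_handshakes(frames):
    """frames: iterable of (src_mac, dst_mac, eapol_bytes); returns completed 4-way exchanges."""
    by_pair = defaultdict(lambda: defaultdict(list))
    for src, dst, f in frames:
        m = classify(f)
        if m:                                 # M1/M3 flow AP->STA, M2/M4 STA->AP
            ap, sta = (src, dst) if m in (1, 3) else (dst, src)
            by_pair[(ap, sta)][m].append(f)
    found = []
    for (ap, sta), msgs in by_pair.items():
        for m1 in msgs[1]:
            m2 = next((f for f in msgs[2] if replay(f) == replay(m1)), None)
            m3 = next((f for f in msgs[3] if nonce(f) == nonce(m1)
                       and replay(f) > replay(m1)), None)
            m4 = next((f for f in msgs[4] if m3 and replay(f) == replay(m3)), None)
            if m2 and m4:
                found.append({"ap": ap, "sta": sta, "anonce": nonce(m1).hex(),
                              "snonce": nonce(m2).hex()})
    return found

def build(info, replay_ctr, key_nonce=bytes(32)):
    """Construct a minimal RSN EAPOL-Key frame (synthetic test data, not a capture)."""
    body = bytes([2]) + struct.pack(">HHQ", info | 2, 16, replay_ctr) + key_nonce
    body += bytes(16 + 8 + 8 + 16) + struct.pack(">H", 0)   # IV, RSC, Key ID, MIC, data len
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body
```

Retransmissions (same direction, same Replay Counter) are not deduplicated here; that is where the timestamp check mentioned in the question fits, before pairing.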