Windows Guide

How to Capture a WPA Handshake on Windows

TL;DR — Capturing a WPA handshake on Windows requires a WiFi adapter that supports monitor mode and packet injection. This guide walks through the complete process: adapter selection, driver installation, monitor mode setup, and handshake capture using both GUI tools and WSL with aircrack-ng.

What you need: compatible WiFi adapter

Most built-in laptop WiFi adapters (Intel, Realtek, Qualcomm) do NOT support monitor mode or packet injection on Windows. You need a USB WiFi adapter with a chipset that supports these features. The most compatible chipsets are: Ralink RT3070/RT5370, Realtek RTL8187L, Atheros AR9271, and MediaTek MT7612U.

Popular adapter models: Alfa AWUS036ACH (MT7612U), Alfa AWUS036NHA (AR9271), TP-Link TL-WN722N v1 (AR9271), Panda PAU09 (RT5572). Avoid v2/v3 of TL-WN722N — they use Realtek chipsets with limited monitor mode support.

  • Required: USB WiFi adapter with monitor mode support
  • Recommended chipsets: MT7612U, AR9271, RT3070, RTL8187L
  • Avoid: Intel, Broadcom, most built-in laptop WiFi chips

Method 1: Windows GUI with CommView for WiFi

CommView for WiFi by TamoSoft is a commercial Windows WiFi analyzer that supports monitor mode with compatible adapters. It provides a graphical interface for channel scanning, packet capture, and handshake detection. While not free ($199 for a license), the 30-day trial is sufficient for a one-time capture.

Install CommView and your adapter drivers. Start a capture on the target channel. Filter for EAPOL packets. When a client connects to the network, you will see the 4-way handshake packets. Export the capture as .cap for later conversion to .hc22000 format.

Method 2: WSL with aircrack-ng (free)

Windows Subsystem for Linux (WSL2) can run aircrack-ng if you pass through the USB WiFi adapter. This gives you the full Linux wireless toolchain on Windows. Install WSL2, attach your USB adapter via usbipd, install aircrack-ng inside WSL, and follow the standard Linux capture workflow.

From WSL:

  • Enable monitor mode: sudo airmon-ng start wlan0
  • Start the capture: sudo airodump-ng wlan0mon -c <channel> --bssid <BSSID> -w capture
  • Wait for a client to connect (or deauth one with aireplay-ng -0 5 -a <BSSID> -c <client> wlan0mon).

The .cap file is your captured handshake.

Converting the capture to .hc22000

Once you have the .cap file with a valid handshake, convert it to Hashcat mode 22000 format using hcxpcapngtool: hcxpcapngtool -o output.hc22000 capture.cap. Optionally add the network's ESSID if not already included: -E essidlist. The .hc22000 file can be uploaded to a WiFi password recovery service or attacked locally with hashcat.
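Before a converted file is uploaded or processed, it is worth confirming that every record in it belongs to a network you are authorized to test. The following is an added example, not code from this guide or from hcxtools: it parses mode 22000 lines using the field layout from the hashcat documentation and sorts them against an allow-list of BSSIDs. The function names and the sample lines are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Mode 22000 line layout (hashcat documentation):
# WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_CLIENT*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR
KINDS = {"01": "PMKID", "02": "EAPOL"}

class Record(NamedTuple):
    kind: str
    bssid: str
    client: str
    essid: str

def fmt_mac(hexstr: str) -> str:
    # 12 hex digits -> aa:bb:cc:dd:ee:ff; ValueError if malformed
    if len(hexstr) != 12:
        raise ValueError(f"bad MAC field: {hexstr!r}")
    return ":".join(f"{b:02x}" for b in bytes.fromhex(hexstr))

def parse_line(line: str) -> Record:
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in KINDS:
        raise ValueError("not a mode 22000 line")
    if len(bytes.fromhex(f[2])) != 16:
        raise ValueError("PMKID/MIC must be 16 bytes")
    if f[1] == "02" and (len(f[6]) != 64 or not f[7]):
        raise ValueError("EAPOL record lacks ANonce or EAPOL frame")
    essid = bytes.fromhex(f[5]).decode("utf-8", errors="replace")
    return Record(KINDS[f[1]], fmt_mac(f[3]), fmt_mac(f[4]), essid)

def split_by_scope(lines, authorized_bssids):
    # Returns (in-scope records, out-of-scope records, malformed lines)
    allowed = {b.lower() for b in authorized_bssids}
    in_scope, out_of_scope, malformed = [], [], []
    for line in filter(str.strip, lines):
        try:
            rec = parse_line(line)
        except ValueError:
            malformed.append(line.strip())
            continue
        (in_scope if rec.bssid in allowed else out_of_scope).append(rec)
    return in_scope, out_of_scope, malformed

# Constructed sample lines (not real captures); MACs and ESSIDs are made up.
SAMPLE = [
    "WPA*02*" + "ab" * 16 + "*02aabbccdd01*02aabbccdd99*"
    + "lab-ap".encode().hex() + "*" + "11" * 32 + "*0103005f02*02",
    "WPA*01*" + "cd" * 16 + "*02aabbccdd02*02aabbccdd99*"
    + "guest".encode().hex() + "***",
    "WPA*02*truncated",
]
```

Call split_by_scope(open("output.hc22000"), ["<your BSSID>"]) and keep only the first list; anything in the second list was captured from a network outside your authorization and should be discarded.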

Frequently Asked Questions

Can I capture a handshake without a special adapter?
Almost always no. Standard built-in WiFi adapters don't support monitor mode. You need a USB adapter with a compatible chipset (MT7612U, AR9271, RT3070, RTL8187L). Alfa Network adapters are the most reliable choice.

How long does a handshake capture take?
Seconds to minutes if a client is already connected and you force a deauthentication. Without an active client, you must wait for a new connection — this could take minutes to hours.

Is packet capture legal?
Capturing packets on networks you own or have explicit authorization for is legal. Capturing packets on third-party networks without permission violates wiretapping laws (CFAA in US, Computer Misuse Act in UK). Always capture on your own network or with written authorization.

What if no client connects to the network?
WiFi recovery from a handshake requires the network to have at least one active client during capture. If the network has zero clients, a handshake cannot be captured. Alternative: access the router's admin interface from a wired connection.
