Kushal Srinivas

ESP32 Handshake Capture — A WiFi Security Education Tool

Creator · 2025
C++ · ESP32 · Arduino · ILI9341 · 802.11

I wanted to understand WiFi security at the protocol level — not from textbooks, but by watching it happen in real time. So I built a passive handshake capture tool that runs on an ESP32 with a TFT display.

The device monitors WiFi traffic, tracks access points, detects EAPOL authentication frames, and visualises the WPA/WPA2 4-way handshake as it happens. It’s a portable, standalone security education tool.

How it works

  • Promiscuous mode — the ESP32’s WiFi radio is set to capture all packets on the air, not just ones addressed to it. This lets us see the entire authentication exchange.
  • Channel hopping — cycles through channels 1–13 every 250ms to cover the full 2.4GHz spectrum. Finds APs regardless of which channel they operate on.
  • EAPOL detection — identifies 802.1X authentication frames by their EtherType (0x888E). Parses the Key Info field to determine which of the 4 handshake messages it is.
  • Real-time display — four rotating modes on the ILI9341 TFT: live AP tracking, captured handshakes, security analysis, and statistics. Matrix-style boot animation because why not.
  • Security analysis — assesses handshake quality based on signal strength, tracks encryption type distribution, and calculates capture success rates.

The 4-way handshake

WPA/WPA2 authentication uses a 4-message exchange between the access point and client. Message 1 carries the ANonce from the AP. Message 2 sends the SNonce and MIC from the client. Message 3 delivers the GTK and another MIC. Message 4 is the final acknowledgement. All four are needed for a complete capture.

The tool parses the Key Information field bit-by-bit to classify each frame: ACK bit set without MIC means Message 1. MIC without ACK means Message 2. ACK + Install + MIC together means Message 3. And MIC + Pairwise without ACK means Message 4.
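The EAPOL detection and Key Information classification described in "How it works" and in the paragraph above, as an added example written for this page rather than code from the project. It takes the body of an 802.11 data frame (after the MAC header), checks the LLC/SNAP header for EtherType 0x888E, reads the Key Information and Key Data Length fields at the offsets given by IEEE 802.11i, and classifies the frame with the page's bit rules. One addition beyond the page's rules: messages 2 and 4 both have MIC set and ACK clear, so the example separates them by the Key Data Length (message 2 carries the RSN IE, message 4 carries no key data). The four test frames are constructed, not captured, and the tracker that marks a pair as complete is the same bookkeeping a monitoring tool uses to spot handshakes that never finish.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <vector>

// Key Information bit layout of the EAPOL-Key frame (IEEE 802.11i).
enum : uint16_t {
    KI_KEY_TYPE_PAIRWISE = 1u << 3,
    KI_INSTALL           = 1u << 6,
    KI_KEY_ACK           = 1u << 7,
    KI_KEY_MIC           = 1u << 8,
    KI_SECURE            = 1u << 9,
};

// LLC/SNAP header that precedes an EAPOL payload in an 802.11 data frame: EtherType 0x888E.
static const uint8_t kSnapEapol[8] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8E};
// EAPOL header (4) + key descriptor fields up to and including Key Data Length (95).
static const size_t kEapolKeyFixedLen = 99;

enum class HandshakeMsg { NotEapolKey, Unknown, M1, M2, M3, M4 };

struct EapolKeyInfo {
    uint16_t key_info;
    uint16_t key_data_len;
    uint8_t  descriptor_type;  // 2 = RSN (WPA2), 254 = WPA
};

static uint16_t be16(const uint8_t* p) { return static_cast<uint16_t>((p[0] << 8) | p[1]); }

// Fills `out` and returns true if `body` is a well-formed EAPOL-Key frame body.
bool parse_eapol_key(const uint8_t* body, size_t len, EapolKeyInfo& out) {
    if (len < sizeof(kSnapEapol) + kEapolKeyFixedLen) return false;
    if (memcmp(body, kSnapEapol, sizeof(kSnapEapol)) != 0) return false;  // not 802.1X
    const uint8_t* eapol = body + sizeof(kSnapEapol);
    if (eapol[1] != 3) return false;                       // EAPOL packet type 3 = EAPOL-Key
    const uint16_t eapol_len = be16(eapol + 2);            // length excludes the 4-byte header
    if (eapol_len + 4u > len - sizeof(kSnapEapol)) return false;  // truncated frame
    out.descriptor_type = eapol[4];
    out.key_info = be16(eapol + 5);
    out.key_data_len = be16(eapol + 97);
    if (kEapolKeyFixedLen + out.key_data_len > eapol_len + 4u) return false;  // key data overruns
    return true;
}

// The page's bit rules, plus Key Data Length to tell message 2 from message 4.
HandshakeMsg classify(const EapolKeyInfo& k) {
    const bool ack = k.key_info & KI_KEY_ACK;
    const bool mic = k.key_info & KI_KEY_MIC;
    const bool install = k.key_info & KI_INSTALL;
    const bool pairwise = k.key_info & KI_KEY_TYPE_PAIRWISE;
    if (!pairwise) return HandshakeMsg::Unknown;          // group-key handshake, not the 4-way
    if (ack && !mic) return HandshakeMsg::M1;
    if (ack && mic && install) return HandshakeMsg::M3;
    if (!ack && mic) return k.key_data_len > 0 ? HandshakeMsg::M2 : HandshakeMsg::M4;
    return HandshakeMsg::Unknown;
}

HandshakeMsg classify_frame(const std::vector<uint8_t>& f) {
    EapolKeyInfo k{};
    if (!parse_eapol_key(f.data(), f.size(), k)) return HandshakeMsg::NotEapolKey;
    return classify(k);
}

// Per AP/client pair: bitmask of messages seen; a capture is complete only with all four.
struct HandshakeState { uint8_t seen = 0; };
void record(HandshakeState& s, HandshakeMsg m) {
    switch (m) {
        case HandshakeMsg::M1: s.seen |= 1; break;
        case HandshakeMsg::M2: s.seen |= 2; break;
        case HandshakeMsg::M3: s.seen |= 4; break;
        case HandshakeMsg::M4: s.seen |= 8; break;
        default: break;
    }
}
bool complete(const HandshakeState& s) { return s.seen == 0xF; }

// Constructed frame body: SNAP + EAPOL-Key with the given Key Information and Key Data Length,
// all other fields zero (nonces, MIC and key data are irrelevant to classification).
std::vector<uint8_t> make_frame(uint16_t key_info, uint16_t key_data_len) {
    std::vector<uint8_t> f(kSnapEapol, kSnapEapol + sizeof(kSnapEapol));
    std::vector<uint8_t> eapol(kEapolKeyFixedLen + key_data_len, 0);
    const uint16_t body_len = static_cast<uint16_t>(95 + key_data_len);
    eapol[0] = 2;                                          // EAPOL version
    eapol[1] = 3;                                          // EAPOL-Key
    eapol[2] = static_cast<uint8_t>(body_len >> 8); eapol[3] = static_cast<uint8_t>(body_len);
    eapol[4] = 2;                                          // descriptor type 2 = RSN
    eapol[5] = static_cast<uint8_t>(key_info >> 8); eapol[6] = static_cast<uint8_t>(key_info);
    eapol[97] = static_cast<uint8_t>(key_data_len >> 8); eapol[98] = static_cast<uint8_t>(key_data_len);
    f.insert(f.end(), eapol.begin(), eapol.end());
    return f;
}

int main() {
    // Key Information values as a WPA2 (descriptor version 2) exchange would carry them.
    const uint16_t m1 = 0x008A, m2 = 0x010A, m3 = 0x13CA, m4 = 0x030A;
    HandshakeState st;
    for (auto f : {make_frame(m1, 0), make_frame(m2, 22), make_frame(m3, 56), make_frame(m4, 0)}) {
        HandshakeMsg m = classify_frame(f);
        record(st, m);
        printf("message %d, complete=%d\n", static_cast<int>(m) - 1, complete(st));
    }
    return 0;
}
```

A monitoring tool can run the same `record` bookkeeping per AP/client pair and alert on pairs that repeatedly reach message 1 without ever reaching message 4, which is what forced re-authentication looks like from the air.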

Hardware

ESP32-WROOM-32 running Arduino with an ILI9341 2.4” TFT (320×240). Software SPI — GPIO 23 (MOSI), 18 (SCK), 5 (CS), 21 (DC), 4 (RST). Total BOM is under $15. The whole thing fits in a pocket.

What I learned

Working at the radio level changes how you think about WiFi. Every device around you is constantly broadcasting — probe requests, beacon frames, association requests. The air is loud. Understanding the protocol at this depth makes you better at securing it.

ESP32’s promiscuous mode callback runs in IRAM — you have microseconds to process each frame before the next arrives. Memory management is critical: 20 APs times 10 clients times frame state equals real constraints on a microcontroller with kilobytes of RAM.
