I'm still a bit on shaky ground when it comes to understanding the ins and outs of WPA vs WPA2-PSK handshakes. I think (but I'm not sure) that a lot of my confusion is caused by subtle differences in the way that differing sources use terminology. For example, earlier I was of the understanding that the correct terms for the two security protocols were "WPA" and "WPA2-PSK", and I thought that I had it down correct that a WPA2-PSK network would have its authentication goods transmitted over the airwaves in the form of an encrypted key, whereas a WPA network would have its authentication goods transmitted over the airwaves in the form of a plain text PIN number.
However, I happened across a www page earlier that listed the two network security protocols as WPA-PSK and WPA2-PSK.

It does get frustrating at first, when you think you have something down, then spot one or two takes on it that more or less shatter what you thought you knew. Then you backtrack a little bit, trying to salvage what you can of what you've already been basing some of your assumptions on... Then you move ahead a little bit more, gaining a small amount of knowledge and experience until the next time that s**t seems to hit the fan... And the cycle repeats, etc., etc., etc., ...

This post is mainly during one of those "backtracking" phases, where I previously thought that I had a decent working perception of some things, but have recently started to notice that certain parts of that understanding are breaking down and not holding water as much as they previously used to. The thing is that I am unable to identify and/or explain exactly *** is going on. I only know that something is wrong somewhere, but cannot tell exactly where it is messed up.

===

This post is also about me trying to hone in on what I should be looking for when examining a data capture with Wireshark. Basically, I have a capture of what I'm almost certain is a valid handshake (the four handshake packets passed all of the scrutiny that I could give them, and I was also watching Wireshark do its thing when I re-authenticated with the router and then saw it catch the four EAPOL packets as I re-authenticated).
I'll be using the six images listed below as reference quite a bit. The image names, their descriptions, and the imgur links to them are:
1) my_handshake.png; A screenshot of a Wireshark capture. The 4 EAPOL packets that make up the capture are in the middle of the pic (#'s 167,168,169,&170).
http://imgur.com/a/0RmjL
2) mh_pckt1.png; A screenshot of "Key (Message 1 of 4)".
http://imgur.com/a/0RmjL
3) mh_pckt2.png; A screenshot of "Key (Message 2 of 4)".
http://imgur.com/a/0RmjL
4) mh_pckt3.png; A screenshot of "Key (Message 3 of 4)".
http://imgur.com/a/0RmjL
5) mh_pckt4.png; A screenshot of "Key (Message 4 of 4)".
http://imgur.com/a/0RmjL
6) 4-way-handshake_WPA2.png; This is a pic of a WPA2 4-way handshake (I use it as desktop wallpaper because it helps me to memorize the pic better).
http://imgur.com/a/0RmjL

Also for reference is an article from http://www.kalitutorials.net/2014/06...handshake.html titled "Hack WPA/WPA2 PSK Capturing the Handshake". When I'm learning something from online, I'll try to use about 3-4 sources. That way, if there's any confusion about something then I can look at the other sources to see how they put it. Sometimes it helps to clear up some confusion, but mostly it just lets me know if my take on things is right or wrong.

This particular handshake is of me authenticating with a Netgear router over a WLAN network named "NETGEAR-Guest". Its security is WPA2.

To begin with, after getting a capture and going through it to see if there might be a valid handshake in it, I spot the four packets with a "No." of 167, 168, 169, & 170 (see the screenshot "my_handshake.png"). Those four packets look like they could very well be a valid handshake because: 1) The packets are all of the EAPOL "Protocol"; 2) All four messages appear to have been successfully captured, as the "Info" field's values for those packets are "Key (Message 1 of 4)", "Key (Message 2 of 4)", "Key (Message 3 of 4)", and "Key (Message 4 of 4)"; 3) Lastly, what I notice about that screenshot is that the "Source" field for those packets appears as if communication has taken place between only two parties (between 86:1b:5e:42:b3:27 and IntelCor_e0:85:dd). Aside from the fact that the "Destination" field is empty for those four packets (I don't know why I never wondered too much about it before), all seems to be in good shape so far.
So, after looking through the Wireshark capture and deciding that if there's a valid handshake in it, that it'll probably be those four packets, I look deeper into the first one (see "mh_pckt1.png") by highlighting packet #167 and then expanding the entries for "802.1x Authentication" and "WPA Key Data:". The replay counter is 0 for this first one. "It'll be great if the 2nd packet's replay counter is also 0, and then packets #3 and #4 both have a replay counter that's 1", I think to myself. Looking at it also with the diagram in "4-way-handshake_WPA2.png" in mind (I'm memorizing that particular diagram to get the handshake process down), I remember that the first step in the process is for an Anonce to go from the AP to the STA. This makes me wonder if (in the pic of the first packet) the entry "WPA Key Nonce: f2ba914be4b17a807d7b2db61e1f814e47f97d334e6bf718.. ." is what that Anonce refers to? If I got it correct, what I'm seeing is the AP sending an Anonce to the STA (& then the STA, or client, can go ahead with making the PTK)?
Moving on to look at the 2nd packet (see "mh_pckt2.png") I can see that this one also has a replay counter of 0, so that's good. If I'm looking at the process of the STA sending an Snonce to the AP (together with a MIC), then I guess "WPA Key Nonce: d28cd01c5983d08156ffb305cf86d01810e5ac804e0f4d6c.. ." would be that Snonce that it's talking about. Looking at Wireshark's top pane, I'm thinking that the Source = 86:1b:5e:42:b3:27 must be the router (since that's the AP), and that Source = IntelCor_e0:85:dd must be the device that I was authenticating on (since that's the STA)? From the way that I understood this step in the handshake, the STA is also supposed to send a MIC, including authentication, which is really an MAIC. "Okay", I'm thinking, "I don't need to learn ALL of the particulars at this stage in my learning, but just improve my Wireshark capture reading skills some." Well, looking at the pic, I'm thinking that "WPA Key MIC: 9679ad0d48a613488e68577dadc970cf" might be the MIC and "WPA Key Data: 30140100000fac040100000fac040100000fac020000" might be the PTK (although I don't exactly remember reading that the PTK gets exposed over the airwaves)?
Moving on to the 3rd packet (see "mh_pckt3.png")... This one has a replay counter of 1, so that's good. From what all I've learned about it so far, I think that this packet might be the golden goose (correct me if I'm wrong)? If I'm correct, this is the step where the AP sends a GTK and a sequence number with another MIC. Well, I don't know exactly what the GTK is, besides it maybe standing for "Global Temporal Key". Looking at the Wireshark capture for that packet, I guess the GTK might be "WPA Key Nonce: f2ba914be4b17a807d7b2db61e1f814e47f97d334e6bf718.. .", but I'd be lucky to be correct about that? The MIC looks to be "WPA Key MIC: ed8747d1f66d53e05c80171290e6a377"? And, the part that I'm really interested in is the "WPA Key Data: 12bfb55a99d08b44136c7fbf84075cebbec1d67fbf6b1f22.. ."? The entry just above that one shows its data length to be 56. Using that info along with the fact that the WPA Key Data seems to be incomplete (because it ends with "...") prompts me to look at Wireshark's bottom pane where the Hex dump is. There, the WPA Key Data is listed in its entirety? Unless I'm mistaken, isn't that WPA Key Data what I'll want to crack to get the ASCII form of the password??? If that's not the encrypted password that I'm wanting to be able to successfully authenticate with the router, then where should I look for the correct one (the last two questions are the money questions)???
As for the fourth and final packet of the handshake ("mh_pckt4.png"), I didn't look at it much, beyond checking to see if its replay counter was also 1 (which it was). There are bound to be some errors in the above text with all the copying and pasting that I was doing, and the fact that I'm still learning about the whole WPA2-PSK handshake process.

NOTE - I had written this post before knowing about it going here, so the image names that I have listed above are pretty useless. In the end, I posted all of the pics to an imgur album, instead of uploading them. The correct way that they are laid out is, from top to bottom: the four packets of the entire handshake, packet1, packet2, packet3, packet4, and a diagram of the wpa2-psk handshake process.

Thanks for any feedback, comments, or corrections on this post.
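As an added illustration of what the four "802.1x Authentication" entries in the screenshots actually contain (this script is not from the post, the imgur images or the kalitutorials article): it parses EAPOL-Key packets field by field, classifies each one as message 1 to 4 from the Key Information bits the way the 802.11 standard defines them (Ack set with MIC clear is message 1; Ack and MIC both set is message 3; MIC set without Ack is message 2, or message 4 once the Secure bit is also set), and then checks the properties that make a capture a complete, consistent handshake: the replay counters pair up as 0, 0, 1, 1, the "WPA Key Nonce" of messages 1 and 3 is the same ANonce while message 2's nonce is the SNonce, message 2's "WPA Key Data" is the station's RSN information element sent in the clear (the 22-byte hex shown for the second packet decodes to CCMP with PSK key management), and message 3's "WPA Key Data" carries the Encrypted Key Data bit, meaning it holds the AES-key-wrapped GTK rather than anything readable. The sample frames are constructed: the nonces, MIC values and the 56-byte message 3 key data are placeholders, and only the RSN IE bytes are the value shown in the post. Input to the parser is the 802.1X portion of each frame, with the 802.11 and LLC/SNAP headers already removed.

```python
import struct
from collections import namedtuple

# EAPOL-Key body after the 4-byte 802.1X header (IEEE 802.11 EAPOL-Key frame format):
# descriptor type (1), key information (2), key length (2), replay counter (8), nonce (32),
# EAPOL-Key IV (16), key RSC (8), reserved (8), MIC (16), key data length (2), then key data.
EAPOL_KEY_FMT = ">BHHQ32s16s8s8s16sH"
EAPOL_KEY_FIXED_LEN = struct.calcsize(EAPOL_KEY_FMT)  # 95 bytes

# Key Information bits that decide which handshake message a frame is
KI_PAIRWISE, KI_INSTALL, KI_ACK = 0x0008, 0x0040, 0x0080
KI_MIC, KI_SECURE, KI_ENCRYPTED = 0x0100, 0x0200, 0x1000
CIPHER_SUITES = {b"\x00\x0f\xac\x02": "TKIP", b"\x00\x0f\xac\x04": "CCMP"}
AKM_SUITES = {b"\x00\x0f\xac\x01": "802.1X", b"\x00\x0f\xac\x02": "PSK"}
EapolKey = namedtuple("EapolKey", "key_info key_length replay_counter nonce mic key_data")

def parse_eapol_key(frame: bytes) -> EapolKey:
    """Parse an 802.1X packet (802.11 and LLC/SNAP headers already stripped) as EAPOL-Key."""
    _version, ptype, body_len = struct.unpack(">BBH", frame[:4])
    if ptype != 3:
        raise ValueError("not an EAPOL-Key packet (type %d)" % ptype)
    body = frame[4:4 + body_len]
    (_desc, key_info, key_len, replay, nonce, _iv, _rsc, _rsvd, mic,
     data_len) = struct.unpack(EAPOL_KEY_FMT, body[:EAPOL_KEY_FIXED_LEN])
    key_data = body[EAPOL_KEY_FIXED_LEN:EAPOL_KEY_FIXED_LEN + data_len]
    return EapolKey(key_info, key_len, replay, nonce, mic, key_data)

def message_number(k: EapolKey) -> int:
    """Classify a pairwise EAPOL-Key frame as message 1-4 from its Ack/MIC/Secure bits."""
    if not k.key_info & KI_PAIRWISE:
        raise ValueError("group key handshake frame, not part of the 4-way handshake")
    ack, mic, secure = (bool(k.key_info & b) for b in (KI_ACK, KI_MIC, KI_SECURE))
    if ack and not mic:
        return 1  # AP -> STA: ANonce, MIC field all zero
    if ack and mic:
        return 3  # AP -> STA: ANonce again, MIC, key-wrapped GTK in key data
    if not secure:
        return 2  # STA -> AP: SNonce, MIC, station's RSN IE in clear in key data
    return 4      # STA -> AP: MIC only, empty key data

def parse_rsn_ie(data: bytes) -> dict:
    """Decode the RSN information element (ID 0x30) carried in message 2's key data."""
    if data[0] != 0x30:
        raise ValueError("not an RSN IE")
    body = data[2:2 + data[1]]
    version, = struct.unpack("<H", body[:2])  # fields inside the IE are little-endian
    group, off = body[2:6], 6
    pair_count, = struct.unpack("<H", body[off:off + 2]); off += 2
    pairwise = [body[off + 4 * i:off + 4 * i + 4] for i in range(pair_count)]; off += 4 * pair_count
    akm_count, = struct.unpack("<H", body[off:off + 2]); off += 2
    akms = [body[off + 4 * i:off + 4 * i + 4] for i in range(akm_count)]
    return {"version": version, "group_cipher": CIPHER_SUITES.get(group, group.hex()),
            "pairwise_ciphers": [CIPHER_SUITES.get(p, p.hex()) for p in pairwise],
            "akm_suites": [AKM_SUITES.get(a, a.hex()) for a in akms]}

def check_handshake(frames) -> list:
    """Return consistency problems for four EAPOL packets captured in order; [] means consistent."""
    msgs = [parse_eapol_key(f) for f in frames]
    order = [message_number(m) for m in msgs]
    if order != [1, 2, 3, 4]:
        return ["message order is %s, expected [1, 2, 3, 4]" % order]
    m1, m2, m3, m4 = msgs
    problems = []
    if not (m2.replay_counter == m1.replay_counter and m3.replay_counter == m1.replay_counter + 1
            and m4.replay_counter == m3.replay_counter):
        problems.append("replay counters: message 2 must echo 1, 3 must be 1 plus one, 4 must echo 3")
    if m1.nonce != m3.nonce:
        problems.append("ANonce differs between messages 1 and 3")
    if any(m1.mic):
        problems.append("message 1 MIC field is not all zero")
    if not (m3.key_info & KI_INSTALL and m3.key_info & KI_ENCRYPTED):
        problems.append("message 3 lacks the Install/Encrypted Key Data bits")
    if m2.key_data[:1] != b"\x30":
        problems.append("message 2 key data does not start with an RSN IE")
    return problems

def build_eapol_key(key_info, key_len, replay, nonce, mic, key_data) -> bytes:
    """Assemble an RSN (descriptor type 2) EAPOL-Key packet; used only to construct samples."""
    body = struct.pack(EAPOL_KEY_FMT, 2, key_info, key_len, replay, nonce,
                       bytes(16), bytes(8), bytes(8), mic, len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body

# Constructed sample handshake: nonces, MICs and the wrapped key data are placeholders, not
# real values; the message 2 key data is the RSN IE hex shown in the post's second packet.
ANONCE, SNONCE = bytes(range(0xa0, 0xc0)), bytes(range(0x50, 0x70))
RSN_IE_FROM_POST = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
WRAPPED_GTK_PLACEHOLDER = bytes([0x12] * 56)  # 56 bytes, like the post's message 3 data length
SAMPLE_HANDSHAKE = [
    build_eapol_key(0x008a, 16, 0, ANONCE, bytes(16), b""),                               # message 1
    build_eapol_key(0x010a, 0, 0, SNONCE, bytes([0x96] * 16), RSN_IE_FROM_POST),           # message 2
    build_eapol_key(0x13ca, 16, 1, ANONCE, bytes([0xed] * 16), WRAPPED_GTK_PLACEHOLDER),   # message 3
    build_eapol_key(0x030a, 0, 1, bytes(32), bytes([0x4f] * 16), b""),                     # message 4
]

if __name__ == "__main__":
    for f in SAMPLE_HANDSHAKE:
        k = parse_eapol_key(f); print(message_number(k), k.replay_counter, k.nonce[:8].hex(), len(k.key_data))
    print(parse_rsn_ie(parse_eapol_key(SAMPLE_HANDSHAKE[1]).key_data), check_handshake(SAMPLE_HANDSHAKE))
```

check_handshake returns an empty list for a consistent capture; each string it returns names the Wireshark field to go back and re-examine, which is a quicker way to triage a capture than reading the replay counters and nonces by eye across four packet panes.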