In some cases the serial number is actually captured with the handshake. You can open the cap in a text editor and scroll around and perhaps spot the SN in plain text. strings filename.cap would work, or you could use wireshark.
If the SN is not in the cap, you have still reduced the parameter space from all possible passwords to all possible serial numbers. You'll just need to generate the table of passwords that correspond to each possible serial number. It's not as daunting as you might think, as we think the SN has a production year and week in it, and thus there are only 100million or so possible. This is much less than 36^10.
But that last step requires you to read the discussion in this thread regarding SN ranges and learn a little python.
If the SN is not in the cap, you have still reduced the parameter space from all possible passwords to all possible serial numbers. You'll just need to generate the table of passwords that correspond to each possible serial number. It's not as daunting as you might think, as we think the SN has a production year and week in it, and thus there are only 100million or so possible. This is much less than 36^10.
But that last step requires you to read the discussion in this thread regarding SN ranges and learn a little python.