Frequently Asked Questions (FAQ)

[ZerBea]

Instead of answering the same questions over and over again I decided to open a (general) discussion.

Introduction
You might expect me to recommend that everyone should be using hcxdumptool/hcxtools. But the fact of the matter is, however, that hcxdumptool/hcxtools is NOT recommended to be used by unexperienced users or newbees.
If you are not familiar with Linux generally or if you do not have at least a basic level of knowledge as mentioned in section "Requirements", hcxdumptool/hcxtools is probably not what you are looking for.
However, if you have that knowledge there’s no better toolkit than hcxdumtool/hcxtools.

Requirements

• knowledge of radio technology
• knowledge of electromagnetic-wave engineering
• detailed knowledge of 802.11 protocol
• detailed knowledge of key derivation functions
• detailed knowledge of Linux (strict)
• detailed knowledge of filter procedures (Berkeley Packet Filter, capture filter, display filter)
• operating system: Linux (recommended: kernel >= 6.4, mandatory: kernel >= 5.10)
• recommended: Arch Linux on notebooks and desktop systems, Arch Linux Arm on Raspberry Pi >= ARMv7 systems, Raspbian OS Lite or Debian on Raspberry Pi ARMv6 systems
• chipset must be able to run in monitor mode. Recommended: MediaTek chipsets (due to active monitor mode capabilities)
• driver must (mandatory) support monitor and full frame injection mode
• gcc >= 13 recommended (deprecated versions are not supported: https://gcc.gnu.org/)
• Raspberry Pi A, B, A+, B+, Zero (WH). (Recommended: Zero (WH) or A+, because of a very low power consumption), but notebooks and desktops will work, too.
• GPIO hardware mod recommended (push button and LED) on Raspberry Pi
• to allow 5/6/7GHz packet injection, it is mandatory to uncomment a regulatory domain that support this: /etc/conf.d/wireless-regdom

If you decide to compile latest git head, make sure that your distribution is updated to latest version.

Quick start
The basic workflow is detailed explained here:
workflow
It works on hashcat as well as on JtR.

History
The changelog give an overview about the major changes of hcxtools/hcxdumptool.
More and detailed information since the tools went open source is here
history of hcxdumptool

Nonce Error Corrections
hcxtools/hcxdumptool are able to detect a packet loss during dumping the WiFi traffic and report it to hashcat so that it can be compensated.
nonce error corrections

Plain Master Key Identifier
A Plain Master Key Identifier (PMKID) is an unique key identifier used by an ACCESS POINT (AP) to keep track of a Plain Master Key (PMK) from CLIENT.
PMKID

[v74863]

I think the most-frequently-asked-question currently is:

why hcxdumptool doesn't accept some options, like
-o

The answer:
Starting with the release v6.3.0 (05.05.2023), hcxdumptool uses different options.
In other words, the syntax has changed.
Use -w instead of -o
Please see the built-in help.
Just type "hcxdumptool -h" and press Enter

[ZerBea]

Major reason to move from -o to -w is the compatibility to tshark.
hcxdumptool stores only the necessary frames to recover a PMK/PSK. To store the entire traffic, tshark can run in parallel on the same interface:

$ sudo hcxdumptool -i INTERFACE_NAME -w frames_to_recover_the_psk.pcapng -F --rds=1
$ tshark -i INTERFACE_NAME -w entiretraffic.pcapng

[v74863]

Please explain in detail why it is not recommended to set monitor mode with third-party tools (iwconfig, iw, airmon-ng).
This answer should definitely be in the FAQ.
Thanks in advance.

By the way, I noticed that tcpdump can set it using option --monitor-mode
Also there is a special script here
https://github.com/morrownr/Monitor_Mode

[ZerBea]

For two reasons:

I don't know what these scripts are exactly doing (set monitor mode, set active monitor mode, set passive monitor mode, add monitor mode, add virtual device in monitor mode, set interface rate, set bandwidth, ...).

Depending on the capabilities of the device hcxdumptool set active monitor. If that is not supported, it set monitor passive mode. Additional it set lowest bandwidth and lowest rate to increase range before it set the device operational.

If the user does not follow this recommendation, he will end up here:

[  833.723472] mt76x0u 1-1:1.0 wlan0mon: entered promiscuous mode
[  833.723480] mt76x0u 1-1:1.0 wlan0mon: entered allmulticast mode

and possible crash the driver.
#375 (comment)

Linux kernel developers decided to show a warning since kernel 6.3:
[ 542.715262] warning: iwconfig' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211`

I added this suggestions, because I'm not a friend of shared virtual monitor interfaces.

A simple example:
Plug in an USB WiFi adapter and use iw to set monitor mode:
$ sudo iw dev wlp48s0f4u2u4 set monitor none
check the state of the interface:

$ iw dev
phy#1
	Interface wlp48s0f4u2u4
		ifindex 4
		wdev 0x100000001
		addr 50:3e:aa:92:e3:26
		type monitor
		txpower 0.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

do the same by hcdumptool:
$ sudo hcxdumptool -m wlp48s0f4u2u4

check the state of the interface:

$ iw dev
phy#2
	Interface wlp48s0f4u2u4
		ifindex 5
		wdev 0x200000001
		addr 50:3e:aa:92:e3:26
		type monitor
		channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
		txpower 14.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

```[
it is full operational!

[ZerBea]

If someone uses tools (like iwconfig or iw) or scripts (like airmon-ng) he should know what they are doing.
If the user don't know this, he should read the help or FAQ if this tools.

[ZerBea]

Added this to help:

$ hcxdumptool --help
hcxdumptool 6.3.2-41-g23bf263  (C) 2023 ZeroBeat
...
run hcxdumptool - it will set appropriate monitor mode
...

[ZerBea]

Please allow me to ask a question:
Let's assume you are new to hcxdumptool. Why do you think it's necessary to use a third party tool like iw?

[v74863]

I'm not as swift as you, sorry.
Let's start from tcpdump, not iw

This sequence looks cumbersome and needs explanation (at least for me)

hcxdumptool -m wlan1
tcpdump -i wlan1 wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf
hcxdumptool -i wlan1 -w dump.pcapng -c 1a --bpf=attack.bpf

why not just

tcpdump -i wlan1 --monitor-mode wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf
hcxdumptool -i wlan1 -w dump.pcapng -c 1a --bpf=attack.bpf

Why do some people need explanations and others don't?
That's another question. Probably because people are different internally.
Some are more curious than others :)

Feel free to ask me, I'll be glad to help.

[ZerBea]

OK a tcpdump example:
Plug in the device to an USB port and run your suggestion:

$ sudo tcpdump -i wlp48s0f4u2u4  --monitor-mode wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf

From man tcpdump:

      --monitor-mode
              Put  the  interface  in "monitor mode"; this is supported only on IEEE 802.11
              Wi-Fi interfaces, and supported only on some operating systems.

              Note that in monitor mode the adapter might  disassociate  from  the  network
              with  which it's associated, so that you will not be able to use any wireless
              networks with that adapter.  This could prevent accessing files on a  network
              server, or resolving host names or network addresses, if you are capturing in
              monitor mode and are not connected to another network with another adapter.

              This flag will affect the output of the -L flag.  If -I isn't specified, only
              those  link-layer  types available when not in monitor mode will be shown; if
              -I is specified, only those link-layer types available when in  monitor  mode
              will be shown.

The interface should be in monitor mode.

But it is not!

$ iw dev
phy#3
	Interface wlp48s0f4u2u4
		ifindex 7
		wdev 0x300000001
		addr 50:3e:aa:92:e3:26
		type managed
		txpower 14.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

the same running hcxdumptool:

$ sudo hcxdumptool -m wlp48s0f4u2u4

Requesting physical interface capabilities. This may take some time.
Please be patient...

interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  4   9 503eaa92e326 503eaa92e326 * wlp48s0f4u2u4    mt76x0u (NETLINK)

available frequencies: frequency [channel] tx-power of Regulatory Domain: DE

  2412 [  1] 14.0 dBm	  2417 [  2] 14.0 dBm	  2422 [  3] 14.0 dBm	  2427 [  4] 14.0 dBm
  2432 [  5] 14.0 dBm	  2437 [  6] 14.0 dBm	  2442 [  7] 14.0 dBm	  2447 [  8] 14.0 dBm
  2452 [  9] 14.0 dBm	  2457 [ 10] 14.0 dBm	  2462 [ 11] 14.0 dBm	  2467 [ 12] 14.0 dBm
  2472 [ 13] 14.0 dBm	  2484 [ 14] disabled	  5180 [ 36] 17.0 dBm	  5200 [ 40] 17.0 dBm
  5220 [ 44] 17.0 dBm	  5240 [ 48] 17.0 dBm	  5260 [ 52] 17.0 dBm	  5280 [ 56] 17.0 dBm
  5300 [ 60] 17.0 dBm	  5320 [ 64] 17.0 dBm	  5500 [100] 17.0 dBm	  5520 [104] 17.0 dBm
  5540 [108] 17.0 dBm	  5560 [112] 17.0 dBm	  5580 [116] 17.0 dBm	  5600 [120] 17.0 dBm
  5620 [124] 17.0 dBm	  5640 [128] 17.0 dBm	  5660 [132] 17.0 dBm	  5680 [136] 17.0 dBm
  5700 [140] 17.0 dBm	  5720 [144] 13.0 dBm	  5745 [149] 13.0 dBm	  5765 [153] 13.0 dBm
  5785 [157] 13.0 dBm	  5805 [161] 13.0 dBm	  5825 [165] 13.0 dBm	  5845 [169] 13.0 dBm
  5865 [173] 13.0 dBm	  5885 [177] disabled

monitor mode is active...

As expected, the interface is in full operational monitor mode;

$ iw dev
phy#4
	Interface wlp48s0f4u2u4
		ifindex 9
		wdev 0x400000001
		addr 50:3e:aa:92:e3:26
		type monitor
		channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
		txpower 14.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0
$ sudo tcpdump -i wlp48s0f4u2u4  wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf

I'm sure you see the difference.

If you use tcpdump, you should know its limitations.
If you use iwconfig, you should know its limitations.
If you use iw, you should know its limitations.
If you use a scipt, you should know its limitations.

If you use hcxdumptool you should know that you don't need a third party tool. To avoid all this different states of monitor modes, hcxdumptool set an set appropriate monitor mode.

My experience:
If the FAQ are too long, nobody will read them.
If the help menu is too long, nobody will read it.

[ZerBea]

That was the bright site of tcpdump monitor mode.
Now the dark site:
tcpdump add a virtual monitor interface to the existing interface:

[ 2160.328341] mt76x0u 5-2.4:1.0 mon0: entered promiscuous mode
[ 2160.396850] mt76x0u 5-2.4:1.0 mon0 (unregistering): left promiscuous mode

hcxdumptool not:

[  318.396161] mt76x0u 5-2.4:1.0 wlp48s0f4u2u4: entered promiscuous mode
[  318.439780] mt76x0u 5-2.4:1.0 wlp48s0f4u2u4: left promiscuous mode

[ZerBea]

Of course, an experienced user can run a third party tool or a script to set monitor mode. He should know how to fix problems.
An unexperienced user should follow the recommendations here.
I can't add all this to FAQ's or help, because this would go far beyond the scope, e.g.:

set an appropriate monitor mode by iwconfig
set an appropriate monitor mode by iw
set an appropriate monitor mode by tcpdump
set an appropriate monitor mode by a script

If you have some more questions, feel free to ask.

[v74863]

Wait...

this command doesn't work

% tcpdump -i wlan1 --monitor-mode wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf
tcpdump: wlan1: You don't have permission to perform this capture on that device
(socket: Operation not permitted)

this command doesn't work either

% sudo tcpdump -i wlan1 wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf
tcpdump: 'addr3' and 'address3' are only supported on 802.11 with 802.11 headers

only this command works

% sudo tcpdump -i wlan1 --monitor-mode wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf

Looks like tcpdump set monitor mode only for itself.

Two lines are enough, in my experience

% sudo tcpdump -i wlan1 --monitor-mode wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf
% sudo hcxdumptool -i wlan1 -w dump.pcapng -c 1a --bpf=attack.bpf

I agree, no one will read a lengthy FAQ.
Choose the 10 questions you've been asked most often.

[ZerBea]

For sure it is enough and it will work.
It will add an additional monitor interface and it will unregister this additional monitor interface (by tcpdump).

But if something went wrong, like here (done by iwconfig)
#375 (comment)
it is up to the experienced user to handle it.

To avoid problems (by e.g. additional virtual interfaces) my recommendation is to plug in the USB device.
To stop all services that take access to it.
To run hcxdumptool on it.

This command can't work, because the interface is not up.

$ sudo tcpdump -i wlan1 wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf
tcpdump: 'addr3' and 'address3' are only supported on 802.11 with 802.11 headers

tcpdump need an operational interface.

This command will work, because tcpdump got an operational interface done by hcxdumptool:

$ sudo hcxdumptool -m wlan1
$ sudo tcpdump -i wlan1 wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf

Here tcpdump build the filter on a virtual interface (mon0), done by itself:
$ sudo tcpdump -i wlan1 --monitor-mode wlan addr3 222222222222 or wlan addr3 ffffffffffff -ddd > attack.bpf

So why should man create a filter on a virtual interface instead of using the same interface that is used for the attacks?

[ZerBea]

By this commit:
320d2ca
I added a simple example to create BPF code via tcpdump without(!) using monitor mode:

$ hcxdumptool -h
hcxdumptool 6.3.2-42-g320d2ca  (C) 2023 ZeroBeat
usage: hcxdumptool <options>
...
                  steps to create a BPF (it only has to be done once):
                  create BPF to protect MACs (recommended to protect own devices)
                   $ tcpdump -y IEEE802_11_RADIO not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
                  create BPF to attack a MAC
                   $ tcpdump -y IEEE802_11_RADIO wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
                   it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt or wlan_subtype probe-req)
                   $ tcpdump -y IEEE802_11_RADIO wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
                  see man pcap-filter for a list of all filter options
                  add BPF code: 
                   $ hcxdumptool -i <INTERFACE> --bpf=attack.bpf ...

Please notice:
This is only one basic example of hundreds to create a Berkeley Packet Filter.
And tcpdump is only one of these examples:
https://www.tcpdump.org/

[ZerBea]

By latest commit:
17b23cd
the the function read_bpf has been completely refactored.

The same applies to help.

$ hcxdumptool -h
hcxdumptool 6.3.2-43-g17b23cd  (C) 2023 ZeroBeat
...
--bpf=<file>   : input Berkeley Packet Filter (BPF) code (maximum 4096 instructions) in tcpdump raw format
                  example: tcpdump high level syntax:
                   $ tcpdump -y IEEE802_11_RADIO wlan addr3 11:22:33:44:55:66 -ddd > filter.bpf
                   see man pcap-filter
                  example: bpfc low level syntax:
                   $ bpfc -f tcpdump -i filter.asm > filter.bpf
                   see man bpfc

From now on, hcxdumptool accept raw BPF code, e.g. compiled by tcpdump (high level language) or by bpfc (low level assembly language)

[v74863]

I meant not sorted by RSSI, but with RSSI information in rcascan output a la version 6.2.9
#133

[ZerBea]

Yes, I know. But the entire radiotap header tag walk has been removed due to performance reasons.

To get the relative RSSI we have to walk through the entire radio tap header on every received packet:

Radiotap Header v0, Length 24
    Header revision: 0
    Header pad: 0
    Header length: 24
    Present flags
        Present flags word: 0xa000402e
            .... .... .... .... .... .... .... ...0 = TSFT: Absent
            .... .... .... .... .... .... .... ..1. = Flags: Present
            .... .... .... .... .... .... .... .1.. = Rate: Present
            .... .... .... .... .... .... .... 1... = Channel: Present
            .... .... .... .... .... .... ...0 .... = FHSS: Absent
            .... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
            .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
            .... .... .... .... .... .... 0... .... = Lock Quality: Absent
            .... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
            .... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
            .... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
            .... .... .... .... .... 0... .... .... = Antenna: Absent
            .... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
            .... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
            .... .... .... .... .1.. .... .... .... = RX flags: Present
            .... .... .... .... 0... .... .... .... = TX flags: Absent
            .... .... .... ..0. .... .... .... .... = data retries: Absent
            .... .... .... .0.. .... .... .... .... = Channel+: Absent
            .... .... .... 0... .... .... .... .... = MCS information: Absent
            .... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
            .... .... ..0. .... .... .... .... .... = VHT information: Absent
            .... .... .0.. .... .... .... .... .... = frame timestamp: Absent
            .... .... 0... .... .... .... .... .... = HE information: Absent
            .... ...0 .... .... .... .... .... .... = HE-MU information: Absent
            .... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
            .... 0... .... .... .... .... .... .... = L-SIG: Absent
            .... ..0. .... .... .... .... .... .... = Reserved: 0x0
            ...0 .... .... .... .... .... .... .... = TLVs: Absent
            ..1. .... .... .... .... .... .... .... = Radiotap NS next: True
            .0.. .... .... .... .... .... .... .... = Vendor NS next: False
            1... .... .... .... .... .... .... .... = Ext: Present
        Present flags word: 0x00000820
            .... .... .... .... .... .... .... ...0 = TSFT: Absent
            .... .... .... .... .... .... .... ..0. = Flags: Absent
            .... .... .... .... .... .... .... .0.. = Rate: Absent
            .... .... .... .... .... .... .... 0... = Channel: Absent
            .... .... .... .... .... .... ...0 .... = FHSS: Absent
            .... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
            .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
            .... .... .... .... .... .... 0... .... = Lock Quality: Absent
            .... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
            .... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
            .... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
            .... .... .... .... .... 1... .... .... = Antenna: Present
            .... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
            .... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
            .... .... .... .... .0.. .... .... .... = RX flags: Absent
            .... .... .... .... 0... .... .... .... = TX flags: Absent
            .... .... .... ..0. .... .... .... .... = data retries: Absent
            .... .... .... .0.. .... .... .... .... = Channel+: Absent
            .... .... .... 0... .... .... .... .... = MCS information: Absent
            .... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
            .... .... ..0. .... .... .... .... .... = VHT information: Absent
            .... .... .0.. .... .... .... .... .... = frame timestamp: Absent
            .... .... 0... .... .... .... .... .... = HE information: Absent
            .... ...0 .... .... .... .... .... .... = HE-MU information: Absent
            .... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
            .... 0... .... .... .... .... .... .... = L-SIG: Absent
            .... ..0. .... .... .... .... .... .... = Reserved: 0x0
            ...0 .... .... .... .... .... .... .... = TLVs: Absent
            ..0. .... .... .... .... .... .... .... = Radiotap NS next: False
            .0.. .... .... .... .... .... .... .... = Vendor NS next: False
            0... .... .... .... .... .... .... .... = Ext: Absent
    Flags: 0x00
        .... ...0 = CFP: False
        .... ..0. = Preamble: Long
        .... .0.. = WEP: False
        .... 0... = Fragmentation: False
        ...0 .... = FCS at end: False
        ..0. .... = Data Pad: False
        .0.. .... = Bad FCS: False
        0... .... = Short GI: False
    Data Rate: 1,0 Mb/s
    Channel frequency: 2437 [BG 6]
    Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
        .... .... .... ...0 = 700 MHz spectrum: False
        .... .... .... ..0. = 800 MHz spectrum: False
        .... .... .... .0.. = 900 MHz spectrum: False
        .... .... ...0 .... = Turbo: False
        .... .... ..1. .... = Complementary Code Keying (CCK): True
        .... .... .0.. .... = Orthogonal Frequency-Division Multiplexing (OFDM): False
        .... .... 1... .... = 2 GHz spectrum: True
        .... ...0 .... .... = 5 GHz spectrum: False
        .... ..0. .... .... = Passive: False
        .... .0.. .... .... = Dynamic CCK-OFDM: False
        .... 0... .... .... = Gaussian Frequency Shift Keying (GFSK): False
        ...0 .... .... .... = GSM (900MHz): False
        ..0. .... .... .... = Static Turbo: False
        .0.. .... .... .... = Half Rate Channel (10MHz Channel Width): False
        0... .... .... .... = Quarter Rate Channel (5MHz Channel Width): False
    Antenna signal: -80 dBm
    RX flags: 0x0000
        .... .... .... .... .... ..0. = Bad PLCP: False
    Antenna signal: -80 dBm
    Antenna: 0

It will be much better to add an additional sort by "AP is an range" than doing this excessive talk walk.

[ZerBea]

BTW;
My ACM has 2 antennas and they have a different RSSI

    Antenna signal: -86 dBm
    Antenna: 0
    Antenna signal: -88 dBm
    Antenna: 1

Dependent on the antennas, the radiotap header will grow up:

Radiotap Header v0, Length 30
    Header revision: 0
    Header pad: 0
    Header length: 30
    Present flags
        Present flags word: 0xa000402e
            .... .... .... .... .... .... .... ...0 = TSFT: Absent
            .... .... .... .... .... .... .... ..1. = Flags: Present
            .... .... .... .... .... .... .... .1.. = Rate: Present
            .... .... .... .... .... .... .... 1... = Channel: Present
            .... .... .... .... .... .... ...0 .... = FHSS: Absent
            .... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
            .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
            .... .... .... .... .... .... 0... .... = Lock Quality: Absent
            .... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
            .... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
            .... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
            .... .... .... .... .... 0... .... .... = Antenna: Absent
            .... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
            .... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
            .... .... .... .... .1.. .... .... .... = RX flags: Present
            .... .... .... .... 0... .... .... .... = TX flags: Absent
            .... .... .... ..0. .... .... .... .... = data retries: Absent
            .... .... .... .0.. .... .... .... .... = Channel+: Absent
            .... .... .... 0... .... .... .... .... = MCS information: Absent
            .... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
            .... .... ..0. .... .... .... .... .... = VHT information: Absent
            .... .... .0.. .... .... .... .... .... = frame timestamp: Absent
            .... .... 0... .... .... .... .... .... = HE information: Absent
            .... ...0 .... .... .... .... .... .... = HE-MU information: Absent
            .... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
            .... 0... .... .... .... .... .... .... = L-SIG: Absent
            .... ..0. .... .... .... .... .... .... = Reserved: 0x0
            ...0 .... .... .... .... .... .... .... = TLVs: Absent
            ..1. .... .... .... .... .... .... .... = Radiotap NS next: True
            .0.. .... .... .... .... .... .... .... = Vendor NS next: False
            1... .... .... .... .... .... .... .... = Ext: Present
        Present flags word: 0xa0000820
            .... .... .... .... .... .... .... ...0 = TSFT: Absent
            .... .... .... .... .... .... .... ..0. = Flags: Absent
            .... .... .... .... .... .... .... .0.. = Rate: Absent
            .... .... .... .... .... .... .... 0... = Channel: Absent
            .... .... .... .... .... .... ...0 .... = FHSS: Absent
            .... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
            .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
            .... .... .... .... .... .... 0... .... = Lock Quality: Absent
            .... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
            .... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
            .... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
            .... .... .... .... .... 1... .... .... = Antenna: Present
            .... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
            .... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
            .... .... .... .... .0.. .... .... .... = RX flags: Absent
            .... .... .... .... 0... .... .... .... = TX flags: Absent
            .... .... .... ..0. .... .... .... .... = data retries: Absent
            .... .... .... .0.. .... .... .... .... = Channel+: Absent
            .... .... .... 0... .... .... .... .... = MCS information: Absent
            .... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
            .... .... ..0. .... .... .... .... .... = VHT information: Absent
            .... .... .0.. .... .... .... .... .... = frame timestamp: Absent
            .... .... 0... .... .... .... .... .... = HE information: Absent
            .... ...0 .... .... .... .... .... .... = HE-MU information: Absent
            .... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
            .... 0... .... .... .... .... .... .... = L-SIG: Absent
            .... ..0. .... .... .... .... .... .... = Reserved: 0x0
            ...0 .... .... .... .... .... .... .... = TLVs: Absent
            ..1. .... .... .... .... .... .... .... = Radiotap NS next: True
            .0.. .... .... .... .... .... .... .... = Vendor NS next: False
            1... .... .... .... .... .... .... .... = Ext: Present
        Present flags word: 0x00000820
            .... .... .... .... .... .... .... ...0 = TSFT: Absent
            .... .... .... .... .... .... .... ..0. = Flags: Absent
            .... .... .... .... .... .... .... .0.. = Rate: Absent
            .... .... .... .... .... .... .... 0... = Channel: Absent
            .... .... .... .... .... .... ...0 .... = FHSS: Absent
            .... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
            .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
            .... .... .... .... .... .... 0... .... = Lock Quality: Absent
            .... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
            .... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
            .... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
            .... .... .... .... .... 1... .... .... = Antenna: Present
            .... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
            .... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
            .... .... .... .... .0.. .... .... .... = RX flags: Absent
            .... .... .... .... 0... .... .... .... = TX flags: Absent
            .... .... .... ..0. .... .... .... .... = data retries: Absent
            .... .... .... .0.. .... .... .... .... = Channel+: Absent
            .... .... .... 0... .... .... .... .... = MCS information: Absent
            .... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
            .... .... ..0. .... .... .... .... .... = VHT information: Absent
            .... .... .0.. .... .... .... .... .... = frame timestamp: Absent
            .... .... 0... .... .... .... .... .... = HE information: Absent
            .... ...0 .... .... .... .... .... .... = HE-MU information: Absent
            .... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
            .... 0... .... .... .... .... .... .... = L-SIG: Absent
            .... ..0. .... .... .... .... .... .... = Reserved: 0x0
            ...0 .... .... .... .... .... .... .... = TLVs: Absent
            ..0. .... .... .... .... .... .... .... = Radiotap NS next: False
            .0.. .... .... .... .... .... .... .... = Vendor NS next: False
            0... .... .... .... .... .... .... .... = Ext: Absent
    Flags: 0x00
        .... ...0 = CFP: False
        .... ..0. = Preamble: Long
        .... .0.. = WEP: False
        .... 0... = Fragmentation: False
        ...0 .... = FCS at end: False
        ..0. .... = Data Pad: False
        .0.. .... = Bad FCS: False
        0... .... = Short GI: False
    Data Rate: 1,0 Mb/s
    Channel frequency: 2437 [BG 6]
    Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
        .... .... .... ...0 = 700 MHz spectrum: False
        .... .... .... ..0. = 800 MHz spectrum: False
        .... .... .... .0.. = 900 MHz spectrum: False
        .... .... ...0 .... = Turbo: False
        .... .... ..1. .... = Complementary Code Keying (CCK): True
        .... .... .0.. .... = Orthogonal Frequency-Division Multiplexing (OFDM): False
        .... .... 1... .... = 2 GHz spectrum: True
        .... ...0 .... .... = 5 GHz spectrum: False
        .... ..0. .... .... = Passive: False
        .... .0.. .... .... = Dynamic CCK-OFDM: False
        .... 0... .... .... = Gaussian Frequency Shift Keying (GFSK): False
        ...0 .... .... .... = GSM (900MHz): False
        ..0. .... .... .... = Static Turbo: False
        .0.. .... .... .... = Half Rate Channel (10MHz Channel Width): False
        0... .... .... .... = Quarter Rate Channel (5MHz Channel Width): False
    Antenna signal: -84 dBm
    RX flags: 0x0000
        .... .... .... .... .... ..0. = Bad PLCP: False
    Antenna signal: -86 dBm
    Antenna: 0
    Antenna signal: -88 dBm
    Antenna: 1

As you can see, the driver reported 3 different RSSI's:
Antenna signal: -84 dBm
Antenna signal: -86 dBm
Antenna signal: -88 dBm
and we do not know if the target is really in RANGE.

And some devices have 4 or more antennas...

Shall I really re-implement this "meaningless" feature to display a relative RSSI.

[ZerBea]

Added PROBEREQUEST counter to rcascan mode.
Added option to sort rcascan display by PROBEREQUEST counter.
by this commit:
51ea40c

This new feature has no performance impact.

BTW:
There are some interesting introductions about RSSI:
https://duckduckgo.com/?t=ffab&q=wifi+signal+strength+basics&ia=web
especially this one:
https://www.commscope.com/blog/2015/understanding-wi-fi-signal-strength-vs.-wi-fi-speed/
and for newbies this one:
https://www.securedgenetworks.com/blog/wifi-signal-strength
or this one:
https://en.wikipedia.org/wiki/Received_signal_strength_indicator

I prefer a spectrum analyzer for these measurements.

[v74863]

rcascan with PROBERESPONSE sorting works, thank you.
But I keep version 6.2.9 just in case.
I like your posts, a lot of interesting info, despite I'm not a newbie.

[ZerBea]

RSSI is described in IEEE 802.11 (I think table 20). Unfortunately it is not standard and every vendor is handling this different.

Unfortunately I often feel like a newbie. Everyday I learn something new.

[v74863]

I know that I know nothing
https://en.wikipedia.org/wiki/I_know_that_I_know_nothing

[ZerBea]

I agree, me too.

[ZerBea]

To make that more clear:
RSSI is important for passive dumpers (one way: receive only), but it is completely useless for hcxdumptool (two way: receive and transmit).
It might be a nice to have for a user to see this relative value (vendor specific and not standardized), but the price tag to get it (tag walk through the entire radiotap header on every incoming frame) is huge.
It is mandatory for an interactive to respond just in time. That is not possible if all this nice to have features are implemented.

It's not even necessary to run hcxdumptool with a status display. It can be completely disabled by Make file (hedless operation). Running with a good filter and the correct options, hcxdumptool will exactly do what is expected.

However, if you really need the RSSI, you can get it via hcxpcapngtool offline.

[v74863]

it would be nice to remove the square brackets in both rcascan and attack mode.
They make it harder to absorb info (at least for my eyes).
I think it's better just add two spaces between ESSID and number of responces.
ESSID header shifted a little to the left, please correct.

  CHA  FREQ   BEACON  RESPONSE S   MAC-AP   ESSID  SCAN-FREQUENCY:   2437
--------------------------------------------------------------------------
 [  6  2437] 12:55:43 12:55:43 + 112233445566 Test_AP [26]


 CHA  FREQ   BEACON  RESPONSE S   MAC-AP     ESSID       SCAN-FREQ:  2437
--------------------------------------------------------------------------
   6  2437  12:55:43 12:55:43 + 112233445566 Test_AP  26

BTW, is there a future for hcxdumptool if all devices use WPA3?
I mean pure WPA3, not compatibility mode WPA2/WPA3 Transitional.

[ZerBea]

By latest commit the brackets CHA & FREQ have been removed. To distinguish between ESSID and PR counter, this brackets have not been removed.

   6  2437  12:55:43 12:55:43 + 112233445566 Test_AP 1  [26]
   6  2437  12:55:44 12:55:43 + 112233445566 Test_AP 456 [56]
   6  2437  12:55:45 12:55:43 + 112233445566 Test_AP_ABC [90]
   6  2437  12:55:46 12:55:43 + 112233445566 Test_AP _NEW_123 [1234]
   6  2437  12:55:47 12:55:43 + 112233445566 Test_AP  255 [55]

is more readable than
   6  2437  12:55:43 12:55:43 + 112233445566 Test_AP 1   26
   6  2437  12:55:44 12:55:43 + 112233445566 Test_AP 456   56
   6  2437  12:55:45 12:55:43 + 112233445566 Test_AP_ABC  90
   6  2437  12:55:46 12:55:43 + 112233445566 Test_AP _NEW_123  1234
   6  2437  12:55:47 12:55:43 + 112233445566 Test_AP  255  55

I'm working on SAE. This requires direct cooperation between hcxdumptool and hashcat.

[v74863]

Typo in hcxdumptool --help
packets are not stored to tum file

instead of
packets are not stored to dump file

run hcxdumptool - it will set an appropriate monitor mode
 scan for ACCESS POINTS in range (packets are not stored to tum file, not in combination with attack modes)

[ZerBea]

Thanks, fixed.

[gideondakore]

Why are these flags "--disable_client_attacks", --enable_status=3 not working again and showing 'hcxdumptool: unrecognized option '--disable_client_attacks'' , 'hcxdumptool: unrecognized option '--enable_status=3''.

what are the replacement flags?

[ZerBea]

Since version 6.3.0 several options have been changed (as mentioned in changelog):

03.05.2023
==========
hcxdumptool: changed/added several options:
$ hcxdumptool --help
hcxdumptool 6.2.9-161-gf581815  (C) 2023 ZeroBeat
usage: hcxdumptool <options>
        first stop all services that take access to the interface, e.g.:
        $ sudo systemctl stop NetworkManager.service
        $ sudo systemctl stop wpa_supplicant.service
        then run hcxdumptool
        press ctrl+c to terminate
        press GPIO button to terminate
        hardware modification is necessary, read more:
        https://github.com/ZerBea/hcxdumptool/tree/master/docs
        stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
        do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
        do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
        do not use virtual machines or emulators
        do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
        do not use tools to change MAC (like macchanger)
        do not merge (pcapng) dump files, because this destroys assigned hash values!

short options:
-i <INTERFACE> : name of INTERFACE to be used
                  default: first suitable INTERFACE
                  warning: hcxdumptool changes the virtual MAC address of the INTERFACE
-w <outfile>   : write packets to a pcapng-format file named <outfile>
                  default outfile name: yyyyddmmhhmmss-interfacename.pcapng
                  get more information: https://pcapng.com/
-c <digit>     : set channel (1a,2a,36b...)
                  default: 1a,6a,11a
                  important notice: channel numbers are not unique
                  it is mandatory to add band information to the channel number (e.g. 12a)
                   band a: NL80211_BAND_2GHZ
                   band b: NL80211_BAND_5GHZ
                   band c: NL80211_BAND_6GHZ
                   band d: NL80211_BAND_60GHZ
                   band e: NL80211_BAND_S1GHZ (902 MHz)
                  to disable frequency management, set this option to a single frequency/channel
-f <digit>     : set frequency (2412,2417,5180,...)
-F             : use available frequencies from INTERFACE
-t <second>    : minimum stay time (will increase on new stations and/or authentications)
                  default 1 seconds
-m <INTERFACE> : set monitor mode and terminate
-L             : show INTERFACE list
-I <INTERFACE> : show detailed information about INTERFACE
-h             : show this help
-v             : show version

long options:
--bpf=<file>                   : input kernel space Berkeley Packet Filter (BPF) code
                                  steps to create a BPF (it only has to be done once):
                                  $ hcxdumptool -m <interface>
                                  create BPF to protect MACs
                                  $ tcpdump -i <INTERFACE> not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
                                  recommended to protect own devices
                                  create BPF to attack a MAC
                                  $ tcpdump -i <INTERFACE> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
                                  it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
                                  $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
                                  see man pcap-filter for a list of all filter options
                                  add BPF code: 
                                  $ hcxdumptool -i <INTERFACE> --bpf=attack.bpf ...
--disable_beacon               : do not transmit BEACON frames
--disable_deauthentication     : do not transmit DEAUTHENTICATION/DISASSOCIATION frames
--disable_proberequest         : do not transmit PROBEREQUEST frames
--disable_association          : do not AUTHENTICATE/ASSOCIATE
--disable_reassociation        : do not REASSOCIATE a CLIENT
--beacontx=<digit>             : transmit BEACON of first n entries of ESSID list
                                 default: 10
--proberesponsetx=<digit>      : transmit PROBERESPONSEs of first n entries of ESSID list
                                 default: 10
--essidlist=<file>             : initialize ESSID list with these ESSIDs
--errormax=<digit>             : set maximum allowed ERRORs
                                 default: 100 ERRORs
--watchdogmax=<seconds>        : set maximum TIMEOUT when no packets received
                                 default: 600 seconds
--attemptclientmax=<digit>     : set maximum of attempts to request an EAPOL M2
                                 default: 10 attempts
--attemptapmax=<digit>         : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake
                                 default: stop after 4 received BEACONs
--tot=<digit>                  : enable timeout timer in minutes
--onsigterm=<action>           : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--ongpiobutton=<action>        : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--ontot=<action>               : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--onwatchdog=<action>          : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--onerror=<action>             : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--gpio_button=<digit>          : Raspberry Pi GPIO pin number of button (2...27)
                                  push GPIO button (> 10 seconds) to terminate program
                                  default: 0 (GPIO not in use)
--gpio_statusled=<digit>       : Raspberry Pi GPIO number of status LED (2...27)
                                  default: 0 (GPIO not in use)
--nmea_dev=<NMEA device>       : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...)
                                  baudrate = BD9600
--gpsd                         : use gpsd to get position
                                  gpsd will be switched to NMEA0183 mode
--nmea_out=<outfile>           : write GPS information to a nmea-format file named <outfile>
                                  default outfile name: yyyymmddhhmmss.nmea
                                  output: NMEA 0183 standard messages:
                                          $GPRMC: Position, velocity, time and date
                                          $GPGGA: Position, orthometric height, fix related data, time
                                          $GPWPL: Position and MAC AP
                                          $GPTXT: ESSID in HEX ASCII
                                  use gpsbabel to convert to other formats:
                                   gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file.gpx
                                   gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml
                                  get more information: https://en.wikipedia.org/wiki/NMEA_0183
--rcascan=<character>          : do (R)adio (C)hannel (A)ssignment scan
                                  default = passive scan
                                  a = active scan
                                  p = passive scan
--rds=<digit>                  : sort real time display
                                  default: sort by time (last seen on top)
                                  1 = sort by status (last PMKID/EAPOL on top)
--help                         : show this help
--version                      : show version

Legend
real time display:
 R = + AP display:     AP is in TX range or under attack
 S = + AP display:     AUTHENTICATION KEY MANAGEMENT PSK
 P = + AP display:     got PMKID
 1 = + AP display:     got EAPOL M1 (CHALLENGE)
 3 = + AP display:     got EAPOL M1M2M3 (AUTHORIZATION)
 E = + CLIENT display: got EAP-START MESSAGE
 2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE)
Notice:
This is a penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
To store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel

"disable_client_attacks" has been replaced by "attemptclientmax" as explained in help:

--attemptclientmax=<digit>: set maximum of attempts to request an EAPOL M2
                             default: 10 attempts
                             to disable CLIENT attacks set 0

"enable_status" has been replaced by "rds" as explained in help:

--rds=<digit>             : sort real time display
                             attack mode:
                              default: sort by time (last seen on top)
                               1 = sort by status (last PMKID/EAPOL on top)
                             scan mode:
                               1 = sort by PROBERESPONSE count
                             Columns:
                              R = + AP display     : AP is in TX range or under attack
                              S = + AP display     : AUTHENTICATION KEY MANAGEMENT PSK
                              P = + AP display     : got PMKID hashcat / JtR can work on
                              1 = + AP display     : got EAPOL M1 (CHALLENGE)
                              3 = + AP display     : got EAPOL M1M2M3 or EAPOL M1M2M3M4 (AUTHORIZATION) hashcat / JtR can work on
                              E = + CLIENT display : got EAP-START MESSAGE
                              2 = + CLIENT display : got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on

Reason for all this changes: better performance.