undirected proberequest frames.

[silan10]

this is following step i used

`sudo hcxdumptool -m wlan0

sudo tcpdump -i wlan0 wlan addr1 c4:12:f5:b0:5b:b4 or wlan addr2 c4:12:f5:b0:5b:b4 or wlan addr3 c4:12:f5:b0:5b:b4 -ddd > atac.bpf

sudo hcxdumptool -i wlan0 -c 6a --rds=1 -F --bpf=atac.bpf -w helo.pcapng

sudo hcxpcapngtool helo.pcapng -o helo.hc22000`

`--------------------
file name................................: helo.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.18.0-kali5-amd64
application..............................: hcxdumptool 6.3.4-14-g3693e77
interface name...........................: wlan0
interface vendor.........................: 2cd05a
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 980ee44c78a9 (incremented on every new client)
MAC CLIENT...............................: 980ee451cc23
REPLAYCOUNT..............................: 64748
ANONCE...................................: 1b92b1b897055e19ee08dd3be84a3c9d8388c3a83f67fc591df0f20bb579ce4a
SNONCE...................................: 0bb09373fc0ccebc1c04918f091df857b0b5415bae1d00eb617a2c5b55f196d1
timestamp minimum (GMT)..................: 30.04.2024 09:54:20
timestamp maximum (GMT)..................: 30.04.2024 10:18:26
duration of the dump tool (minutes)......: 24
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 14
frames with correct FCS..................: 14
packets received on 2.4 GHz..............: 14
ESSID (total unique).....................: 1
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 1
AUTHENTICATION (OPEN SYSTEM).............: 1
EAPOL messages (total)...................: 12
EAPOL RSN messages.......................: 12
EAPOLTIME gap (measured maximum msec)....: 836128
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 9
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1

frequency statistics from radiotap header (frequency: received packets)

2432: 1 2437: 13

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

session summary

processed pcapng files................: 1

`

[ZerBea]

Running your filter:
"wlan addr1 c4:12:f5:b0:5b:b4 or wlan addr2 c4:12:f5:b0:5b:b4 or wlan addr3 c4:12:f5:b0:5b:b4"
only frames addressed to this MAC and coming from this MAC are allowed.
All other frames are filtered out. That include undirected PROBEREQUEST frames.
Additional this filter does not allow CLIENTs to connect to hcxdumptool (especially when MAC randomization is used on CLIENT side).

BTW:
You should know that if you run tcpdump to build a filter the filter code is designed to be used by tcpdump.
Ti improve performance, hcxdumptool use a different snaplen.

I suggest to read

$ hcxdumptool -h
--bpfc=<filter>: compile Berkeley Packet Filter (BPF) and exit
                  $ hcxdumptool --bpfc="wlan addr3 112233445566" > filter.bpf
                  see man pcap-filter
--bpf=<file>   : input Berkeley Packet Filter (BPF) code (maximum 4096 instructions) in tcpdump decimal numbers format
                  see --help for more information

and

$ hcxdumptool --help
-----------------------
tcpdump decimal numper format:
 example: tcpdump high level compiler:
  $ tcpdump -s 1024 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd > filter.bpf
  see man pcap-filter
 example: bpf_asm low level compiler
  $ bpf_asm filter.asm | tr ',' '\n' > filter.bpf
  see https://www.kernel.org/doc/html/latest/networking/filter.html
 example: bpfc low level compiler:
  $ bpfc -f tcpdump -i filter.asm > filter.bpf
  see man bpfc
tcpdump C style format:
 example: tcpdump high level compiler:
  $ tcpdump -s 1024 -y IEEE802_11_RADIO wlan addr3 112233445566 -dd > filter.bpf
  see man pcap-filter
 example: bpfc low level compiler:
  $ bpfc -f C -i filter.asm > filter.bpf
  see man bpfc

Additional I suggest to read this:
#420

BTW:
I'll move this to discussions, because it is more a wrong usage of the BPF than an issue.

[ZerBea]

To allow undirected FRAMES too it is mandatory to add the BROADCAST MAC to the filter code "or wlan addr3 ffffffffffff" as mentioned here:
#355 (comment)

Please note:
The BPF is merciless! It is mandatory to understand how to create it. To explain everything is beyond the horizon of this discussions.
A good starting point is here:
https://www.kernel.org/doc/html/latest/networking/filter.html
https://biot.com/capstats/bpf.html

The same applies to 802.11.
A good starting point is here:
https://en.wikipedia.org/wiki/802.11_Frame_Types
https://community.cisco.com/t5/wireless-mobility-knowledge-base/802-11-frames-a-starter-guide-to-learn-wireless-sniffer-traces/ta-p/3110019

Otherwise neither hcxdumptool nor hcxpcapngtool will work as expected.

To learn how to create "a working as expected BPF" I recommend to use tshark, Wireshark or tcpdump" (hcxdumptool use the same capture filter code).
Build your filter code and apply it to one of the tools mentioned above. Now you can directly see what packets are filtered by the kernel.

[ZerBea]

The difference between tcpdump snaplen and hcxdumtool snaplen (we use a simple filter):

$ tcpdump -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd
16
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
80 0 0 0
84 0 0 12
21 5 0 4
64 0 0 18
21 0 3 860116326
72 0 0 16
21 0 1 4386
6 0 0 262144
6 0 0 0

buffer size = 262144

$ hcxdumptool --bpfc="wlan addr3 112233445566"
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
80 0 0 0
84 0 0 12
21 5 0 4
64 0 0 18
21 0 3 860116326
72 0 0 16
21 0 1 4386
6 0 0 1024
6 0 0 0

buffer size = 1024!

To create a filter to be used by hcxdumptool is mandatory to add the snaplen to tcpdump:

$ tcpdump -s 1024 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd
16
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
80 0 0 0
84 0 0 12
21 5 0 4
64 0 0 18
21 0 3 860116326
72 0 0 16
21 0 1 4386
6 0 0 1024
6 0 0 0

buffer size = 1024!

[silan10]

So this is the steps?

Sudo tcpdump -s 1024 -y IEEE802_11_RADIO -i wlan0 wlan addr3 c4:12:f5:b0:5b:b4 -ddd > attack.bpf

Or
sudo tcpdump -i wlan0 wlan addr3 c4:12:f5:b0:5b:b4 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf

[ZerBea]

To answer your question: Both of your command lines are wrong. A BPF should be created without being a super user.
If you don't use hcxdumptool to build the filter it is mandatory to add hcxdumptools snaplen to the filter code.

802.11 has 4 addresses and the usage of this addresses depend on the frame type:
https://howiwifi.com/2020/07/13/802-11-frame-types-and-formats/

If you want to allow undirected BROADCAST frames you have to add "wlan addr3 ffffffffffff"
If you want to allow a BSSID you have to add "wlan addr3 "MAC AP".
If you want to allow frames addressed to a MAC you have to add "wlan addr1 "MAC".
If you want to allow frames coming a MAC you have to add "wlan addr2 "MAC".

Regarding your target this are the 2 possible command lines to build a filter:
using hcxdumptool:
$ hcxdumptool --bpfc="wlan addr3 c412f5b05bb4 or wlan addr3 ffffffffffff" > attack.bpf

using tcpdump:
$ tcpdump -s 1024 -y IEEE802_11_RADIO "wlan addr3 c4:12:f5:b0:5b:b4 or wlan addr3 ff:ff:ff:ff:ff:ff" -ddd > attack.bpf

Both commandlines generate identical filter code:

$ hcxdumptool --bpfc="wlan addr3 c412f5b05bb4 or wlan addr3 ffffffffffff"
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
80 0 0 0
84 0 0 12
21 8 0 4
64 0 0 18
21 0 2 4121975732
72 0 0 16
21 3 4 50194
21 0 3 4294967295
72 0 0 16
21 0 1 65535
6 0 0 1024
6 0 0 0

$ tcpdump -s 1024 -y IEEE802_11_RADIO "wlan addr3 c4:12:f5:b0:5b:b4 or wlan addr3 ff:ff:ff:ff:ff:ff" -ddd 
19
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
80 0 0 0
84 0 0 12
21 8 0 4
64 0 0 18
21 0 2 4121975732
72 0 0 16
21 3 4 50194
21 0 3 4294967295
72 0 0 16
21 0 1 65535
6 0 0 1024
6 0 0 0

with one exception:
tcpdump need the filter size in the first row (19), hcxdumptool doesn't need it (but it can handle this additional information),

Please note:
This filter is targeting the AP, only. It does not allow MAC randomized CLIENTs to connect to hcxdumptool's randomized MAC to retrieve their EAPOL M2.

[silan10]

So if this undirected proberequest frames still missing we can just ignored?
Or it mandatory

[ZerBea]

All information can be safely ignored.
It is just an additional information to improve your attack/workflow to avoid to waste GPU time.
If you are a newbie you always can run hcxdumptool/hcxtools/hashcat or JtR by default options.
As your experience grows, you can improve the recovering of a PSK by additional options:
hcxdumptool filter option
hcxtools filter options (e.g. hcxhashtool)
hashcat -a9 attack
JtR single mode attack

[silan10]

Why pmkid not captured ?
As i know AP not allow it
So i need client but my previous command dont allow client connect to hcxdumptool

[ZerBea]

The AP does not use/support PMKIDs.
https://hashcat.net/forum/thread-7717.html
https://superuser.com/questions/1547307/what-is-pmkid-why-would-even-a-router-give-away-the-pmkid-to-an-unauthorized-st

Not all APs support/use it. E.g. my test target AP is configured not to use PMKIDs (802.11r is not enabled):
#361

[silan10]

Is there any different of crack time
When you extract by hcxdumptool or airodump-ng or handshaker ?
Or is the same depend on password
Let say my password Brahim98
When i extract hash.pcapng by hcxdumptool and put it into wpa-sec or aircrack-ng
Is the same period when i extract it with airodump-ng hadh.cap

[ZerBea]

The time to recover the PSK is always the same, regardless which tool you use to get the handshake / PMKID.
But in every case, it is mandatory to make sure that you get a valid MESSAGE PAIR.

hcxdumptool is an interactive tool (interacts with the target to make sure that a valid MESSAGE PAIR has been received).

airodump-ng is a passive dumper. In case of a packet loss you'll not get a valid MESSAGE PAIR:
aircrack-ng/aircrack-ng#2470
aircrack-ng/aircrack-ng#2244
aircrack-ng/aircrack-ng#2079
aircrack-ng/aircrack-ng#1993

The same applies to kismet:
kismetwireless/kismet#419

BTW:
You should know that handshaker is running airodump-ng in background to dump the WiFi traffic.
https://github.com/d4rkcat/HandShaker/blob/master/handshaker.sh#L458
It will run into the same problems as every passive dumper in case of a packet loss due to poor reception conditions.