Comments (3)
hcxdumptool is not designed to be a monitoring tool that captures all frame types because this makes hcxdumptool slow.
Other tools (tshark/Wireshark) can do this much better.
But it is designed to work in perfect harmony with tshark and/or Wireshark. Both tools work fine using hcxdumptool's monitor mode. You can run them in parallel (on the same interface) with hcxdumptool.
A simple example:
$ sudo hcxdumptool -m wlp48s0f4u2u4
$ sudo hcxdumptool -i wlp48s0f4u2u4 -w hcxdumptool.pcapng & tshark -w tshark.pcapng -i wlp48s0f4u2u4
When finished:
$ sudo killall hcxdumptool
$ killall tshark
$ ls *.pcapng
hcxdumptool.pcapng tshark.pcapng
BTW:
It is also possible to use different capture and display filters on hcxdumptool and tshark/Wireshark.
On a dual core system, there is no speed impact.
from hcxdumptool.
Suggestion is now shown in help:
$ hcxdumptool --help
hcxdumptool 6.3.2-18-g1266cf2 (C) 2023 ZeroBeat
Additional information:
-----------------------
first stop all services that take access to the interface, e.g.:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
run hcxdumptool
press ctrl+c to terminate
press GPIO button to terminate
hardware modification is necessary, read more:
https://github.com/ZerBea/hcxdumptool/tree/master/docs
stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not use virtual machines or emulators
do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
do not use tools to change MAC (like macchanger)
do not merge (pcapng) dump files, because this destroys assigned hash values!
to store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel on the same interface
from hcxdumptool.
I checked the list mentioned in your comment.
All these frame types (and some more) are captured and stored by hcxdumptool.
Frame types overview:
https://github.com/ZerBea/hcxdumptool/blob/master/include/ieee80211.h#L11
These 802.11 frames are stored to the pcapng file:
management frames:
0x00 == IEEE80211_STYPE_ASSOC_REQ
0x01 == IEEE80211_STYPE_ASSOC_RESP
0x02 == IEEE80211_STYPE_REASSOC_REQ
0x03 == IEEE80211_STYPE_REASSOC_RESP (not in your list)
0x04 == IEEE80211_STYPE_PROBE_REQ
0x05 == IEEE80211_STYPE_PROBE_RESP
0x08 == IEEE80211_STYPE_BEACON (only on first occurrence)
0x0b == IEEE80211_STYPE_AUTH
0x0d == IEEE80211_STYPE_ACTION (not in your list)
data frames:
0x20 == IEEE80211_STYPE_DATA (filtered by EAP/EAPOL)
0x28 == IEEE80211_STYPE_QOS_DATA (filtered by EAP/EAPOL)
BTW:
It doesn't make sense to handle all data frames during an attack, because it slows down the attack.
To offline decrypt the traffic, it is mandatory that an entire session (handshake and following traffic) is recorded.
That is mostly not the case if hcxdumptool moves to the next channel.
from hcxdumptool.
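An added example, not part of the thread and not hcxdumptool's code: the frame list from the last comment written as a Python check over raw 802.11 frames (radiotap header already removed), useful for reasoning about why a frame present in the tshark capture is absent from the hcxdumptool one. The listed values follow the combined encoding (type << 4) | subtype that Wireshark shows as wlan.fc.type_subtype; keying first-seen beacons by BSSID, treating the EAP/EAPOL filter as an LLC/SNAP EtherType 0x888e match, and all helper names and sample frames are assumptions.

```python
# Combined (type << 4) | subtype values, copied from the list in the comment above.
STORED_MGMT = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x08, 0x0b, 0x0d}
STORED_DATA = {0x20, 0x28}
BEACON = 0x08
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP + EtherType 0x888e

def type_subtype(frame: bytes) -> int:
    """(type << 4) | subtype, from bits 2-3 and 4-7 of frame-control byte 0."""
    return (((frame[0] >> 2) & 0x3) << 4) | (frame[0] >> 4)

def data_header_len(frame: bytes) -> int:
    """MAC header length of a data frame: 24 bytes plus optional fields."""
    fc0, fc1 = frame[0], frame[1]
    qos = bool(fc0 & 0x80)                     # QoS subtypes have subtype bit 3 set
    hdr = 24
    hdr += 6 if (fc1 & 0x03) == 0x03 else 0    # ToDS+FromDS: Address 4 present
    hdr += 2 if qos else 0                     # QoS Control field
    hdr += 4 if qos and (fc1 & 0x80) else 0    # Order bit on QoS data: HT Control
    return hdr

def would_be_stored(frame: bytes, seen_bssids: set) -> bool:
    """Apply the comment's list to one frame; a model, not hcxdumptool's logic."""
    if len(frame) < 24:                        # shorter than a mgmt/data MAC header
        return False
    ts = type_subtype(frame)
    if ts == BEACON:                           # "only on first occurrence"
        bssid = frame[16:22]                   # Address 3 (assumed key: BSSID)
        first = bssid not in seen_bssids
        seen_bssids.add(bssid)
        return first
    if ts in STORED_MGMT:
        return True
    if ts in STORED_DATA:
        if frame[1] & 0x40:                    # Protected bit: payload is encrypted
            return False
        off = data_header_len(frame)
        return frame[off:off + 8] == LLC_SNAP_EAPOL
    return False

def mk(fc0, fc1=0, body=b"", bssid=bytes.fromhex("020000000001")):
    """Constructed sample frame: FC, duration, addr1, addr2, addr3, seq ctl, body."""
    return bytes([fc0, fc1, 0, 0]) + b"\xff" * 6 + bssid * 2 + b"\x00\x00" + body

if __name__ == "__main__":
    seen = set()
    ipv4 = bytes.fromhex("aaaa030000000800")   # constructed LLC/SNAP for IPv4
    for name, f in [("beacon", mk(0x80)), ("beacon again", mk(0x80)),
                    ("qos eapol", mk(0x88, 0x01, b"\x00\x00" + LLC_SNAP_EAPOL)),
                    ("qos ipv4", mk(0x88, 0x01, b"\x00\x00" + ipv4))]:
        print(f"{name:13} -> {would_be_stored(f, seen)}")
```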