ZerBea / hcxdumptool

Small tool to capture packets from wlan devices.
MIT License

undirected proberequest frames. #446

Closed silan10 closed 2 months ago

silan10 commented 2 months ago

These are the steps I used:

```shell
sudo hcxdumptool -m wlan0

sudo tcpdump -i wlan0 wlan addr1 c4:12:f5:b0:5b:b4 or wlan addr2 c4:12:f5:b0:5b:b4 or wlan addr3 c4:12:f5:b0:5b:b4 -ddd > atac.bpf

sudo hcxdumptool -i wlan0 -c 6a --rds=1 -F --bpf=atac.bpf -w helo.pcapng

sudo hcxpcapngtool helo.pcapng -o helo.hc22000
```

```
--------------------
file name................................: helo.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.18.0-kali5-amd64
application..............................: hcxdumptool 6.3.4-14-g3693e77
interface name...........................: wlan0
interface vendor.........................: 2cd05a
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 980ee44c78a9 (incremented on every new client)
MAC CLIENT...............................: 980ee451cc23
REPLAYCOUNT..............................: 64748
ANONCE...................................: 1b92b1b897055e19ee08dd3be84a3c9d8388c3a83f67fc591df0f20bb579ce4a
SNONCE...................................: 0bb09373fc0ccebc1c04918f091df857b0b5415bae1d00eb617a2c5b55f196d1
timestamp minimum (GMT)..................: 30.04.2024 09:54:20
timestamp maximum (GMT)..................: 30.04.2024 10:18:26
duration of the dump tool (minutes)......: 24
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 14
frames with correct FCS..................: 14
packets received on 2.4 GHz..............: 14
ESSID (total unique).....................: 1
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 1
AUTHENTICATION (OPEN SYSTEM).............: 1
EAPOL messages (total)...................: 12
EAPOL RSN messages.......................: 12
EAPOLTIME gap (measured maximum msec)....: 836128
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 9
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1

frequency statistics from radiotap header (frequency: received packets)
2432: 1
2437: 13

Information: missing frames! This dump file does not contain undirected proberequest frames. An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing. That makes it hard to recover the PSK.

session summary
processed pcapng files................: 1
```

ZerBea commented 2 months ago

Running your filter: "wlan addr1 c4:12:f5:b0:5b:b4 or wlan addr2 c4:12:f5:b0:5b:b4 or wlan addr3 c4:12:f5:b0:5b:b4", only frames addressed to this MAC and coming from this MAC are allowed. All other frames are filtered out. That includes undirected PROBEREQUEST frames. Additionally, this filter does not allow CLIENTs to connect to hcxdumptool (especially when MAC randomization is used by the CLIENT).

BTW: You should know that if you run tcpdump to build a filter, the filter code is designed to be used by tcpdump. To improve performance, hcxdumptool uses a different snap len.

I suggest reading

```
$ hcxdumptool -h
--bpfc=<filter>: compile Berkeley Packet Filter (BPF) and exit
                  $ hcxdumptool --bpfc="wlan addr3 112233445566" > filter.bpf
                  see man pcap-filter
--bpf=<file>   : input Berkeley Packet Filter (BPF) code (maximum 4096 instructions) in tcpdump decimal numbers format
                  see --help for more information
```

and

```
$ hcxdumptool --help
-----------------------
tcpdump decimal numper format:
 example: tcpdump high level compiler:
  $ tcpdump -s 1024 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd > filter.bpf
  see man pcap-filter
 example: bpf_asm low level compiler
  $ bpf_asm filter.asm | tr ',' '\n' > filter.bpf
  see https://www.kernel.org/doc/html/latest/networking/filter.html
 example: bpfc low level compiler:
  $ bpfc -f tcpdump -i filter.asm > filter.bpf
  see man bpfc
tcpdump C style format:
 example: tcpdump high level compiler:
  $ tcpdump -s 1024 -y IEEE802_11_RADIO wlan addr3 112233445566 -dd > filter.bpf
  see man pcap-filter
 example: bpfc low level compiler:
  $ bpfc -f C -i filter.asm > filter.bpf
  see man bpfc
```

Additionally, I suggest reading this: https://github.com/ZerBea/hcxdumptool/discussions/420

BTW: I'll move this to discussions, because it is more a wrong usage of the BPF than an issue.
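To make the address-matching point concrete, here is an added example (written for this page, not code from hcxdumptool or from either participant). It builds a handful of constructed radiotap + 802.11 header-only frames, applies the same predicate as the `wlan addr1 M or wlan addr2 M or wlan addr3 M` filter from the first post, and reports which frames survive. An undirected probe request carries the broadcast address in addr1 and addr3 and the client's own (possibly randomized) MAC in addr2, so none of the three address fields ever equals the AP's MAC and the frame is dropped; the same happens to a client trying to authenticate to hcxdumptool's own interface. The client MAC and the capture-interface MAC are constructed placeholders; the AP MAC is the one from the filter above. The classification is by address only; hcxpcapngtool additionally inspects the SSID element, which these header-only samples omit.

```python
# Added example (not part of the original issue or of hcxdumptool):
# evaluate a tcpdump-style "wlan addr1 M or wlan addr2 M or wlan addr3 M"
# filter against constructed 802.11 frames and see which frames it passes.
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP_MAC = "c4:12:f5:b0:5b:b4"          # the MAC used in the filter from the issue
CLIENT_MAC = "02:00:00:00:00:01"      # constructed, locally administered (random-style) MAC
CAPTURE_IF_MAC = "02:00:00:00:00:aa"  # constructed stand-in for the hcxdumptool interface MAC

# Frame control byte 0 = (subtype << 4) | (type << 2) | protocol version
FC_PROBE_REQUEST = 0x40   # management (type 0), subtype 4
FC_PROBE_RESPONSE = 0x50  # management (type 0), subtype 5
FC_AUTHENTICATION = 0xB0  # management (type 0), subtype 11
FC_DATA = 0x08            # data (type 2), subtype 0


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(fc0, addr1, addr2, addr3, flags=0):
    """Constructed sample: 8-byte radiotap header with no fields, then a
    24-byte 802.11 MAC header (frame control, duration, addr1-3, seq ctl)."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)      # version, pad, length, present bitmap
    header = bytes([fc0, flags]) + struct.pack("<H", 0)  # frame control + duration
    header += _mac_bytes(addr1) + _mac_bytes(addr2) + _mac_bytes(addr3)
    header += struct.pack("<H", 0)                    # sequence control
    return radiotap + header


def parse_frame(frame):
    """Skip the radiotap header (length at offset 2, little endian) and
    extract type, subtype and the three address fields."""
    off = struct.unpack_from("<H", frame, 2)[0]
    fc0 = frame[off]
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": _mac_str(frame[off + 4:off + 10]),
        "addr2": _mac_str(frame[off + 10:off + 16]),
        "addr3": _mac_str(frame[off + 16:off + 22]),
    }


def any_addr_filter(mac):
    """Predicate equivalent to 'wlan addr1 M or wlan addr2 M or wlan addr3 M'."""
    mac = mac.lower()

    def passes(parsed):
        return mac in (parsed["addr1"], parsed["addr2"], parsed["addr3"])
    return passes


def is_undirected_probe_request(parsed):
    """Probe request addressed to the broadcast address (address-based check only)."""
    return (parsed["type"] == 0 and parsed["subtype"] == 4
            and parsed["addr1"] == BROADCAST and parsed["addr3"] == BROADCAST)


SAMPLE_FRAMES = {  # all constructed
    "undirected probe request (client -> broadcast)":
        build_frame(FC_PROBE_REQUEST, BROADCAST, CLIENT_MAC, BROADCAST),
    "directed probe request (client -> AP)":
        build_frame(FC_PROBE_REQUEST, AP_MAC, CLIENT_MAC, AP_MAC),
    "probe response (AP -> client)":
        build_frame(FC_PROBE_RESPONSE, CLIENT_MAC, AP_MAC, AP_MAC),
    "EAPOL data frame (client -> AP, ToDS)":
        build_frame(FC_DATA, AP_MAC, CLIENT_MAC, AP_MAC, flags=0x01),
    "authentication (client -> hcxdumptool interface)":
        build_frame(FC_AUTHENTICATION, CAPTURE_IF_MAC, CLIENT_MAC, CAPTURE_IF_MAC),
}


def apply_filter(filter_mac, frames=SAMPLE_FRAMES):
    """Return {description: (passes_filter, is_undirected_probe_request)}."""
    passes = any_addr_filter(filter_mac)
    result = {}
    for name, raw in frames.items():
        parsed = parse_frame(raw)
        result[name] = (passes(parsed), is_undirected_probe_request(parsed))
    return result


def dropped_undirected_probe_requests(filter_mac, frames=SAMPLE_FRAMES):
    """Names of the undirected probe requests the filter would discard, which is
    exactly the gap hcxpcapngtool's 'missing frames' message is warning about."""
    return [name for name, (ok, undirected) in apply_filter(filter_mac, frames).items()
            if undirected and not ok]


if __name__ == "__main__":
    for name, (ok, _) in apply_filter(AP_MAC).items():
        print(f"{'PASS' if ok else 'DROP'}  {name}")
```

Running the block prints one PASS/DROP line per sample frame; the two DROP lines are the undirected probe request and the authentication frame sent to the capture interface, which is the pair of effects described in the reply above.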