1. Yes: cat test1.hccapx test2.hccapx ..... testn.hccapx > merged.hccapx
No need to remove cracked by hand - just use hashcat -m 2500 in combination with --remove
2. The one you cracked is an unauthenticated handshake. That means the client is not authorized and tries random passwords to get access to the network. You cracked one of them (M1M2). Authorized handshakes have M1M2M3M4.
AP-less attacks retrieve only M2 from a client - we do not know the real PSK, so we can't answer with M3 and will never get M4.
But nevertheless you can crack them, but it is possble that the retrieved PSK will not give you access to the network.
Therefore hcxpcaptool has the option -O to convert all(!) tries from a client.
If you crack them, you can see what PSKs the unauthorized client tries.
You can identify the message pair (M1...M4) using:
wlanhcxinfo -i yourhashfile.hccapx -p or -P (in combination with -a , -s or -e - if you like)
Keep in mind:
AP-less attacks always retrieve a valid and crackable (but sometimes not authorized) M2!!!!
No need to remove cracked by hand - just use hashcat -m 2500 in combination with --remove
2. The one you cracked is an unauthenticated handshake. That means the client is not authorized and tries random passwords to get access to the network. You cracked one of them (M1M2). Authorized handshakes have M1M2M3M4.
AP-less attacks retrieve only M2 from a client - we do not know the real PSK, so we can't answer with M3 and will never get M4.
But nevertheless you can crack them, but it is possble that the retrieved PSK will not give you access to the network.
Therefore hcxpcaptool has the option -O to convert all(!) tries from a client.
If you crack them, you can see what PSKs the unauthorized client tries.
You can identify the message pair (M1...M4) using:
wlanhcxinfo -i yourhashfile.hccapx -p or -P (in combination with -a , -s or -e - if you like)
Keep in mind:
AP-less attacks always retrieve a valid and crackable (but sometimes not authorized) M2!!!!