hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
There is no option to set the frequency, but there are several options to work on channels and scan lists:

Channel options to set one or more channels:
Code:
-c <digit>     : set channel (1,2,3, ...)
                 default channels: 1...13
                 maximum entries: 127
                 allowed channels (depends on the device):
                 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 68, 96
                 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128
                 132, 134, 136, 138, 140, 142, 144, 149, 151, 153, 155, 157, 159
                 161, 165, 169, 173

Scan list options to set a scan list:
Code:
-s <digit>     : set predefined scanlist
                 0 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (default)
                 1 = 1,2,3,4,5,6,7,8,9,10,11,12,13
                 2 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
                 3 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
Both of these options will replace the default (and optimized) scan list.

There is also an option (-C) to retrieve the channels supported by the interface (including frequency and tx power):

First we retrieve the names of available interfaces:
Code:
$ hcxdumptool -I
wlan interfaces:
503eaa92e326 wlp39s0f3u1u1u2 (mt76x0u)
00e06148645e wlp39s0f3u1u1u4 (mt7601u)

These are the ones detected by hcxdumptool:
Code:
$ lsusb
Bus 005 Device 008: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
Bus 005 Device 007: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter

Now we can retrieve the channel list, supported by each interface:
Code:
$ sudo hcxdumptool -i wlp39s0f3u1u1u2 -C
initialization...
available channels:
  1 / 2412MHz (14 dBm)
  2 / 2417MHz (14 dBm)
  3 / 2422MHz (14 dBm)
  4 / 2427MHz (14 dBm)
  5 / 2432MHz (14 dBm)
  6 / 2437MHz (14 dBm)
  7 / 2442MHz (14 dBm)
  8 / 2447MHz (14 dBm)
  9 / 2452MHz (14 dBm)
10 / 2457MHz (14 dBm)
11 / 2462MHz (14 dBm)
12 / 2467MHz (14 dBm)
13 / 2472MHz (14 dBm)
36 / 5180MHz (17 dBm)
40 / 5200MHz (17 dBm)
44 / 5220MHz (17 dBm)
48 / 5240MHz (17 dBm)
52 / 5260MHz (17 dBm)
56 / 5280MHz (17 dBm)
60 / 5300MHz (17 dBm)
64 / 5320MHz (17 dBm)
100 / 5500MHz (17 dBm)
104 / 5520MHz (17 dBm)
108 / 5540MHz (17 dBm)
112 / 5560MHz (17 dBm)
116 / 5580MHz (17 dBm)
120 / 5600MHz (17 dBm)
124 / 5620MHz (17 dBm)
128 / 5640MHz (17 dBm)
132 / 5660MHz (17 dBm)
136 / 5680MHz (17 dBm)
140 / 5700MHz (17 dBm)
149 / 5745MHz (17 dBm)
153 / 5765MHz (17 dBm)
157 / 5785MHz (17 dBm)
161 / 5805MHz (17 dBm)
165 / 5825MHz (17 dBm)

terminating...

$ sudo hcxdumptool -i wlp39s0f3u1u1u4 -C
initialization...
available channels:
  1 / 2412MHz (30 dBm)
  2 / 2417MHz (30 dBm)
  3 / 2422MHz (30 dBm)
  4 / 2427MHz (30 dBm)
  5 / 2432MHz (30 dBm)
  6 / 2437MHz (30 dBm)
  7 / 2442MHz (30 dBm)
  8 / 2447MHz (30 dBm)
  9 / 2452MHz (30 dBm)
10 / 2457MHz (30 dBm)
11 / 2462MHz (30 dBm)
12 / 2467MHz (30 dBm)
13 / 2472MHz (30 dBm)
14 / 2484MHz (30 dBm)

terminating...

Now you can run hcxdumptool using your own channel list e.g.: -c 1,6,11

It is mandatory to set the "Regulatory domain":
"The regdomain setting is often made difficult or impossible to change so that the end users do not conflict with local regulatory agencies."
Please read more here:
https://wiki.archlinux.org/index.php/Net...ory_domain
Reply
Hi zerbea, thanks. I think I cannot post my phy info here, but anyway I cannot go over channel 173 on 5 GHz and I cannot go under channel 1 on 2.4 GHz. Let's make an example on 2.4 GHz first.

iw phy0 info

* 2397 MHz [-2] (26.0 dBm)
* 2402 MHz [-1] (26.0 dBm)
* 2412 MHz [1] (26.0 dBm)
* 2417 MHz [2] (26.0 dBm)
* 2422 MHz [3] (26.0 dBm)
* 2427 MHz [4] (26.0 dBm)
* 2432 MHz [5] (26.0 dBm)
* 2437 MHz [6] (26.0 dBm)
* 2442 MHz [7] (26.0 dBm)
* 2447 MHz [8] (26.0 dBm)
* 2452 MHz [9] (26.0 dBm)
* 2457 MHz [10] (26.0 dBm)
* 2462 MHz [11] (26.0 dBm)
* 2467 MHz [12] (26.0 dBm)
* 2472 MHz [13] (26.0 dBm)
* 2484 MHz [14] (26.0 dBm)
Reply
You have to take care of:
the channels, modes and tx power supported by the interface
and
the channels, modes and tx power allowed by the Regulatory domain

Do you use a Software Defined Radio (SDR)? None of the commonly sold interfaces support the channels you posted, because they are out of range of the oscillator.
Reply
I just patched the ath9k driver and other info, and airodump is working
Reply
You can modify hcxdumptool to work on your patched driver, too:
here (we need int instead of uint8_t):
https://github.com/ZerBea/hcxdumptool/bl...ool.c#L132
https://github.com/ZerBea/hcxdumptool/bl...ol.c#L6432

and here to allow an expanded range:
https://github.com/ZerBea/hcxdumptool/bl...ool.c#L226

and here to retrieve the expanded range:
https://github.com/ZerBea/hcxdumptool/bl...ol.c#L6464

Please notice:
The signal becomes extremely crappy on the edge of the frequency range (you can verify this using a spectrum analyzer, e.g. R&S®FSC3).
Reply
I pushed an update. This patch is no longer needed:
here (we need int instead of uint8_t):
https://github.com/ZerBea/hcxdumptool/bl...ool.c#L132
https://github.com/ZerBea/hcxdumptool/bl...ol.c#L6432

starting with this commit we use int instead of uint8_t:
https://github.com/ZerBea/hcxdumptool/co...ee0d43ea44
That allows us to use more than 255 channels and negative channels.

BTW:
You mentioned airodump-ng so please read this issue report:
https://github.com/aircrack-ng/aircrack-ng/issues/2184
especially that one:
https://github.com/aircrack-ng/aircrack-...-699992260

Please re-compile the aircrack-ng suite without libnl support. Then check if an out of range channel is really set.

hcxdumptool doesn't use NETLINK (libnl) in favor of ioctl() system calls, and it will notify you if the channel can't be set.
And I have several more "good" reasons not to use NETLINK:
https://www.quora.com/What-are-the-diffe...ls?share=1

Also note that iw is using libnl (NETLINK) as well.
Reply
Hi zerbea, thanks a lot for that. I'll try as soon as possible. I need to patch three devices to really try these commits: one AP, one STA, and the other one for hcxdumptool. Also, do you need my strange range on 5 GHz?
Reply
It would be great if you could comment the output of hcxdumptool -C (after you modified hcxdumptool), the Regulatory Domain setting (to allow the kernel to use the expanded channels) as well as some information about the interface (VENDOR).

My HackRF one ends at 6GHz, but unfortunately the bandwidth is limited to 20MHz. My measurement equipment ends at 3GHz. All above this frequency makes it very expensive for a (retired) hobbyist.

BTW:
Your scan list (5 MHz step) looks like a spectral scan list:
https://wireless.wiki.kernel.org/en/user...ctral_scan
Reporting FFT data is a nice feature of AR92xx and AR93xx.
Reply
Hi zerbea, compiled the last commits, not working, some info?

But on regular channels it is working.
I receive an invalid channel message.
Reply
The last commits only allow adding more than 255 channels and using your own channel numbers.
If you want to expand the frequency range you have to modify these functions, depending on your step size (e.g. 5 MHz steps), too:
https://github.com/ZerBea/hcxdumptool/bl...ool.c#L226
https://github.com/ZerBea/hcxdumptool/bl...ol.c#L6464
I haven't added this, because it will only work on a modified firmware and a modified driver.

Here we test that the interface set the desired channel:
https://github.com/ZerBea/hcxdumptool/bl...ol.c#L5105

We set the channel:
if(ioctl(fd_socket, SIOCSIWFREQ, &pwrq) < 0) return false;
and read the channel:
if(ioctl(fd_socket, SIOCGIWFREQ, &pwrq) == 0) aktchannel = pwrq.u.freq.m;

Depending on the answer of the driver we use the new channel or we increment the error count.
Reply
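Added example (not part of the thread or of hcxdumptool): a small Python helper that parses the "hcxdumptool -C" listing, converts between channel numbers and centre frequencies on the 5 MHz grid (including the negative channels shown in the iw phy output above), and checks a "-c" list against what an interface actually supports, so an unsupported channel is caught before hcxdumptool reports it as invalid. The sample listing is constructed from the output shown in the first post.

```python
import re

# Constructed sample, trimmed from the "hcxdumptool -C" listing in the thread.
SAMPLE_C_OUTPUT = """initialization...
available channels:
  1 / 2412MHz (14 dBm)
  6 / 2437MHz (14 dBm)
 11 / 2462MHz (14 dBm)
 36 / 5180MHz (17 dBm)
165 / 5825MHz (17 dBm)

terminating...
"""
# One "-C" line: channel / frequency (tx power); channels may be negative on a patched driver.
LINE_RE = re.compile(r"^\s*(-?\d+)\s*/\s*(\d+)MHz\s*\((-?\d+(?:\.\d+)?)\s*dBm\)")

def channel_to_freq(ch):
    """802.11 channel -> centre frequency (MHz). 2.4 GHz is 2407 + 5*ch (channel 14
    at 2484 MHz is the exception), so -2 / -1 map to 2397 / 2402 MHz exactly as in
    the iw phy output; 5 GHz channels are 5000 + 5*ch."""
    if ch == 14:
        return 2484
    return 2407 + 5 * ch if ch < 14 else 5000 + 5 * ch

def freq_to_channel(freq):
    """Inverse of channel_to_freq, for frequencies taken from -C or iw output."""
    if freq == 2484:
        return 14
    return (freq - 2407) // 5 if freq < 2484 else (freq - 5000) // 5

def parse_available_channels(text):
    """Return {channel: (freq_mhz, tx_dbm)} from hcxdumptool -C output."""
    chans = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            chans[int(m.group(1))] = (int(m.group(2)), float(m.group(3)))
    return chans

def check_scan_list(arg, available):
    """Validate a -c list such as "1,6,11" against the interface's reported channels.
    Returns (ok, bad); 'bad' are channels the interface cannot set."""
    wanted = [int(x) for x in arg.split(",") if x.strip()]
    if len(wanted) > 127:  # hcxdumptool's documented maximum entries
        raise ValueError("more than 127 channels in -c list")
    bad = [ch for ch in wanted if ch not in available]
    return (not bad, bad)

def mismatched_entries(available):
    """Channels whose reported frequency is off the 5 MHz grid (non-standard driver numbering)."""
    return [ch for ch, (freq, _) in available.items() if channel_to_freq(ch) != freq]
```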