New hccapx format explained

[rico]

Great stuff, handshake capturing always a tricky business. I just gave cap2hccapx a quick spin but didn't have much luck either I'm afraid. cap2hccapx seems to identify incomplete handshakes as good?

Example from a .cap file I found, filtering on EAPOL:
t1. Wireshark reports Message 2 of 4 (airodump-ng picks up no handshake)
t2. Wireshark reports Message 4 of 4 (airodump-ng picks up no handshake)
t3. Wireshark reports Message 3&4 of 4 (airodump-ng pick up no handshake)
t4. Wireshark reports Message 1,2,3&4 of 4 (airodump-ng reports WPA handshake found)

So three failures and one success. Then "aircrack-ng -J" picks up the singular complete handshake "WPA (1 handshake)" as expected.

However, cap2hccapx reports 4 handshakes found:

Networks detected: 1

[*]BSSID=d0:3f:0f:d5:03:25 ESSID=TST260FF (Length: 8)
 --> STA=60:02:b4:e2:5c:a6, Authenticated=1, Replay Counter=0
 --> STA=60:02:b4:e2:5c:a6, Authenticated=0, Replay Counter=0
 --> STA=60:02:b4:e2:5c:a6, Authenticated=0, Replay Counter=0
 --> STA=60:02:b4:e2:5c:a6, Authenticated=1, Replay Counter=0

Written 4 WPA Handshakes to: tst260ff


Latest beta fails to read hccapx file:

Code:

hashcat-3.30+103>hashcat64.exe -a 3 -m 2500 --session=tst260ff -o tst260ff_found.txt --outfile-format=3 tst260ff.hccapx --custom-charset1=35679 08?1?d?d?d?d?d?d?d
hashcat (v3.30-103-g65d5921) starting...

<SNIP old CUDA version warnings>
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 760, 512/2048 MB allocatable, 6MCU

OpenCL Platform #2: Intel(R) Corporation
========================================
* Device #2: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz, skipped

Hashfile 'tst260ff.hccapx': Invalid hccapx eapol size
Hashfile 'tst260ff.hccapx': Invalid hccapx signature
Hashfile 'tst260ff.hccapx': Invalid hccapx signature
No hashes loaded

Started: Mon Feb 06 21:54:32 2017
Stopped: Mon Feb 06 21:54:33 2017