Hi hulley.
No, the only limit is the size of your RAM (hcxpcaptool will tell you if we are running out of RAM). And that is the problem.
Handshake detection is time intensive and RAW handshake detection is very time intensive!
Time increases exponentially. That means for every M1, M2, M3, M4 and ESSID
we run threw the whole file! And caps with zeroed timestamps (typically by wpaclean converted) makes it again slower.
(EAPOL packets) * (EAPOL packets) * (unique(beacons + associationrequests + reassociationrequests + proberequestsproberesonses) * nonce-error-corections * time-error-corrections
Or for the example above: 9 * 9 * 1 * 8 * 600
If you have a merged cap or a cap containing many different ESSIDs and many EAPOL frames you should be patient.
BTW: Do you use the latest pushed version (14 hour ago - improved calculation speed by 1000%)
1. let's see how much packets are inside - we use a ryzen 1700 and the size of this cap is 302.338454 MB (the cap is a merged cap - own captures and different files from www, including deadly cleaned files):
$ hcxpcaptool 20170228.cap
start reading from 20170228.cap
summary:
--------
file name..............: 20170228.cap
file type..............: pcap 2.4
network type...........: DLT_IEEE802_11 (105)
endianess..............: little endian
read errors............: flawless
packets inside.........: 1409389
skippedpackets.........: 0
packets with FCS.......: 0
1409389 = packet count
you will see it here: xxxxx packets processed - be patient!
2. now get the best hashes:
$ time hcxpcaptool -o test.hccapx 20170228.cap
start reading from 20170228.cap
summary:
--------
file name..............: 20170228.cap
file type..............: pcap 2.4
network type...........: DLT_IEEE802_11 (105)
endianess..............: little endian
read errors............: flawless
packets inside.........: 1409389
skippedpackets.........: 0
packets with FCS.......: 0
warning................: zero value timestamps detected
WDS packets............: 14
beacons................: 398623
probe requests.........: 38459
probe responses........: 102777
association requests...: 61752
reassociation requests.: 12143
EAPOL packets..........: 789871
best handshakes........: 1735
1735 handshake(s) written to test.hccapx
real 0m29,577s
user 0m28,797s
sys 0m0,780s
3. or the raw hashes:
$ time hcxpcaptool -O test.hccapx 20170228.cap
start reading from 20170228.cap
summary:
--------
file name..............: 20170228.cap
file type..............: pcap 2.4
network type...........: DLT_IEEE802_11 (105)
endianess..............: little endian
read errors............: flawless
packets inside.........: 1409389
skippedpackets.........: 0
packets with FCS.......: 0
warning................: zero value timestamps detected
WDS packets............: 14
beacons................: 398623
probe requests.........: 38459
probe responses........: 102777
association requests...: 61752
reassociation requests.: 12143
EAPOL packets..........: 789871
raw handshakes.........: 20414
best handshakes........: 1735
20414 handshake(s) written to test.hccapx
real 0m31,066s
user 0m30,221s
sys 0m0,844s
http://wpa-sec.stanev.org/ switched to hashcat and hcxtools.
You can upload your big caps there to see how many passwords can be recovered (by the improved system) using common wordlists. Service is complete free.
Cheers
Mike
No, the only limit is the size of your RAM (hcxpcaptool will tell you if we are running out of RAM). And that is the problem.
Handshake detection is time intensive and RAW handshake detection is very time intensive!
Time increases exponentially. That means for every M1, M2, M3, M4 and ESSID
we run threw the whole file! And caps with zeroed timestamps (typically by wpaclean converted) makes it again slower.
(EAPOL packets) * (EAPOL packets) * (unique(beacons + associationrequests + reassociationrequests + proberequestsproberesonses) * nonce-error-corections * time-error-corrections
Or for the example above: 9 * 9 * 1 * 8 * 600
If you have a merged cap or a cap containing many different ESSIDs and many EAPOL frames you should be patient.
BTW: Do you use the latest pushed version (14 hour ago - improved calculation speed by 1000%)
1. let's see how much packets are inside - we use a ryzen 1700 and the size of this cap is 302.338454 MB (the cap is a merged cap - own captures and different files from www, including deadly cleaned files):
$ hcxpcaptool 20170228.cap
start reading from 20170228.cap
summary:
--------
file name..............: 20170228.cap
file type..............: pcap 2.4
network type...........: DLT_IEEE802_11 (105)
endianess..............: little endian
read errors............: flawless
packets inside.........: 1409389
skippedpackets.........: 0
packets with FCS.......: 0
1409389 = packet count
you will see it here: xxxxx packets processed - be patient!
2. now get the best hashes:
$ time hcxpcaptool -o test.hccapx 20170228.cap
start reading from 20170228.cap
summary:
--------
file name..............: 20170228.cap
file type..............: pcap 2.4
network type...........: DLT_IEEE802_11 (105)
endianess..............: little endian
read errors............: flawless
packets inside.........: 1409389
skippedpackets.........: 0
packets with FCS.......: 0
warning................: zero value timestamps detected
WDS packets............: 14
beacons................: 398623
probe requests.........: 38459
probe responses........: 102777
association requests...: 61752
reassociation requests.: 12143
EAPOL packets..........: 789871
best handshakes........: 1735
1735 handshake(s) written to test.hccapx
real 0m29,577s
user 0m28,797s
sys 0m0,780s
3. or the raw hashes:
$ time hcxpcaptool -O test.hccapx 20170228.cap
start reading from 20170228.cap
summary:
--------
file name..............: 20170228.cap
file type..............: pcap 2.4
network type...........: DLT_IEEE802_11 (105)
endianess..............: little endian
read errors............: flawless
packets inside.........: 1409389
skippedpackets.........: 0
packets with FCS.......: 0
warning................: zero value timestamps detected
WDS packets............: 14
beacons................: 398623
probe requests.........: 38459
probe responses........: 102777
association requests...: 61752
reassociation requests.: 12143
EAPOL packets..........: 789871
raw handshakes.........: 20414
best handshakes........: 1735
20414 handshake(s) written to test.hccapx
real 0m31,066s
user 0m30,221s
sys 0m0,844s
http://wpa-sec.stanev.org/ switched to hashcat and hcxtools.
You can upload your big caps there to see how many passwords can be recovered (by the improved system) using common wordlists. Service is complete free.
Cheers
Mike