hcxdumptool is able to run different attack vectors. And the client-less (PMKID) attack vector is only one of them:
ap-less:
Only one packet (M2) from a client required. You do not need to hunt for access points. Just wait until the clients come to you. Have patience - some clients will give you their PSK in the clear (hcxpcaptool -E -I -U)!
This attack vector is the most important one, because clients are weak! Try to annoy them!
You can run --nonce-error-corrections=0 on that handshake!
client-less:
Only one packet (M1 - PMKID) from an access point is required.
You have to hunt for access points (usually access points don't move). It's hard to annoy an access point.
You need to have a good antenna (high gain)!
m4 - retry:
After receipt of a single M4, M1, M2, M3 are requested as long as we didn't successfull captured an authorized handshake (M2/M3).
A client and an access point are required for this attack vector! You need to have a good antenna!
deauthentication (old school):
Disconnect a client from the network and capture the following authentication.
A client and an access point are required for this attack vector!
You need to have a good antenna (high gain)!
Attack vector will not work if PMF is enabled
Possible reason why you didn't receive a PMKID:
No access point with activated roaming is in range.
But so what:
A client is in range - play with him!
ap-less:
Only one packet (M2) from a client required. You do not need to hunt for access points. Just wait until the clients come to you. Have patience - some clients will give you their PSK in the clear (hcxpcaptool -E -I -U)!
This attack vector is the most important one, because clients are weak! Try to annoy them!
You can run --nonce-error-corrections=0 on that handshake!
client-less:
Only one packet (M1 - PMKID) from an access point is required.
You have to hunt for access points (usually access points don't move). It's hard to annoy an access point.
You need to have a good antenna (high gain)!
m4 - retry:
After receipt of a single M4, M1, M2, M3 are requested as long as we didn't successfull captured an authorized handshake (M2/M3).
A client and an access point are required for this attack vector! You need to have a good antenna!
deauthentication (old school):
Disconnect a client from the network and capture the following authentication.
A client and an access point are required for this attack vector!
You need to have a good antenna (high gain)!
Attack vector will not work if PMF is enabled
Possible reason why you didn't receive a PMKID:
No access point with activated roaming is in range.
But so what:
A client is in range - play with him!