The format of a 22000 hashline is:
Code:
SIGNATURE*TYPE*PMKID/MIC*MACAP*MACSTA*ESSID*ANONCE*EAPOL*MESSAGEPAIR
SIGNATURE = "WPA"
TYPE = 01 for PMKID, 02 for EAPOL, others to follow
PMKID/MIC = PMKID if TYPE==01, MIC if TYPE==02
MACAP = MAC of AP
MACSTA = MAC of CLIENT
ESSID = ESSID
ANONCE = ANONCE
EAPOL = EAPOL (SNONCE is in here as well as all EAPOL data)
MESSAGEPAIR = Bitmask:
0: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
1: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
2: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
3: x (unused)
4: ap-less attack (set to 1) - no nonce-error-corrections necessary
5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections
Your bash commands to count CLIENT and AP MACs are ok. You can use bash commands as well as hcxhashtool to work on 22000 lines. And you can run hcxhashtool to verify the results of your script.
The discrepancy between hccapx converted with hcxpcaptool and 22000 converted with hcxpcapngtool is ok, too, because hcxpcapngtool is running a better dupe detection. If you need all possible EAPOL message pair combinations, you can use --all to retrieve them.
Also, you should know that hcxdumptool uses randomized MACs as well as real MACs from received CLIENTs and received APs. It is a pretty good stealth feature to prevent countermeasures against hcxdumptool, but it will falsify the result of your count. Also keep in mind that filtering of CLIENTs is mostly useless if the CLIENT uses randomized MACs.
Additionally, hcxdumptool v6.0.2 has an option to run BPF code, which is much faster than the old filter modes.
BTW:
hcxdumptool v6.0.2 adds ROGUE to received PMKIDs and/or M1M2 message pairs if they are the result of a "CLIENT-LESS" or AP-LESS attack vector.
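
A parser for the line format above that decodes the MESSAGEPAIR bitmask and counts unique AP and CLIENT MACs, as an added example that is not part of the original post or of hcxtools. It assumes the ESSID and MESSAGEPAIR fields are hex-encoded; the function names and sample lines are constructed for illustration. The locally-administered-bit check is a heuristic for MACs randomized by the client OS and will not flag a randomized MAC that uses a vendor-style prefix.

```python
from collections import Counter

FIELDS = ("signature", "type", "pmkid_or_mic", "mac_ap", "mac_sta",
          "essid", "anonce", "eapol", "messagepair")
# Bits 4-7 of MESSAGEPAIR as listed in the post; bits 0-2 carry the MP info value.
FLAGS = {4: "ap-less", 5: "LE router", 6: "BE router", 7: "replaycount not checked"}

def parse_22000(line):
    """Split one hashline into named fields; raise ValueError if malformed."""
    parts = line.strip().split("*")
    if len(parts) != len(FIELDS) or parts[0] != "WPA":
        raise ValueError("not a 22000 hashline")
    rec = dict(zip(FIELDS, parts))
    if rec["type"] not in ("01", "02"):
        raise ValueError("unknown TYPE: " + rec["type"])
    # Assumption: ESSID is hex-encoded; it may not be valid UTF-8, so decode leniently.
    rec["essid"] = bytes.fromhex(rec["essid"]).decode("utf-8", "replace")
    mp = int(rec["messagepair"] or "0", 16)  # field can be empty on PMKID lines
    rec["mp_info"] = mp & 0x07
    rec["flags"] = [name for bit, name in FLAGS.items() if mp & (1 << bit)]
    return rec

def locally_administered(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)

def summarize(lines):
    """Count unique AP and CLIENT MACs and how many CLIENT MACs look randomized."""
    aps, stas, types = set(), set(), Counter()
    for line in lines:
        if line.strip():
            rec = parse_22000(line)
            aps.add(rec["mac_ap"])
            stas.add(rec["mac_sta"])
            types[rec["type"]] += 1
    return {"aps": len(aps), "clients": len(stas), "types": dict(types),
            "clients_local_bit": sum(locally_administered(m) for m in stas)}

# Constructed sample lines (zeroed PMKID/MIC/ANONCE, dummy EAPOL); not real captures.
Z32, Z64 = "0" * 32, "0" * 64
SAMPLE = [
    f"WPA*01*{Z32}*001122334455*a2b3c4d5e6f7*6c6162***",
    f"WPA*02*{Z32}*001122334455*0c1122aabbcc*6c6162*{Z64}*0103*a2",
    f"WPA*02*{Z32}*001122334455*a2b3c4d5e6f7*6c6162*{Z64}*0103*10",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    for s in SAMPLE:
        r = parse_22000(s)
        print(r["type"], r["essid"], r["mp_info"], r["flags"])
```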