Oh fantastic, I didn't realize that it would try and hack from all possible Mx combinations. I also just want to say that I absolutely LOVE your hcxtools! Thanks for that 
Which brings me to a follow up question of sorts regarding wlandump-ng. I noticed in reading through the source that you seem to be replying to probes with probe responses. Is this in an attempt to capture at least two of these handshakes by pretending to be an AP? I also am trying to parse out the use of the -b flag which reports to respond to the last 10 probe requests with beacon frames. Is this in an attempt to do the same? I guess in short I'm wondering if wlandump-ng has the capacity to grab handshakes from probing devices alone, even when they aren't anywhere near their legitimate AP.
Which brings me to a follow up question of sorts regarding wlandump-ng. I noticed in reading through the source that you seem to be replying to probes with probe responses. Is this in an attempt to capture at least two of these handshakes by pretending to be an AP? I also am trying to parse out the use of the -b flag which reports to respond to the last 10 probe requests with beacon frames. Is this in an attempt to do the same? I guess in short I'm wondering if wlandump-ng has the capacity to grab handshakes from probing devices alone, even when they aren't anywhere near their legitimate AP.