Ok, that makes it a little bit more clear.
hcxdumptool has three level:
1) receive (capture) everything and transmit (send attack frames) everything.
2) receive (capture) everything and filter transmitted packets only (done by filtermode and filter list options).
3) filter incoming and outgoing traffic - this is done by a Berkeley Packet Filter BPF.
My first answer belongs to level 2.
Here is the answer for level 3:
Code:
$ sudo hcxdumptool -i <interface> --do_rcascan
to get information about target MAC and operation channel of the target
$ sudo hcxdumptool -m <interface>
set interface to monitor mode
$ sudo tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
where 11:22:33:44:55:66 is your target MAC.
run hcxdumpttool:
$hcxdumptool -i <interface> -o dump.pcapng --enable_status=31 --bpfc=attack.bpf
Please notice:
When you convert this dump file you receive a warning, because broadcast frames are filtered out and you will loose some interesting frames.
To avoid this, you can expand the filter to:
Code:
$ sudo tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or WLAN addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf