Hcxdumptool - How to capture one network data only?
#1
I read help for hcxdumptool, tried to find something online. But no luck.
I assume that I don't understand something in hcxdumptool --help

If I have network called randomnet

How Can I use hcxdumptool only against this network?
#2
hcxdumptool doesn't use network names (because these names are not unique).
Instead it uses the BSSID (MAC) of the AP.
How to get the MAC is described in --help:
Code:
--filterlist_ap=<file or MAC>      : ACCESS POINT MAC or MAC filter list
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
                                     maximum entries 256
                                     run first --do_rcascan to retrieve information about the target

--filtermode=<digit>               : user space filter mode for filter list
                                     mandatory in combination with --filterlist_ap and/or --filterlist_client
                                     affected: only outgoing traffic
                                     notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel
                                     0: ignore filter list (default)
                                     1: use filter list as protection list
                                        do not interact with ACCESS POINTs and CLIENTs from this list
                                     2: use filter list as target list
                                        only interact with ACCESS POINTs and CLIENTs from this list
                                        not recommended, because some useful frames could be filtered out
                                     using a filter list doesn't have an affect on rca scan
                                     only for testing useful - devices to be protected should be added to BPF
                                     notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter

add the MAC to a list (e.g. name it filter.list)
run hcxdumptool with option --filtermode=2 and --filterlist_ap=filter.list

Additional information is here:
https://www.youtube.com/watch?v=Usw0IlGbkC4
#3
(11-15-2022, 09:58 PM)ZerBea Wrote: hcxdumptool doesn't use network names (because these names are not unique).
Instead it uses the BSSID (MAC) of the AP.
How to get the MAC is described in --help:
Code:
--filterlist_ap=<file or MAC>      : ACCESS POINT MAC or MAC filter list
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
                                     maximum entries 256
                                     run first --do_rcascan to retrieve information about the target

--filtermode=<digit>               : user space filter mode for filter list
                                     mandatory in combination with --filterlist_ap and/or --filterlist_client
                                     affected: only outgoing traffic
                                     notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel
                                     0: ignore filter list (default)
                                     1: use filter list as protection list
                                        do not interact with ACCESS POINTs and CLIENTs from this list
                                     2: use filter list as target list
                                        only interact with ACCESS POINTs and CLIENTs from this list
                                        not recommended, because some useful frames could be filtered out
                                     using a filter list doesn't have an affect on rca scan
                                     only for testing useful - devices to be protected should be added to BPF
                                     notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter

add the MAC to a list (e.g. name it filter.list)
run hcxdumptool with option --filtermode=2 and --filterlist_ap=filter.list

Additional information is here:
https://www.youtube.com/watch?v=Usw0IlGbkC4

Thank you.

I tried with --filterlist_ap but no luck.

I tried this:

hcxdumptool -i wlp0 --filterlist_ap=XXXXXXXXXXXX -o dump.pcapng --enable_status=31 --filtermode=2

I tried with --filterlist_ap=list.txt too

No luck.

The difference between filter and no filter is that without the --filterlist_ap= hcxdumptool is gathering everything.
With the hcxdumptool --filterlist_ap= it gathers fewer targets.
MAC I want to target is on the list but it shows after some time.

This MAC is my home router.
#4
Ok, that makes it a little bit more clear.

hcxdumptool has three levels:
1) receive (capture) everything and transmit (send attack frames) everything.
2) receive (capture) everything and filter transmitted packets only (done by the filtermode and filter list options).
3) filter incoming and outgoing traffic - this is done by a Berkeley Packet Filter (BPF).
My first answer belongs to level 2.

Here is the answer for level 3:
Code:
$ sudo hcxdumptool -i <interface> --do_rcascan
to get information about target MAC and operation channel of the target
$ sudo hcxdumptool -m <interface>
set interface to monitor mode
$ sudo tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
where 11:22:33:44:55:66 is your target MAC.
run hcxdumptool:
$ sudo hcxdumptool -i <interface> -o dump.pcapng --enable_status=31 --bpfc=attack.bpf

Please notice:
When you convert this dump file you receive a warning, because broadcast frames are filtered out and you will lose some interesting frames.
To avoid this, you can expand the filter to:
Code:
$ sudo tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
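The level 3 procedure above (and the MAC formats listed in the --help output in #2) hand-assembled as a small POSIX shell helper; this is an added example, not code from the thread or from the hcxdumptool project. It accepts the BSSID of the AP you are authorized to capture (your own router, as in #3) in any of the three --help formats, validates it, and produces the tcpdump expression from #4, with the broadcast addr3 clause that avoids the converter warning; the function names, the `broadcast` switch and the `attack.bpf` default path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the tcpdump filter that
# hcxdumptool --bpfc loads, from a BSSID in any --help format:
# 112233445566, 11:22:33:44:55:66 or 11-22-33-44-55-66.

# normalize_mac: print the MAC as aa:bb:cc:dd:ee:ff, or return 1 if it is
# not exactly 12 hex digits once the separators are stripped.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f')
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# build_wlan_filter MAC [broadcast]: the expression from post #4, matching
# frames where the BSSID is addr1, addr2 or addr3. With "broadcast" as the
# second argument it also keeps frames whose addr3 is the broadcast address,
# which the thread notes are otherwise lost (and trigger a converter warning).
build_wlan_filter() {
    mac=$(normalize_mac "$1") || { echo "invalid MAC: $1" >&2; return 1; }
    filt="wlan addr1 $mac or wlan addr2 $mac or wlan addr3 $mac"
    if [ "${2:-}" = "broadcast" ]; then
        filt="$filt or wlan addr3 ff:ff:ff:ff:ff:ff"
    fi
    printf '%s' "$filt"
}

# compile_bpf IFACE MAC [OUTFILE]: compile the expression with tcpdump -ddd,
# as post #4 does. Needs tcpdump and a monitor-mode interface (hcxdumptool -m),
# so it is not part of the offline self-check; hypothetical wrapper.
compile_bpf() {
    iface=$1; out=${3:-attack.bpf}
    filt=$(build_wlan_filter "$2" broadcast) || return 1
    sudo tcpdump -i "$iface" -ddd "$filt" > "$out"
}

# Usage (after compile_bpf wlan0 11:22:33:44:55:66 attack.bpf):
#   sudo hcxdumptool -i wlan0 -o dump.pcapng --enable_status=31 --bpfc=attack.bpf
```

Because the BPF is applied to incoming frames as well, this is the level 3 scoping the thread describes, unlike --filtermode=2, which only restricts what hcxdumptool transmits.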