hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
The whole filter stuff was refactored:
Now we have filtermode (0, 1, 2) in combination with filterlist_ap (ACCESS POINTs) and filterlist_client (CLIENTs).
That is much faster than filtering ACCESS POINTs and CLIENTs using the same list.

Additionally, we have a new and very fast Berkeley Packet Filter as an alternative. I suggest using this in case of protection of ACCESS POINTs and CLIENTs. Usage of Berkeley Packet Filter code is explained in the help menu and here:
https://biot.com/capstats/bpf.html
and here:
https://www.tcpdump.org/manpages/pcap-filter.7.html
and here:
https://www.tcpdump.org/manpages/tcpdump.1.html

To answer your question:
"filtering command to receive transmission of ap & client"
Create Berkeley Packet Filter code:
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf
then run hcxdumptool --bpfc=attack.bpf
Notice:
It is mandatory to add every ACCESS POINT and every CLIENT here (each for addr1 and addr2)!
Can hcxdumptool decloak and capture handshakes from a hidden SSID?
hcxdumptool tries to attack the ACCESS POINT (AP) by transmitting several requests and capturing the whole traffic. That depends on the options you selected.
If the AP responds to the requests, we retrieve the ESSID and the PMKID (if the AP supports PMKID caching). The same applies if we receive CLIENTs belonging to this AP. In that case, we will receive an M2 and/or M4 from the CLIENT (handshake).
In every other case we will not receive the ESSID, and the received PMKIDs and/or EAPOL messages are useless, because hcxdumptool doesn't transmit randomly generated ESSIDs in the hope that one ESSID matches.