Keep connection alive while running hcxdumptool
#1
Hi,

To run hcxdumptool you need to stop services that access wireless interfaces (like network monitor and wpa supplicant), and so you lose all connectivity to the box.

I was wondering if it is possible to keep a wireless connection alive, using a second wireless interface, while running hcxdumptool. 

I tested restarting the services while capturing, and it seems to work fine: interface 2 capturing and interface 1 connected. However, if I were connected remotely I couldn't restart them, as the remote session would be lost when the services got stopped.

Any ideas on how to do that?

Thanks in advance
#2
Edit the NetworkManager config to ignore the device that hcxdumptool uses:
https://wiki.archlinux.org/title/NetworkManager
explained in chapter 7.7 Ignore specific devices

Use BPF code to ignore the second device, which is used for remote control, and the router to which it is connected:
Code:
--bpfc=<file>                      : input kernel space Berkeley Packet Filter (BPF) code
                                     affected: incoming and outgoing traffic - that include rca scan
                                     steps to create a BPF (it only has to be done once):
                                      set hcxdumptool monitormode
                                       $ hcxdumptool -m <interface>
                                      create BPF to protect a MAC
                                       $ tcpdump -i <interface> not wlan addr3 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
                                       where addr3 protect ACCESS POINTs and addr2 protect CLIENTs
                                       recommended to protect own devices

Run hcxdumptool (with the options --bpfc and -c, where you have to exclude the channel of the remote connection) and ignore the warning that NetworkManager is alive.
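The procedure from post #2 as one script, added here as a worked example; it is not ZerBea's code nor part of the hcxtools project. It assumes the hcxdumptool 6.2.x command line (-m, -i, -c, --bpfc, -o), a NetworkManager built with the keyfile plugin that accepts `nmcli general reload`, tcpdump on the box, and placeholder interface names and MAC addresses passed as arguments. The checks up front matter because a mistyped MAC or an empty channel list would leave the remote link unprotected, which is exactly the session you are trying to keep. Because the BPF is applied to incoming and outgoing traffic, hcxdumptool neither records nor reacts to frames from the protected AP and client, so the management link is not deauthenticated.

```shell
#!/bin/sh
# Added example (not from the thread or the hcxtools project): scripts the
# procedure from post #2 with the checks an operator would want before
# risking their own remote session.
# Assumptions (placeholders, not from the page): hcxdumptool 6.2.x CLI
# (-m, -i, -c, --bpfc, -o), NetworkManager with the keyfile plugin and
# `nmcli general reload`, tcpdump installed, names/MACs given as arguments.
set -eu

# tcpdump filter from post #2: addr3 protects our own AP, addr2 our own client.
build_bpf_filter() {
    printf 'not wlan addr3 %s and not wlan addr2 %s' "$1" "$2"
}

# Keyfile snippet that makes NetworkManager leave the capture interface alone
# (the "Ignore specific devices" section of the Arch wiki page linked above).
nm_unmanaged_conf() {
    printf '[keyfile]\nunmanaged-devices=interface-name:%s\n' "$1"
}

# Accept only a full aa:bb:cc:dd:ee:ff MAC; a typo here means an unprotected link.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Drop the remote link's channel from the comma-separated list given to -c.
# Fails if nothing is left, so we never fall back to default channel hopping.
exclude_channel() {
    list=$1; drop=$2; out=""
    old_ifs=$IFS; IFS=,
    for ch in $list; do
        if [ "$ch" != "$drop" ]; then
            out="${out:+$out,}$ch"
        fi
    done
    IFS=$old_ifs
    [ -n "$out" ] || return 1
    printf '%s' "$out"
}

# main CAPTURE_IF MGMT_IF AP_MAC CLIENT_MAC CHANNELS REMOTE_CHANNEL
main() {
    cap_if=$1; mgmt_if=$2; ap_mac=$3; client_mac=$4; channels=$5; remote_ch=$6
    if [ "$cap_if" = "$mgmt_if" ]; then
        echo "capture and management interface must differ" >&2; return 1
    fi
    if ! valid_mac "$ap_mac" || ! valid_mac "$client_mac"; then
        echo "MAC addresses must look like 11:22:33:44:55:66" >&2; return 1
    fi
    scan=$(exclude_channel "$channels" "$remote_ch") || {
        echo "no channels left after excluding $remote_ch" >&2; return 1; }

    # 1. NetworkManager keeps managing $mgmt_if (and the remote session) but
    #    ignores $cap_if; reload the config instead of restarting the daemon.
    nm_unmanaged_conf "$cap_if" > /etc/NetworkManager/conf.d/99-hcxdumptool.conf
    nmcli general reload

    # 2. Monitor mode first so tcpdump compiles against the 802.11 link type,
    #    then compile the protective filter once (decimal BPF via -ddd).
    hcxdumptool -m "$cap_if"
    tcpdump -i "$cap_if" -ddd "$(build_bpf_filter "$ap_mac" "$client_mac")" > protect.bpf

    # 3. Capture with the filter applied and the remote channel left out.
    hcxdumptool -i "$cap_if" -o capture.pcapng --bpfc=protect.bpf -c "$scan"
}

# Only run when called with all six arguments, e.g.:
#   sh keepalive.sh wlan1 wlan0 11:22:33:44:55:66 aa:bb:cc:dd:ee:ff 1,6,11 6
if [ "$#" -eq 6 ]; then
    main "$@"
fi
```

The filter is compiled once (protect.bpf can be reused across runs), and the interface name written to the NetworkManager keyfile is the capture interface, never the one carrying the remote session.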
#3
(10-20-2022, 10:40 AM)ZerBea Wrote: Edit the NetworkManager config to ignore the device that hcxdumptool uses:
https://wiki.archlinux.org/title/NetworkManager
explained in chapter 7.7 Ignore specific devices

Use BPF code to ignore the second device, which is used for remote control, and the router to which it is connected:
Code:
--bpfc=<file>                      : input kernel space Berkeley Packet Filter (BPF) code
                                    affected: incoming and outgoing traffic - that include rca scan
                                    steps to create a BPF (it only has to be done once):
                                      set hcxdumptool monitormode
                                      $ hcxdumptool -m <interface>
                                      create BPF to protect a MAC
                                      $ tcpdump -i <interface> not wlan addr3 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
                                      where addr3 protect ACCESS POINTs and addr2 protect CLIENTs
                                      recommended to protect own devices

Run hcxdumptool (with the options --bpfc and -c, where you have to exclude the channel of the remote connection) and ignore the warning that NetworkManager is alive.

Thanks for the tool and for the help. It worked!
#4
You're welcome.

BTW:
hcxdumptool (and the hcxlabtool series) and hcxtools provide a solution for nearly every purpose, either by cascading the options, by cascading the tools themselves, or both.