Provided by: hcxdumptool_5.1.7-1_amd64
NAME
hcxdumptool - hcx tools set-N
DESCRIPTION
hcxdumptool 5.1.7 (C) 2019 ZeroBeat
usage  : hcxdumptool <options>
         press the switch to terminate hcxdumptool
         hardware modification is necessary, read more:
         https://github.com/ZerBea/hcxdumptool/tree/master/docs
example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status=3
         do not run hcxdumptool on logical interfaces (monx, wlanxmon)
         do not use hcxdumptool in combination with other 3rd party tools, which take access to the interface

options:
-i <interface> : interface (monitor mode will be enabled by hcxdumptool)
                 can also be done manually:
                 ip link set <interface> down
                 iw dev <interface> set type monitor
                 ip link set <interface> up
-o <dump file> : output file in pcapng format
                 management frames and EAP/EAPOL frames
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : output file in pcapng format
                 unencrypted IPv4 and IPv6 frames
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-W <dump file> : output file in pcapng format
                 encrypted WEP frames
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit>     : set scan list (1,2,3,...)
                 default scan list: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12, 13
                 maximum entries: 127
                 allowed channels (depends on the device):
                 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 68, 96
                 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128
                 132, 134, 136, 138, 140, 142, 144, 149, 151, 153, 155, 157, 159
                 161, 165, 169, 173
-t <seconds>   : stay time on channel before hopping to the next channel
                 default: 5 seconds
-T <digit>     : set maximum ERROR count (hcxdumptool terminates when the value is reached)
                 errorcount will increase by one, if sent packets (tx=xxx) > 3*incoming packets (rx=xxx)
                 default: 100 errors
-E <digit>     : EAPOL timeout
                 default: 150000 = 1 second
                 value depends on channel assignment
-D <digit>     : deauthentication interval
                 default: 10 (every 10 beacons)
                 the target beacon interval is used as trigger
-A <digit>     : ap attack interval
                 default: 10 (every 10 beacons)
                 the target beacon interval is used as trigger
-I             : show wlan interfaces and quit
-C             : show available channels and quit
                 if no channels are available, interface is probably in use or doesn't support monitor mode
-h             : show this help
-v             : show version

--filterlist=<file>                : mac filter list
                                     format: 112233445566 + comment
                                     maximum line length 255, maximum entries 64
                                     run first --do_rcascan to retrieve information about the target
--filtermode=<digit>               : mode for filter list
                                     1: use filter list as protection list (default) in transmission branch
                                        receive everything, interact with all APs and CLIENTs in range,
                                        except(!) the ones from the filter list
                                     2: use filter list as target list in transmission branch
                                        receive everything, only interact with APs and CLIENTs in range,
                                        from the filter list
                                     3: use filter list as target list in receiving branch
                                        only receive APs and CLIENTs in range,
                                        from the filter list
--silent                           : do not transmit!
                                     hcxdumptool is acting like a passive dumper
--disable_active_scan              : do not transmit proberequests to BROADCAST using a BROADCAST ESSID
                                     do not transmit BROADCAST beacons
                                     affected: ap-less and client-less attacks
--disable_deauthentications        : disable transmitting deauthentications
                                     affected: connections between client and access point
                                     deauthentication attacks will not work against protected management frames
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
                                     default: 100 tries (minimum: 4)
                                     affected: connections between client and access point
                                     deauthentication attacks will not work against protected management frames
--disable_disassociations          : disable transmitting disassociations
                                     affected: retry (EAPOL 4/4 - M4) attack
--disable_ap_attacks               : disable attacks on single access points
                                     affected: client-less (PMKID) attack
--give_up_ap_attacks=<digit>       : disable transmitting directed proberequests after n tries
                                     default: 100 tries (minimum: 4)
                                     affected: client-less attack
                                     deauthentication attacks will not work against protected management frames
--disable_client_attacks           : disable attacks on single clients
                                     affected: ap-less (EAPOL 2/4 - M2) attack
--do_rcascan                       : show radio channel assignment (scan for target access points)
                                     this can be used to test if packet injection is working
                                     if no access point responds, packet injection is probably not working
                                     you should disable auto scrolling in your terminal settings
                                     use this collected data for the target list
--ap_mac=<mac_addr>                : use this MAC address for access point as start MAC
                                     format = 112233445566
                                     format = 112233000000 (to set only OUI)
                                     format = 445566 (to set only NIC)
                                     last octet is set to unicast and global unique (OUI forced)
                                     warning: do not use a MAC of an existing access point in your range
--station_mac=<mac_addr>           : use this MAC address for station
                                     format = 112233445566
                                     format = 112233000000 (to set only OUI)
                                     format = 445566 (to set only NIC)
--station_vendor=<digit>           : use this VENDOR information for station
                                     0: transmit no VENDOR information (default)
                                     1: Broadcom
                                     2: Apple-Broadcom
                                     3: Sonos
                                     4: Netgear-Broadcom
                                     5: Wilibox Deliberant Group LLC
                                     6: Cisco Systems, Inc
--use_gpsd                         : use GPSD to retrieve position
                                     add latitude, longitude and altitude to every pcapng frame
                                     retrieve GPS information with hcxpcaptool (-g) or tshark:
                                     tshark -r capturefile.pcapng -Y frame.comment -T fields -E header=y -e frame.number -e frame.time -e wlan.sa -e frame.comment
--save_rcascan=<file>              : output rca scan list to file when hcxdumptool terminated
--save_rcascan_raw=<file>          : output file in pcapng format
                                     unfiltered packets
                                     including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
--enable_status=<digit>            : enable status messages
                                     bitmask:
                                      1: EAPOL
                                      2: PROBEREQUEST/PROBERESPONSE
                                      4: AUTHENTICATION
                                      8: ASSOCIATION
                                     16: BEACON
                                     example: 3 = show EAPOL and PROBEREQUEST/PROBERESPONSE
--poweroff                         : once hcxdumptool terminated, power off system
--gpio_button=<digit>              : Raspberry Pi GPIO pin number of button (2...27)
                                     default = GPIO not in use
--gpio_statusled=<digit>           : Raspberry Pi GPIO number of status LED (2...27)
                                     default = GPIO not in use
--ignore_warning                   : ignore warnings
                                     try this if you get some driver warnings
                                     do not report issues
--help                             : show this help
--version                          : show version

If hcxdumptool captured your password from WiFi traffic, you should check all your devices immediately!

It is not a good idea to merge a lot of small cap/pcap/pcapng files to a big one!
It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcaptool will understand this.
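
An added example, not part of the hcxdumptool distribution: a pre-flight check that a --filterlist file meets the limits stated above (12 hex digits plus comment, line length at most 255, at most 64 entries) before it is relied on as a protection list with --filtermode=1. The function name check_filterlist and the sample addresses are constructed; skipping blank lines and treating everything after the first 12 characters as comment are assumptions.

```shell
#!/bin/sh
# Added example: validate a --filterlist file against the documented limits.
# Assumptions: blank lines are skipped; text after the first 12 characters is comment.
MAX_LINE=255      # "maximum line length 255"
MAX_ENTRIES=64    # "maximum entries 64"

# check_filterlist FILE
# Prints the number of valid entries on stdout and one diagnostic per
# problem on stderr. Returns 0 if the list is usable, 1 otherwise.
check_filterlist() {
    file=$1; entries=0; lineno=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -z "$line" ] && continue
        if [ "${#line}" -gt "$MAX_LINE" ]; then
            echo "line $lineno: longer than $MAX_LINE characters" >&2
            bad=1; continue
        fi
        # The address must be 12 plain hex digits, e.g. 112233445566.
        mac=$(printf '%s' "$line" | cut -c1-12)
        case $mac in
            *[!0-9A-Fa-f]*) nonhex=1 ;;
            *)              nonhex=0 ;;
        esac
        if [ "${#mac}" -ne 12 ] || [ "$nonhex" -eq 1 ]; then
            echo "line $lineno: does not start with 12 hex digits" >&2
            bad=1; continue
        fi
        entries=$((entries + 1))
    done < "$file"
    if [ "$entries" -gt "$MAX_ENTRIES" ]; then
        echo "$entries entries, maximum is $MAX_ENTRIES" >&2
        bad=1
    fi
    echo "$entries"
    return "$bad"
}

# Constructed sample list; the MAC addresses are made-up placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
020000000001 neighbour AP, out of scope
02:00:00:00:00:02 colon notation is not the documented format
0200000000zz typo in address
EOF
check_filterlist "$sample" || echo "fix the list before passing it to --filterlist"
rm -f "$sample"
```

A malformed line in a protection list is a line that protects nothing, so a non-zero return should stop the run.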
SEE ALSO
The full documentation for hcxdumptool is maintained as a Texinfo manual. If the info and hcxdumptool programs are properly installed at your site, the command info hcxdumptool should give you access to the complete manual.