File: changelog

hcxdumptool 6.0.5-2
  • area: main
  • in suites: bullseye
  • size: 768 kB
  • sloc: ansic: 7,980; sh: 131; makefile: 72; xml: 4
05.04.2020
==========
release v 6.0.5
security fix: increase the error count and terminate hcxdumptool if the channel was changed by a third-party tool
After transmitting a request, hcxdumptool expects an answer on the same channel.
If the channel was changed by a third-party tool, hcxdumptool will never get this answer and will retransmit again and again.
This will jam the channel.
https://forum.hashkiller.io/index.php?threads/ap-less-attack-with-hcxtools.21036/page-4#post-237403


04.04.2020
==========
release v 6.0.4


27.03.2020
==========
hcxdumptool: ERROR_MAX no longer hard-coded
--error_max=<digit>                : terminate hcxdumptool if error maximum reached
                                     default: 100 errors


26.03.2020
==========
Some drivers / firmware provide only limited monitor functions instead of full packet injection capabilities.
hcxdumptool: added packet injection test
--check_injection                  : run packet injection test to determine that the driver supports full packet injection


18.03.2020
==========
release v 6.0.3
removed debug message "OS not supported" from Makefile


14.03.2020
==========
release v 6.0.2
complete rewrite from scratch
the Raspberry Pi is a little bit too slow, so we have to reduce status output. Most CLIENTs are running randomized MACs; they are no longer displayed.
improved IE tag walk similar to hcxpcapngtool
improved attack vector
added new options to improve attack vector against hardened targets
added more information to help menu
added option to import Berkeley Packet Filter code from tcpdump as an alternative to apfilterlist and clientfilterlist
make less noise on the channel (receive more, transmit less)
WLAN REASON CODE (deauthentication) no longer hardcoded
moved to git versioning on non releases

$ hcxdumptool -h
hcxdumptool 6.0.2  (C) 2020 ZeroBeat
usage  : hcxdumptool <options>
         press the switch to terminate hcxdumptool
         hardware modification is necessary, read more:
         https://github.com/ZerBea/hcxdumptool/tree/master/docs
example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status=3
         do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon)
         do not use hcxdumptool in combination with other 3rd party tools, which take access to the interface

short options:
-i <interface> : interface (monitor mode will be enabled by hcxdumptool)
                 can also be done manually:
                 ip link set <interface> down
                 iw dev <interface> set type monitor
                 ip link set <interface> up
                 WARNING: iw use NETLINK (libnl) and hcxdumptool will not work on pure NETLINK interfaces
-o <dump file> : output file in pcapng format
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-f <frames>    : frames to save
                 bitmask:
                  0: clear default values
                  1: MANAGEMENT frames (default)
                  2: EAP and EAPOL frames (default)
                  4: IPV4 frames
                  8: IPV6 frames
                 16: WEP encrypted frames
                 32: WPA encrypted frames
                 to clear default values use -f 0 first, followed by desired frame type (e.g. -f 0 -f 4)
-c <digit>     : set scan list (1,2,3, ...)
                 default scan list: 1...13
                 maximum entries: 127
                 allowed channels (depends on the device):
                 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 68, 96
                 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128
                 132, 134, 136, 138, 140, 142, 144, 149, 151, 153, 155, 157, 159
                 161, 165, 169, 173
-t <seconds>   : stay time on channel before hopping to the next channel
                 default 4 seconds
-m <interface> : set monitor mode by ioctl() system call and quit
-I             : show WLAN interfaces and quit
-C             : show available channels and quit
                 if no channels are available, interface is probably in use or doesn't support monitor mode

long options:
--do_rcascan                       : show radio channel assignment (scan for target access points)
                                     this can be used to test that ioctl() calls and packet injection is working
                                     if you got no HIT, packet injection is possible not working
                                     also it can be used to get information about the target
                                     and to determine that the target is in range
                                     use this mode to collect data for the filter list
                                     run this mode at least for 2 minutes
                                     to save all received raw packets use option -o
--reason_code=<digit>              : deauthentication reason code
                                      recommended codes:
                                      1 WLAN_REASON_UNSPECIFIED
                                      2 WLAN_REASON_PREV_AUTH_NOT_VALID
                                      4 WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY
                                      5 WLAN_REASON_DISASSOC_AP_BUSY
                                      6 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA
                                      7 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA (default)
                                      9 WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH
--disable_client_attacks           : do not attack clients
                                     affected: ap-less (EAPOL 2/4 - M2) attack
--disable_ap_attacks               : do not attack access points
                                     affected: connected clients and client-less (PMKID) attack
--stop_ap_attacks=<digit>          : stop attacks against ACCESS POINTs if <n> BEACONs received
                                     default: stop after 600 BEACONs
--resume_ap_attacks=<digit>        : resume attacks against ACCESS POINTs after <n> BEACONs received
                                     default: 864000 BEACONs
--disable_deauthentication         : do not send deauthentication or disassociation frames
                                     affected: conntected clients
--silent                           : do not transmit!
                                     hcxdumptool is acting like a passive dumper
                                     expect possible packet loss
--eapoltimeout=<digit>             : set EAPOL TIMEOUT (microseconds)
                                     default: 20000 usec
--bpfc=<file>                      : input Berkeley Packet Filter (BPF) code
                                     steps to create a BPF (it only has to be done once):
                                      set hcxdumptool monitormode
                                       $ hcxumptool -m <interface>
                                      create BPF to protect a MAC
                                       $ tcpdump -i <interface> not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
                                       recommended to protect own devices
                                      or create BPF to attack a MAC
                                       $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf
                                       not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs
                                      use the BPF code
                                       $ hcxumptool -i <interface> --bpfc=attack.bpf ...
                                     see man pcap-filter for a list of all filter options
--filterlist_ap=<file>             : ACCESS POINT MAC filter list
                                     format: 112233445566 + comment
                                     maximum entries 256
                                     run first --do_rcascan to retrieve information about the target
--filterlist_client=<file>         : CLIENT MAC filter list
                                     format: 112233445566 # comment
                                     maximum entries 256
                                     due to MAC randomization of the CLIENT, it does not always work!
--filtermode=<digit>               : mode for filter list
                                     mandatory in combination with --filterlist_ap and/or --filterlist_client
                                     0: ignore filter list (default)
                                     1: use filter list as protection list
                                        do not interact with ACCESS POINTs and CLIENTs from this list
                                     2: use filter list as target list
                                        only interact with ACCESS POINTs and CLIENTs from this list
                                        not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs
--weakcandidate=<password>         : use this pre shared key (8...63 characters) for weak candidate alert
                                     will be saved to pcapng to inform hcxpcaptool
                                     default: 
--mac_ap                           : use this MAC as ACCESS POINT MAC instead of a randomized one
                                     format: 112233445566
--mac_client                       : use this MAC as CLIENT MAC instead of a randomized one
                                     format: 112233445566
--essidlist=<file>                 : transmit beacons from this ESSID list
                                     maximum entries: 256 ESSIDs
--active_beacon                    : transmit beacon once every 200000 usec
                                     affected: ap-less
--flood_beacon                     : transmit beacon on every received beacon
                                     affected: ap-less
--infinity                         : prevent that a CLIENT can establish a connection to an assigned ACCESS POINT
                                     affected: ACCESS POINTs and CLIENTs
--use_gps_device=<device>          : use GPS device
                                     /dev/ttyACM0, /dev/ttyUSB0, ...
                                     NMEA 0183 $GPGGA $GPGGA
--use_gpsd                         : use GPSD device
                                     NMEA 0183 $GPGGA, $GPRMC
--nmea=<file>                      : save track to file
                                     format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
                                     to convert it to gpx, use GPSBabel:
                                     gpsbabel -i nmea -f hcxdumptool.nmea -o gpx -F file.gpx
                                     to display the track, open file.gpx with viking
--gpio_button=<digit>              : Raspberry Pi GPIO pin number of button (2...27)
                                     default = GPIO not in use
--gpio_statusled=<digit>           : Raspberry Pi GPIO number of status LED (2...27)
                                     default = GPIO not in use
--tot=<digit>                      : enable timeout timer in minutes (minimum = 2 minutes)
                                   : hcxdumptool will terminate if tot reached (EXIT code = 2)
--reboot                           : once hcxdumptool terminated, reboot system
--poweroff                         : once hcxdumptool terminated, power off system
--enable_status=<digit>            : enable real-time display (waterfall)
                                     only incomming traffic
                                     only once at the first occurrence due to MAC randomization of CLIENTs
                                     bitmask:
                                        0: no status (default)
                                        1: EAP and EAPOL
                                        2: ASSOCIATION and REASSOCIATION
                                        4: AUTHENTICATION
                                        8: BEACON and PROBERESPONSE
                                       16: ROGUE AP
                                       32: GPS (once a minute)
                                       64: internal status (once a minute)
                                      128: run as server
                                      256: run as client
                                     characters < 0x20 && > 0x7e are replaced by .
                                     example: show everything but don't run as server or client (1+2+4+8+16 = 31)
                                              show only EAP and EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3)
--server_port=<digit>              : define port for server status output (1...65535)
                                   : default IP: 224.0.0.255
                                   : default port: 60123
--client_port=<digit>              : define port for client status read (1...65535)
                                   : default IP: 224.0.0.255
                                   : default port: 60123
--check_driver                     : run several tests to determine that driver support all(!) required ioctl() system calls
--help                             : show this help
--version                          : show version

Run hcxdumptool -i interface --do_rcascan for at least 30 seconds, before you start an attack!
Do not edit, merge or convert this pcapng files, because it will remove optional comment fields!
It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this.
If hcxdumptool captured your password from WiFi traffic, you should check all your devices immediately!
If you use GPS, make sure GPS device is inserted and has a GPS FIX, before you start hcxdumptool!
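The --bpfc option above takes the numeric program that `tcpdump -ddd` prints: a count line, then one "code jt jf k" line per instruction. As an added example that is not part of hcxdumptool's own code, this C loader parses that format into a classic-BPF array and runs the same range checks the kernel applies before it accepts a filter; the sample program, the error codes and the helper names are constructed for this example and are not tcpdump's output for the changelog's filter expression.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Classic BPF instruction with the same layout as struct sock_filter in
 * <linux/filter.h>; defined locally so the parser also builds on non-Linux hosts. */
struct cbpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

#define CBPF_CLASS(code) ((code) & 0x07)
#define CBPF_OP(code)    ((code) & 0xf0)
#define CBPF_JMP 0x05
#define CBPF_RET 0x06
#define CBPF_JA  0x00

/* Constructed sample in tcpdump -ddd layout (count line, then "code jt jf k").
 * It loads byte 0 of the frame, accepts the frame if it equals 0x80, drops it otherwise. */
static const char bpfc_sample[] =
    "4\n"
    "48 0 0 0\n"      /* ldb [0]                (0x30 = LD|B|ABS)   */
    "21 0 1 128\n"    /* jeq #0x80, jt 0, jf 1  (0x15 = JMP|JEQ|K)  */
    "6 0 0 65535\n"   /* ret #65535 (accept)                        */
    "6 0 0 0\n";      /* ret #0     (drop)                          */

/* Constructed malformed sample: the jf offset jumps past the end of the program. */
static const char bpfc_bad_jump[] = "2\n21 0 7 0\n6 0 0 0\n";

/* Read one unsigned decimal field; a leading '-' is rejected so strtoul cannot wrap it. */
static int read_field(const char **p, unsigned long *out) {
    const char *s = *p;
    char *end;
    while (isspace((unsigned char)*s)) s++;
    if (*s == '-') return 0;
    *out = strtoul(s, &end, 10);
    if (end == s) return 0;
    *p = end;
    return 1;
}

/* Parse -ddd text into prog (capacity max). Returns the instruction count, or a negative
 * code: -1 bad count, -2 fewer instructions than announced or garbage, -3 field out of
 * range, -4 trailing data after the announced count. */
int bpfc_parse(const char *text, struct cbpf_insn *prog, int max) {
    const char *p = text;
    unsigned long n, v[4];
    if (max <= 0 || !read_field(&p, &n) || n == 0 || n > (unsigned long)max) return -1;
    for (unsigned long i = 0; i < n; i++) {
        for (int f = 0; f < 4; f++)
            if (!read_field(&p, &v[f])) return -2;
        if (v[0] > 0xffff || v[1] > 0xff || v[2] > 0xff || v[3] > 0xffffffffUL) return -3;
        prog[i].code = (uint16_t)v[0];
        prog[i].jt   = (uint8_t)v[1];
        prog[i].jf   = (uint8_t)v[2];
        prog[i].k    = (uint32_t)v[3];
    }
    while (isspace((unsigned char)*p)) p++;
    if (*p != '\0') return -4;
    return (int)n;
}

/* The structural checks the kernel's classic BPF checker also applies before a filter is
 * attached: every jump target stays inside the program and the last instruction returns.
 * Returns 0 if sane, -1 empty, -2 bad unconditional jump, -3 bad conditional jump, -4 no final RET. */
int bpfc_validate(const struct cbpf_insn *prog, int n) {
    if (n <= 0) return -1;
    for (int i = 0; i < n; i++) {
        if (CBPF_CLASS(prog[i].code) != CBPF_JMP) continue;
        if (CBPF_OP(prog[i].code) == CBPF_JA) {
            if (prog[i].k >= (uint32_t)(n - i - 1)) return -2;
        } else if (i + 1 + prog[i].jt >= n || i + 1 + prog[i].jf >= n) {
            return -3;
        }
    }
    return CBPF_CLASS(prog[n - 1].code) == CBPF_RET ? 0 : -4;
}

int main(void) {
    struct cbpf_insn prog[64];
    int n = bpfc_parse(bpfc_sample, prog, 64);
    printf("sample: parsed %d instructions, validate=%d\n", n, n > 0 ? bpfc_validate(prog, n) : n);
    n = bpfc_parse(bpfc_bad_jump, prog, 64);
    printf("bad jump: parsed %d instructions, validate=%d\n", n, n > 0 ? bpfc_validate(prog, n) : n);
    return 0;
}
```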


06.03.2020
==========
complete rewrite from scratch
the Raspberry Pi is a little bit too slow, so we have to reduce status output. Most CLIENTs are running randomized MACs; they are no longer displayed.
improved IE tag walk similar to hcxpcapngtool
improved attack vector
added new options to improve attack vector against hardened targets
added more information to help menu
added option to import Berkeley Packet Filter code from tcpdump as an alternative to apfilterlist and clientfilterlist
make less noise on the channel (receive more, transmit less)
WLAN REASON CODE (deauthentication) no longer hardcoded
moved to git versioning on non releases


29.01.2020
==========
moved to v6.0.1
removed options to set a user-defined MAC_AP and/or MAC_CLIENT, because they make hcxdumptool's stealth capability ineffective
improved handling of association/reassociation frames
improved handling of null/powersave frames
added counter for PMKID/EAPOL frames
handle EAP request/response frames
improved IE tag walk similar to hcxpcapngtool
fixed cipher suite and AKM suite handling
handle wrong FCS
reduce pcapng size
fixed internal counters
allow mixed attack vector PSK/PSK256
handle PMKID in reassociationrequest


11.12.2019
==========
moved to v6.0.0
hcxdumptool: complete rewrite from scratch
             filterlist split (APs, CLIENTs), entries increased up to 256 per list:
             --filterlist_ap
             --filterlist_client
             improved real time display:
              driver information and firmware information (if available)
              detailed information about PMKID and MESSAGE PAIR
              allow more than one option (--enable_status)
                 0: no status (default)
                 1: EAPOL
                 2: PROBE REQUEST/PROBE RESPONSE
                 4: AUTHENTICATION
                 8: ASSOCIATION/REASSOCIATION
                16: BEACON
                32: GPS (once a minute)
                64: internal status
               128: send status to client
             choose pcapng frames to save (-f) using option -o
             improved rca_scan:
              0: no real time display
              1: show only access points in range (default)
               2: show only access points not in range
              3: show all access points
             improved GPS handling:
              read GPS information directly from device
              --use_gps_device=<device>
              or use GPSD
              --use_gpsd
              use full standard NMEA raw sentences $GPGGA, $GPRMC, $GPWPL
              this version needs hcxpcaptool v6.0.0 or gpsbabel to convert GPS information
              gpsbabel  -i nmea -f nmea.txt -o gpx -F test.gpx
              then open test.gpx with viking (layer -> waypoint -> BSSID) 
             ignore M4 if SNONCE is zeroed
             ignore PMKID if zeroed
             improved handling of radiotap header on ath9k_htc driver
             new option codes:
              ENTERPRISE NUMBER        0x2a, 0xce, 0x46, 0xa1
              MAGIC NUMBER             0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33,
                                       0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62,
                                       0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f,
                                       0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98
              OPTIONCODE_MACMYORIG     0xf29a (6 byte)
              OPTIONCODE_MACMYAP       0xf29b (6 byte)
              OPTIONCODE_RC            0xf29c (8 byte)
              OPTIONCODE_ANONCE        0xf29d (32 byte)
              OPTIONCODE_MACMYSTA      0xf29e (6 byte)
              OPTIONCODE_SNONCE        0xf29f (32 byte)
              OPTIONCODE_WEAKCANDIDATE 0xf2a0 (32 byte)
              OPTIONCODE_GPS           0xf2a1 (max 128 byte)
             removed weak candidate check, because it leads to many, many unauthorized MP:M1M2

hcxpioff: new options --tot, --poweroff, --reboot
--tot=<digit>  : enable timeout timer in minutes (minimum = 2 minutes)
               : hcxpioff will terminate if tot reached
--reboot       : once hcxpioff terminated, reboot system


20.09.2019
==========
hcxdumptool: added pcapng custom block
             we store all custom information inside this block

list of used pcapng option codes:
#define OPTIONCODE_MACMYORIG		0xf29a
#define OPTIONCODE_MACMYAP		0xf29b
#define OPTIONCODE_RC			0xf29c
#define OPTIONCODE_ANONCE		0xf29d
#define OPTIONCODE_MACMYSTA		0xf29e
#define OPTIONCODE_SNONCE		0xf29f
#define OPTIONCODE_WEAKCANDIDATE	0xf2a0


18.09.2019
==========
hcxdumptool: added new option --weak_candidate
             added weak candidate detection on PMKID and WPA1
             weak candidate is no longer "hard coded"
--weak_candidate=<password>         : use this password (8...63 characters) for weak candidate alert
                                     default: 00000000
                                     affected: client-less attack

list of used pcapng option codes:
#define OPTIONCODE_MACMYAP		62107
#define OPTIONCODE_RC			62108
#define OPTIONCODE_ANONCE		62109
#define OPTIONCODE_MACMYSTA		62110
#define OPTIONCODE_SNONCE		62111
#define OPTIONCODE_WEAKCANDIDATE	62112


17.09.2019
==========
hcxdumptool: added weak password check
             highly experimental, only on WPA2 QOS
             new dependency: lib crypto (openssl)


07.09.2019
==========
hcxdumptool: added new options

--reactive_beacon                  : send internal/external beacon on every received proberequest
                                     affected: ap-less
--flood_beacon=<digit>             : transmit internal/external beacon after every <x> received management packet
                                     affected: ap-less


05.09.2019
==========
hcxdumptool: added new options (feature request: https://github.com/ZerBea/hcxdumptool/issues/70)

--disable_internal_beacons         : do not transmit beacons using received ESSIDs
                                     default: transmit this kind of beacon once on channel change or every five seconds
                                     affected: ap-less and reactive_beacon, flood_beacon
--use_external_beaconlist=<file>   : transmit beacons from this list
                                     maximum ESSID length 32, maximum entries 4095
                                     default: transmit this kind of beacon once on channel change or every five seconds
                                     affected: ap-less and reactive_beacon, flood_beacon


28.08.2019
==========
moved to v5.2.2


02.09.2019
==========
hcxdumptool : added bind() ll.sll_pkttype = PACKET_OTHERHOST | PACKET_OUTGOING
              added setsockopt() r.mr_type = PACKET_MR_PROMISC

now dmesg will show when device entered promiscuous mode
during hcxdumptool initialization:
[ 6313.657830] device wlp3s0f0u11u1 entered promiscuous mode

and when it left promiscuous mode after hcxdumptool terminated:
[ 6313.735833] device wlp3s0f0u11u1 left promiscuous mode


01.09.2019
==========
hcxdumptool     : print additional information about interfering services
first_steps.txt : added quickstart guide to docs


28.08.2019
==========
moved to v5.2.1


25.08.2019
==========
hcxdumptool: removed option --ignore_warning (no longer needed)
             hcxdumptool forces monitor mode via ioctl(SIOCGIWMODE) IW_MODE_MONITOR
             if that doesn't work on the first try, try again and/or
             set monitor mode manually:
             ip link set <interface> down
             iw dev <interface> set type monitor
             ip link set <interface> up

warning:     on some rtlXXXX drivers, netlink will not notice that we used forced ioctl() system calls
             in that case iw dev wlp3s0f0u11u4 will show you that the "netlink part" is still managed
             Interface wlp3s0f0u11u4
             ifindex 11
             wdev 0x800000001
             addr 70:f1:1c:27:ae:ec
             type managed
             wiphy 8
             txpower 13.00 dBm


19.08.2019
==========
moved to v5.2.0


18.08.2019
==========
hcxdumptool: print ESSID on status 1


15.08.2019
==========
hcxdumptool: added server - client status output (only local networks)
--server_port=<digit>              : define port for server status output (1...65535)
                                   : default IP: 224.0.0.255
--client_port=<digit>              : define port for client status read (1...65535)
                                   : default IP: 224.0.0.255

example:
on client machine run hcxdumptool with option --client_port=12345
$ hcxdumptool -i <interface> -o test.pcapng --enable_status=1 --client_port=12345

on capture machine run hcxdumptool with option --server_port=12345
$ hcxdumptool -i <interface> -o test.pcapng --enable_status=1 --server_port=12345


13.08.2019
==========
hcxdumptool: added new option --check_driver
--check_driver      : run several tests to determine that driver support all(!) required system calls

If everything is fine, result should look like this:
$ sudo hcxdumptool -i wlp3s0f0u10u4 --check_driver
driver tests passed - all required ioctl() system calls are supported by driver

If not, hcxdumptool will show which test failed:
$ sudo hcxdumptool -i wlp3s0f0u10u5 --check_driver
ioctl(SIOCGIFFLAGS) failed: No such device
ioctl(SIOCGIWMODE) failed: No such device
ioctl(SIOCSIFFLAGS) failed: No such device
ioctl(SIOCSIWMODE) - IW_MODE_MONITOR failed: No such device
ioctl(SIOCGIWMODE) failed: No such device
ioctl(SIOCGIWMODE) - IW_MODE_MONITOR failed
ioctl(SIOCSIFFLAGS) -IFF_UP failed: No such device
ioctl(SIOCGIFFLAGS) failed: No such device
ioctl(SIOCGIFFLAGS) - IFF_UP | IFF_RUNNING | IFF_BROADCAST failed
ioctl(SIOCGIFINDEX) failed: No such device
ioctl(SIOCETHTOOL) - ETHTOOL_GPERMADDR failed: No such device
ioctl(SIOCSIWFREQ) - IW_FREQ_FIXED failed: No such device
it looks like this interface/driver isn't suitable for hcxdumptool
possible reasons:
wrong interface selected
interface is blocked by another tool
driver doesn't support required ioctl() system calls


12.08.2019
==========
hcxdumptool: a crappy filter list is no longer a reason to terminate initialization


11.08.2019
==========
hcxdumptool: added new options --tot and --reboot
--tot=<digit>                      : enable timeout timer in minutes (minimum = 2 minutes)
                                   : hcxdumptool will terminate if tot reached (EXIT code = 2)
--reboot                           : once hcxdumptool terminated, reboot system

hcxdumptool return values:
0 = everything is fine
1 = error occurred
2 = tot reached


23.07.2019
==========
hcxdumptool: moved from usleep() to nanosleep()
hcxpioff: moved from usleep() to nanosleep()


17.07.2019
==========
added some additional information which ioctl() command isn't supported by driver
added warning on option --do_rcascan if packet injection fails (driver doesn't support
full packet injection) after 20 seconds

Remarks:
nl80211/cfg80211/mac80211 don't use ioctl() calls, they use netlink.
hcxdumptool uses ioctl() calls and will not work on netlink.
That is the case if ioctl(SIOCGIWMODE) or ioctl(SIOCSIWMODE) calls fail!

Read more here:
https://www.quora.com/What-are-the-differences-between-netlink-sockets-and-ioctl-calls


30.06.2019
==========
increased maximum filter list entries from 64 up to 255
this has a price tag, because hcxdumptool's response time increases.


25.06.2019
==========
detect Raspberry Pi 4


23.06.2019
==========
moved to v 5.1.7
hcxdumptool: improved help
             fixed pcapng option header


12.06.2019
==========
hcxdumptool: ignore more warnings if --ignore_warning is selected
             do not report issues if you run this option!!!


29.05.2019
==========
hcxdumptool moved to v 5.1.5


19.05.2019
==========
hcxdumptool: activated option --ignore_warning
--ignore_warning                   : ignore warnings
                                     try this if you get some driver warnings
                                     do not report issues


16.04.2019
==========
updated wiki device and README.md.
These adapters are working fine, running kernel 4.19, 4.20 and 5.0:
EDIMAX EW-7711UAN  ID 7392:7710 Edimax Technology Co., Ltd
ALLNET ALL-WA0150N ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
TENDA W311U+       ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
LogiLink WL0151    ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
regardless of the xhci issue.


14.04.2019
==========
removed all device names from README.md, because VENDORS often change chipsets or driver errors occur:
v1 of a device is working fine, while v2 doesn't work
device A, running driver A, is working fine, while device B running driver A doesn't work
driver doesn't support monitor mode
driver supports monitor mode, but doesn't support packet injection
Examples here:
https://bugzilla.kernel.org/show_bug.cgi?id=202241
https://bugzilla.kernel.org/show_bug.cgi?id=202243
https://bugzilla.kernel.org/show_bug.cgi?id=202541

To find a working device, I recommend reading wikidevi:
https://wikidevi.com/


02.04.2019
==========
hcxdumptool now uses this radiotap header:

static const uint8_t hdradiotap[] =
{
0x00, 0x00, // radiotap version + pad byte
0x0e, 0x00, // radiotap header length
0x06, 0x8c, 0x00, 0x00, // bitmap
0x00, // flags
0x02, // rate
0x14, // tx power
0x01, // antenna
0x08, 0x00 // tx flags
#define HDRRT_SIZE sizeof(hdradiotap)
};

read more about radiotap header here:
https://www.kernel.org/doc/Documentation/networking/mac80211-injection.txt
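As an added example (not hcxdumptool's own code), here is a decoder that walks this header's it_present bitmap with the radiotap size and alignment rules, which is what a capture parser has to do before it reaches the 802.11 frame behind the header; the rt_spec table, the struct and the function names are my own, and the second header in the comments is a constructed received-frame header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* hcxdumptool's header, copied from the entry above (values unchanged) */
static const uint8_t hdradiotap[] =
{
0x00, 0x00,             /* radiotap version (always 0) + pad byte */
0x0e, 0x00,             /* header length, little endian: 14 bytes */
0x06, 0x8c, 0x00, 0x00, /* it_present: bits 1, 2, 10, 11 and 15 set */
0x00,                   /* bit  1: flags */
0x02,                   /* bit  2: rate in 500 kbps units (1 Mbps) */
0x14,                   /* bit 10: dBm TX power (20 dBm) */
0x01,                   /* bit 11: antenna index */
0x08, 0x00              /* bit 15: TX flags, 0x0008 = do not wait for ACK */
};

/* size and alignment of the fields for it_present bits 0..22, from the
 * radiotap field list; size 0 marks a bit that carries no field */
static const struct { uint8_t size, align; } rt_spec[23] = {
    {8, 8}, {1, 1}, {1, 1}, {4, 2}, {2, 2}, {1, 1}, {1, 1}, {2, 2},
    {2, 2}, {2, 2}, {1, 1}, {1, 1}, {1, 1}, {1, 1}, {2, 2}, {2, 2},
    {1, 1}, {1, 1}, {0, 0}, {3, 1}, {8, 4}, {12, 2}, {12, 8}
};

struct rt_fields {
    uint32_t present;
    uint8_t flags, rate, txpower, antenna;
    uint16_t txflags;
    int has_antsignal;  /* bit 5 present: drivers report this on received frames */
    int8_t antsignal;   /* dBm antenna signal, valid when has_antsignal is set */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the radiotap header at buf. Returns the header length (the 802.11
 * frame starts there) or -1 for a truncated header or one carrying a field
 * whose size this decoder does not know (it could not skip past it). */
int radiotap_decode(const uint8_t *buf, size_t len, struct rt_fields *out)
{
    if (len < 8 || buf[0] != 0) return -1;
    size_t hdrlen = (size_t)buf[2] | (size_t)buf[3] << 8;
    if (hdrlen < 8 || hdrlen > len) return -1;

    uint32_t present = le32(buf + 4);
    size_t off = 8;
    /* bit 31 announces a further 32-bit bitmap word; extra words are only
     * tolerated when empty (fields in other namespaces are not handled) */
    for (uint32_t word = present; word & (1u << 31); off += 4) {
        if (off + 4 > hdrlen) return -1;
        word = le32(buf + off);
        if (word & 0x7fffffffu) return -1;
    }
    if (present & 0x7f800000u) return -1;   /* bits 23..30: not handled */

    memset(out, 0, sizeof *out);
    out->present = present;
    for (unsigned bit = 0; bit < 23; bit++) {
        if (!(present & (1u << bit))) continue;
        size_t size = rt_spec[bit].size, align = rt_spec[bit].align;
        if (size == 0) return -1;
        off = (off + align - 1) & ~(align - 1);   /* natural alignment */
        if (off + size > hdrlen) return -1;
        switch (bit) {
        case 1:  out->flags = buf[off]; break;
        case 2:  out->rate = buf[off]; break;
        case 5:  out->has_antsignal = 1; out->antsignal = (int8_t)buf[off]; break;
        case 10: out->txpower = buf[off]; break;
        case 11: out->antenna = buf[off]; break;
        case 15: out->txflags = (uint16_t)(buf[off] | buf[off + 1] << 8); break;
        default: break;   /* size known, value not needed: just skipped */
        }
        off += size;
    }
    return (int)hdrlen;
}

int main(void)
{
    struct rt_fields f;
    int n = radiotap_decode(hdradiotap, sizeof hdradiotap, &f);
    printf("header length %d, rate %d, txpower %d dBm, antenna %d, txflags 0x%04x, antsignal %s\n",
           n, f.rate, f.txpower, f.antenna, (unsigned)f.txflags,
           f.has_antsignal ? "present" : "absent");
    return n < 0;
}
```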


header is working with:
ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter)

removed "USB ID 7392:a812 Edimax Technology Co., Ltd" from "known as working device list"
because this driver is not working with the radiotap header.


30.03.2019
==========
hcxdumptool: added new option --silent
--silent : do not transmit!
           hcxdumptool is acting like a passive dumper

added RTL8187. Removed the wrong devices from the list (only RT3070 is affected)
* USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter (ALFA AWUS036H)
* USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter


29.03.2019
==========
added cflag DEBUG
if compiled with DEBUG, hcxdumptool shows raw packets and raw GPS data, directly received from the device

removed ALFA AWUS036NH from the "known as working" list, because the device doesn't work
any longer, running kernel 5.0.


28.03.2019
==========
removed devices from "known working" list:
* USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter (ALFA AWUS036H)
* USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter
because they are not working running kernel 5.0


27.03.2019
==========
removed wiringPi dependency
now we are running "bare metal" - complete GPIO stuff moved to hcxdumptool and hcxpioff
do not use wiringPi in combination with hcxdumptool and/or hcxpioff
Makefile: removed DOGPIOSUPPORT
hcxdumptool: changed wiringPi options to GPIO options
--gpio_button=<digit>              : Raspberry Pi GPIO pin number of button (2...27)
                                     default = GPIO not in use
--gpio_statusled=<digit>           : Raspberry Pi GPIO number of status LED (2...27)
                                     default = GPIO not in use

hcxpioff: changed wiringPi options to GPIO options
--gpio_button=<digit>              : Raspberry Pi GPIO pin number of button (2...27)
                                     default = GPIO not in use
--gpio_statusled=<digit>           : Raspberry Pi GPIO number of status LED (2...27)
                                     default = GPIO not in use

GPIO is disabled by default. If you want to activate GPIO support you must do
the hardware modifications as described here: doc/gpiowait.odg
and set the options according to your modification.
You can choose any GPIO pin, as long as you use a pull down resistor to ground.
The Raspberry Pi model should be detected automatically, and according to the revision we use:
GPIO mem 0x20000000 for A, B, A+, B+, Zero and Zero W(H)
GPIO mem 0x3F000000 for 2B, 3B, 3A+, 3B+
compute modules (CMx) are not supported.


20.03.2019
==========
hcxdumptool: GPIO pins are no longer hard coded!
--wpi_button=<digit>    : wiringPi number of button (0...31, Raspberry Pi A and B: 0 .. 16)
                          default = 7
--wpi_statusled=<digit> : wiringPi number of status LED (0...31, Raspberry Pi A and B: 0 .. 16)
                          default = 0


19.03.2019
==========
hcxpioff: refactored - GPIO pins are no longer hard coded!
--wpi_button=<digit>    : wiringPi number of button (0...31, Raspberry Pi A and B: 0 .. 16)
                          default = 7
--wpi_statusled=<digit> : wiringPi number of status LED (0...31, Raspberry Pi A and B: 0 .. 16)
                          default = 0
--help                  : show this help
--version               : show version


16.03.2019
==========
added man page hcxdumptool.1
removed device from list: 
USB ID 7392:a812 Edimax Technology Co., Ltd (Edimax AC600 USB / Manufacturer: Realtek)
because the driver from here: https://github.com/aircrack-ng/rtl8812au
is no longer working on kernel 5.0


09.03.2019
==========
hcxdumptool moved to v 5.1.4

hcxdumptool: added new option:
--ignore_warning                   : hcxdumptool will not terminate if other services take access on the device
                                   : warning: expect problems if hcxdumptool tries to change channels

From now on, hcxdumptool will not terminate during initialization
if another service takes access on the interface.
Expect problems and do not report issues related to this option!!!!

From now on, hcxdumptool will also show channel and frequency (when running option -C)
  1 / 2412MHz (20 dBm)
  2 / 2417MHz (20 dBm)
  3 / 2422MHz (20 dBm)
  4 / 2427MHz (20 dBm)
  5 / 2432MHz (20 dBm)
  6 / 2437MHz (20 dBm)
  7 / 2442MHz (20 dBm)
  8 / 2447MHz (20 dBm)
  9 / 2452MHz (20 dBm)
 10 / 2457MHz (20 dBm)
 11 / 2462MHz (20 dBm)
 12 / 2467MHz (20 dBm)
 13 / 2472MHz (20 dBm)


09.03.2019
==========
hcxdumptool: added improved warning message
Now hcxdumptool prints the error message received from the driver inside the brackets:
$ hcxdumptool -i wlp3s0f0u1 -c 14
initialization...
warning: unable to set channel 14 (Invalid argument) - removed this channel from scan list

In this case the user tried to set channel 14. The driver doesn't support this
and responds with "Invalid argument".


07.03.2019
==========
hcxdumptool: added debug code in main packet loop [processpackets()]
to print raw GPS data, received from GPSD:
/*
			printf("\ndebug: %s\n", gpsddata);
*/
uncomment this before you run make to retrieve these values.


06.03.2019
==========
hcxdumptool: added GPS date and GPS time to status and pcapng comment field.

$ sudo hcxdumptool -i wlp3s0f0u1 --use_gpsd -o test.pcapng
initialization...
connecting to GPSD...
waiting up to 5 seconds to retrieve first position
GPSD activated

start capturing (stop with ctrl+c)
GPS LATITUDE.............: 49.126403
GPS LONGITUDE............: 4.626175
GPS ALTITUDE.............: 129.500000
GPS DATE.................: 06.03.2019
GPS TIME.................: 21:52:41
INTERFACE................: wlp3s0f0u1
ERRORMAX.................: 100 errors
FILTERLIST...............: 0 entries
MAC CLIENT...............: f04f7c89dabb
MAC ACCESS POINT.........: 980ee432604d (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 61455
ANONCE...................: 182972399cd2e65deb7941601cca14b644681c092dcf6f704935c7f3d2eaceea

INFO: cha=11, rx=7080, rx(dropped)=1676, tx=408, powned=10, err=0, lat=49.126342, lon=4.626268, alt=129.500000, gpsdate=06.03.2019, gpstime=22:01:55^C
terminated...

$ tshark -r test.pcapng-0 -Y frame.comment -T fields -E header=y -e frame.number -e frame.time -e wlan.sa -e frame.comment
172	Mar  6, 2019 23:01:48.793212000 CET	1a:f8:7c:91:24:a3	lat:49.126337,lon:4.626268,alt:129.500000,date:06.03.2019,time:22:01:48


05.03.2019
==========
hcxdumptool: removed general info about tx-power - now we use iw style to show tx-power/channel
hcxdumptool -i <interface> -C
initialization...
available channels:
1 (20 dBm)
2 (20 dBm)
3 (20 dBm)
...
132 (26 dBm)
136 (26 dBm)
140 (26 dBm)
149 (13 dBm)
153 (13 dBm)
157 (13 dBm)
161 (13 dBm)
165 (13 dBm)


26.02.2019
==========
hcxdumptool moved to version 5.1.3 due to several bug fixes and improved rcascan status output


18.02.2019
==========
release hcxdumptool v 5.1.2 due to several bugfixes


02.02.2019
==========
release hcxdumptool v 5.1.1


20.01.2019
==========
hcxdumptool:
added new MT76 device: "TP-LINK Archer T2U"
working with kernel: 4.19, 4.20 (some issues), 5.0
read more here:
https://github.com/ZerBea/hcxdumptool/issues/42
https://bugzilla.kernel.org/show_bug.cgi?id=202241
https://bugzilla.kernel.org/show_bug.cgi?id=202243


11.01.2019
==========
hcxdumptool:
From now on, we assume that a packet is outgoing if
the dBm Antenna Signal field is absent.


08.01.2019
==========
hcxdumptool and mac80211_hwsim
mac80211_hwsim is a Linux kernel module that can be used to simulate an
arbitrary number of IEEE 802.11 radios for mac80211. It can be used to
test hcxdumptool:
load module:
$ sudo modprobe mac80211_hwsim

run hcxdumptool to retrieve information about the interface:
$ hcxdumptool -I
wlan interfaces:
020000000000 wlan0 (mac80211_hwsim)
020000000100 wlan1 (mac80211_hwsim)

bring monitor interface up:
$ sudo ip link set hwsim0 up

run hcxdumptool:
$ sudo hcxdumptool -i wlan0
initialization...

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
ERRORMAX.................: 100 errors
FILTERLIST...............: 0 entries
MAC CLIENT...............: c8aacc9c01ec
MAC ACCESS POINT.........: 580943000000 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 62263
ANONCE...................: 513282ebb604e6e10c450d6c3eaa6428d118b54abeef4672be3ef700052305d5

INFO: cha=11, rx=0, rx(dropped)=0, tx=120, powned=0, err=0

run wireshark on wlan0 or hwsim0 to monitor hcxdumptool output.
do not forget to remove mac80211_hwsim when the module is no longer needed!

read more here:
https://www.kernel.org/doc/readme/Documentation-networking-mac80211_hwsim-README


04.01.2019
==========
hcxdumptool - changed flash time:
LED flashes every 5 seconds = everything is fine
LED stays on = no signal received during the last five seconds
hcxdumptool - ignore double outgoing packets (rth->it_present == 0)


03.01.2019
==========
hcxdumptool: changed flash time (5 times longer on ERROR)
hcxpioff: changed flash time


20.12.2018
==========
improved detection of broken driver
from now on the GPIO LED blinks twice every 5 seconds
- if a possible driver issue is detected
- if no packets were received during the last 5 seconds

another indicator is that the incoming packet counter (rx=xxxx)
doesn't increase

or dmesg shows this error:
[65786.808078] ieee80211 phy2: rt2x00queue_flush_queue: Warning - Queue 14 failed to flush
[65824.174119] ieee80211 phy2: rt2x00queue_flush_queue: Warning - Queue 14 failed to flush
[67801.029527] ------------[ cut here ]------------

it seems to be a kernel issue that hcxdumptool isn't able to handle automatically:
https://bbs.archlinux.org/viewtopic.php?id=237028
https://bugs.openwrt.org/index.php?do=details&task_id=929&opened=169&status%5B0%5D=
https://community.spiceworks.com/topic/2132263-ubuntu-16-04-wifi-disconnects-randomly
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1750226
https://www.raspberrypi.org/forums/viewtopic.php?t=206815

workaround:
1) get driver information
$ hcxdumptool -I
wlan interfaces:
7cdd90xxxxxx wlp3s0f0u2 (rt2800usb)

2) remove module
$ modprobe -r rt2800usb

3) load module
$ modprobe rt2800usb


18.12.2018
==========
added new option to set station MAC address
--station_mac=<mac_addr>           : use this MAC address for station
                                     format = 112233445566
                                     format = 112233000000  (to set only OUI)
                                     format = 445566 (to set only NIC)

added new option to set access point MAC address
--ap_mac=<mac_addr>                : use this MAC address for access point as start MAC
                                     format = 112233445566
                                     format = 112233000000  (to set only OUI)
                                     format = 445566 (to set only NIC)
                                     warning: do not use a MAC of an existing access point in your range

improved detection of broken driver
set default ERRORMAX to 100
added option to set ERRORMAX
-T <digit>     : set maximum ERROR count (hcxdumptool terminates when the value is reached)
                 default: 100 errors

Remarks:
the error count will increase by one if the number of sent packets (tx=xxx) > 3 * incoming packets (rx=xxx)


15.12.2018
==========
improved random generator (now seeded with the adapter MAC address)
Raspberry Pi: improved handling of GPIO switch


07.12.2018
==========
restore interface settings after -C
improved help menu
- more information about monitor mode
- more information about packet injection
monitor mode and packet injection must be supported by the driver,
otherwise hcxdumptool will not work.


05.12.2018
==========
moved to v 5.1.0 (according to hashcat)


04.12.2018
==========
added new option:
-C             : show available channels and quit


27.11.2018
==========
added new option:
--poweroff                         : once hcxdumptool finished, power off system


26.11.2018
==========
several big endian fixes
switched to version 5.0.1


07.10.2018
==========
added new option filter mode 3:
--filterlist=<file>                : mac filter list
                                     format: 112233445566 + comment
                                     maximum line length 255, maximum entries 64
--filtermode=<digit>               : mode for filter list
                                     1: use filter list as protection list (default) in transmission branch
                                        receive everything, interact with all APs and CLIENTs in range,
                                        except(!) the ones from the filter list
                                     2: use filter list as target list in transmission branch
                                        receive everything, only interact with APs and CLIENTs in range,
                                        from the filter list
                                     3: use filter list as target list in receiving branch
                                        only receive APs and CLIENTs in range,
                                        from the filter list


30.10.2018
==========
moved to version 5.0.0


05.10.2018
==========
added more error messages
fixed small bug in error count on channel change failure


04.10.2018
==========
show GPS position (if activated) in status line (refresh every 5 seconds)
fixed broken status display on rcascan
increased speed of rcascan
fixed error handling if selected channels not supported by driver
if option -t is not set, skip empty channels after one second 
improved scan list
fixed some static var


01.10.2018
==========
changed order of channels in default scan list:
1, 9, 6, 3, 11, 7, 1, 10, 6, 8, 11, 4, 1, 12, 6, 2, 11, 5, 13


27.09.2018
==========
added GPSD support (stored as comment in pcapng file)
--use_gpsd                         : use GPSD to retrieve position
                                     add latitude, longitude and altitude to every pcapng frame
device must be supported by GPSD:
http://www.catb.org/gpsd/hardware.html
(tested using: AktivePilot JENTRO BT-GPS-8)

Retrieve GPS information with:
$ tshark -r filename.pcapng -Y frame.comment -T fields -E header=y -e frame.number -e frame.time -e wlan.sa -e frame.comment


write mac_ap to pcapng SHB
write mac_sta to pcapng SHB
SHB optioncodes:
#define OPTIONCODE_MACMYAP	62107
#define OPTIONCODE_RC		62108
#define OPTIONCODE_ANONCE	62109
#define OPTIONCODE_MACMYSTA	62110


16.09.2018
==========
show warning if NetworkManager and/or wpa_supplicant is running


15.09.2018
==========
added Cisco Systems, Inc VENDOR information
--station_vendor=<digit>           : use this VENDOR information for station
                                     0: transmit no VENDOR information (default)
                                     1: Broadcom
                                     2: Apple-Broadcom
                                     3: Sonos
                                     4: Netgear-Broadcom
                                     5: Wilibox Deliberant Group LLC
                                     6: Cisco Systems, Inc


11.09.2018
==========
You can “uncomment a line” in a configuration file
by removing the # at the start of the line.
Or, to “comment out” a line, add a # character
to the start of the line. 

001122334455 myap
# aabbccddeeff ignore this mac
112233445566 second ap
# this is my comment
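Added example (not hcxdumptool's own parser): a reader for this list format that skips '#' lines and blank lines, enforces the 255-character line and 64-entry limits given in the 07.10.2018 entry, and counts malformed lines instead of aborting the whole parse. Struct and function names are my own; the sample file is the one above plus a constructed malformed line.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILTERLIST_MAXLINE    255   /* limits from the 07.10.2018 entry */
#define FILTERLIST_MAXENTRIES 64

struct filterlist {
    uint8_t mac[FILTERLIST_MAXENTRIES][6];
    size_t count;     /* valid entries */
    size_t skipped;   /* malformed lines that were ignored */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse one line of the list. Returns 1 if an entry was added, 0 for a blank
 * line or a line whose first non-blank character is '#', and -1 if the line
 * is malformed (bad or missing 12-digit MAC, too long) or the list is full. */
int filterlist_addline(struct filterlist *fl, const char *line)
{
    if (strcspn(line, "\r\n") > FILTERLIST_MAXLINE) return -1;
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\r' || *p == '\n' || *p == '#') return 0;
    uint8_t mac[6];
    for (int i = 0; i < 6; i++) {            /* exactly 12 hex digits, no separators */
        int hi = hexval((unsigned char)p[2 * i]);
        if (hi < 0) return -1;
        int lo = hexval((unsigned char)p[2 * i + 1]);
        if (lo < 0) return -1;
        mac[i] = (uint8_t)(hi << 4 | lo);
    }
    p += 12;
    /* the MAC must be followed by end of line or a blank; the rest is the comment */
    if (*p != '\0' && *p != '\r' && *p != '\n' && *p != ' ' && *p != '\t') return -1;
    if (fl->count >= FILTERLIST_MAXENTRIES) return -1;
    memcpy(fl->mac[fl->count++], mac, 6);
    return 1;
}

/* Parse a whole list given as one string (the file content), split on '\n'.
 * Returns the number of entries kept; malformed lines are counted in
 * fl->skipped instead of aborting (the behaviour the 12.08.2019 entry describes). */
int filterlist_parse(struct filterlist *fl, const char *text)
{
    char line[FILTERLIST_MAXLINE + 2];
    memset(fl, 0, sizeof *fl);
    for (const char *p = text; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        if (n > FILTERLIST_MAXLINE) {
            fl->skipped++;
        } else {
            memcpy(line, p, n);
            line[n] = '\0';
            if (filterlist_addline(fl, line) < 0) fl->skipped++;
        }
        p = eol ? eol + 1 : p + n;
    }
    return (int)fl->count;
}

/* Lookup as used by filter mode 1 (protection list): 1 if mac is listed */
int filterlist_contains(const struct filterlist *fl, const uint8_t mac[6])
{
    for (size_t i = 0; i < fl->count; i++)
        if (memcmp(fl->mac[i], mac, 6) == 0) return 1;
    return 0;
}

/* Constructed sample file: the example from the entry above plus one
 * malformed line (11 digits) to show it is skipped rather than fatal */
static const char sample_filterlist[] =
    "001122334455 myap\n"
    "# aabbccddeeff ignore this mac\n"
    "112233445566 second ap\n"
    "# this is my comment\n"
    "11223344556 too short\n";

int main(void)
{
    struct filterlist fl;
    int n = filterlist_parse(&fl, sample_filterlist);
    printf("%d entries, %zu malformed lines skipped\n", n, fl.skipped);
    return 0;
}
```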


05.09.2018
==========
added Netgear Broadcom VENDOR information
added Wilibox Deliberant Group LLC VENDOR information


04.09.2018
==========
improved rcascan (show time and access points which hide their ESSID)
prepare detection of PMF
refactored access point handling
handle 4096 access points simultaneously
refactored client handling
handle 4096 clients simultaneously
speed up retrieving PMKIDs (< 1 minute)
attack access points which hide their ESSID
increased filter list line length
increased filter list maximum entries
added option to show beacons in status output:
--enable_status=<digit>            : enable status messages
                                     bitmask:
                                      1: EAPOL
                                      2: PROBEREQUEST/PROBERESPONSE
                                      4: AUTHENTICATION
                                      8: ASSOCIATION
                                     16: BEACON

added option to choose station VENDOR information:
--station_chipset=<digit>          : use this VENDOR information for station
                                     0: transmit no VENDOR information (default)
                                     1: Broadcom
                                     2: Apple-Broadcom
                                     3: Sonos


30.08.2018
==========
iw/ip functionality added!
now hcxdumptool will set monitor mode and bring up interface!
previous interface settings will be restored, when hcxdumptool terminated


19.08.2018
==========
parse SAE authentication


19.08.2018
==========
added radio assignment scan
--do_rcascan                       : show radio channel assignment (scan for target access points)
--save_rcascan=<file>              : output rca scan list to file when hcxdumptool terminated
--save_rcascan_raw=<file>          : output file in pcapng format
                                     unfiltered packets
                                     including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)


17.08.2018
==========
detect NETWORK EAP authentication system
transmit BROADCAST beacon


16.08.2018
==========
From now on we store open system authentications to pcapng
only if they have a vendor specific field.
We are no longer interested in standard open system authentications (payload len = 6)


changed some default values:

-D <digit>     : deauthentication interval
                 default: 10 (every 10 beacons)
                 the target beacon interval is used as trigger
-A <digit>     : ap attack interval
                 default: 10 (every 10 beacons)
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
                                     default: 100 tries (minimum: 4)
                                     affected: connections between client and access point
                                     deauthentication attacks will not work against protected management frames
--give_up_ap_attacks=<digit>       : disable transmitting directed proberequests after n tries
                                     default: 100 tries (minimum: 4)
                                     affected: client-less attack
                                     deauthentication attacks will not work against protected management frames



13.08.2018
==========
increased some attack values:
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
                                     default: 100 tries (minimum: 4)
                                     affected: connections between client and access point
                                     deauthentication attacks will not work against protected management frames
--give_up_ap_attacks=<digit>       : disable transmitting directed proberequests after n tries
                                     default: 100 tries (minimum: 4)


07.08.2018
==========
moved to 4.2.1
added communication between hcxdumptool and hcxpcaptool via pcapng option fields:
62108 for REPLAYCOUNT uint64_t
62109 for ANONCE uint8_t[32]
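Added example, not hcxdumptool's or hcxpcaptool's own code: a reader for the option codes listed here and in the 27.09.2018 entry (62107 MACMYAP, 62108 RC, 62109 ANONCE, 62110 MACMYSTA), which walks the option list of a pcapng Section Header Block with the 32-bit padding rule and checks the block lengths before trusting them, plus a builder for a constructed SHB to run it against. Function and struct names are assumptions; the MAC and REPLAYCOUNT values are the ones from the 06.03.2019 status output, the ANONCE is a constructed byte run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* hcxdumptool's SHB option codes, as listed in the 27.09.2018 entry */
#define OPTIONCODE_MACMYAP   62107
#define OPTIONCODE_RC        62108
#define OPTIONCODE_ANONCE    62109
#define OPTIONCODE_MACMYSTA  62110
#define PCAPNG_SHB_TYPE 0x0a0d0d0au
#define PCAPNG_MAGIC_LE 0x1a2b3c4du   /* byte-order magic of a little-endian file */
#define SHB_FIXED_LEN   28            /* type, length, magic, version, section length */

struct shb_hcx {
    uint8_t macmyap[6], macmysta[6], anonce[32];
    uint64_t rc;
    unsigned found;   /* bit 0 macmyap, bit 1 rc, bit 2 anonce, bit 3 macmysta */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t le64(const uint8_t *p) { return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = v >> 8 & 0xff; p[2] = v >> 16 & 0xff; p[3] = v >> 24; }

/* Walk the option list of a little-endian SHB and copy out hcxdumptool's
 * options. Returns 0 on success, -1 if the block is malformed (wrong type
 * or magic, inconsistent block lengths, an option running past the block). */
int shb_read_hcx_options(const uint8_t *blk, size_t len, struct shb_hcx *out)
{
    memset(out, 0, sizeof *out);
    if (len < SHB_FIXED_LEN + 4) return -1;
    if (le32(blk) != PCAPNG_SHB_TYPE || le32(blk + 8) != PCAPNG_MAGIC_LE) return -1;
    uint32_t total = le32(blk + 4);   /* block total length, repeated at the end */
    if (total < SHB_FIXED_LEN + 4 || total > len || total % 4 ||
        le32(blk + total - 4) != total) return -1;

    size_t off = SHB_FIXED_LEN, end = total - 4;
    while (off + 4 <= end) {
        uint16_t code = le16(blk + off), olen = le16(blk + off + 2);
        const uint8_t *val = blk + off + 4;
        if (code == 0) return 0;                 /* opt_endofopt */
        if (off + 4 + olen > end) return -1;
        switch (code) {                          /* an unexpected length is ignored */
        case OPTIONCODE_MACMYAP:  if (olen == 6)  { memcpy(out->macmyap, val, 6);  out->found |= 1; } break;
        case OPTIONCODE_RC:       if (olen == 8)  { out->rc = le64(val);           out->found |= 2; } break;
        case OPTIONCODE_ANONCE:   if (olen == 32) { memcpy(out->anonce, val, 32);  out->found |= 4; } break;
        case OPTIONCODE_MACMYSTA: if (olen == 6)  { memcpy(out->macmysta, val, 6); out->found |= 8; } break;
        default: break;                          /* shb_hardware, shb_userappl, ...: skipped */
        }
        off += 4 + ((olen + 3u) & ~3u);          /* option values are padded to 32 bits */
    }
    return off == end ? 0 : -1;   /* a block without any option is valid too */
}

/* Append one option (code, length, value, padding) at buf + off; returns the new off */
static size_t put_opt(uint8_t *buf, size_t off, uint16_t code, uint16_t olen, const void *val)
{
    buf[off] = code & 0xff; buf[off + 1] = code >> 8;
    buf[off + 2] = olen & 0xff; buf[off + 3] = olen >> 8;
    if (olen) memcpy(buf + off + 4, val, olen);
    size_t pad = (4 - olen % 4) % 4;
    memset(buf + off + 4 + olen, 0, pad);
    return off + 4 + olen + pad;
}

/* Build a constructed SHB carrying the four options (MACs and REPLAYCOUNT 61455 from
 * the 06.03.2019 status output, ANONCE a constructed 0..31 byte run). Returns the
 * block length, 0 if cap is too small. */
size_t build_sample_shb(uint8_t *buf, size_t cap)
{
    static const uint8_t ap[6]  = {0x98, 0x0e, 0xe4, 0x32, 0x60, 0x4d};
    static const uint8_t sta[6] = {0xf0, 0x4f, 0x7c, 0x89, 0xda, 0xbb};
    static const uint8_t rc[8]  = {0x0f, 0xf0, 0, 0, 0, 0, 0, 0};   /* 61455 little endian */
    uint8_t anonce[32]; for (int i = 0; i < 32; i++) anonce[i] = (uint8_t)i;
    if (cap < 128) return 0;

    memset(buf, 0, SHB_FIXED_LEN); put32(buf, PCAPNG_SHB_TYPE);
    put32(buf + 8, PCAPNG_MAGIC_LE);
    buf[12] = 1;                          /* major version 1, minor version 0 */
    memset(buf + 16, 0xff, 8);            /* section length: unspecified */
    size_t off = SHB_FIXED_LEN;
    off = put_opt(buf, off, OPTIONCODE_MACMYAP, 6, ap);
    off = put_opt(buf, off, OPTIONCODE_RC, 8, rc);
    off = put_opt(buf, off, OPTIONCODE_ANONCE, 32, anonce);
    off = put_opt(buf, off, OPTIONCODE_MACMYSTA, 6, sta);
    off = put_opt(buf, off, 0, 0, NULL);  /* opt_endofopt */
    put32(buf + 4, (uint32_t)(off + 4));  /* block total length, at the start and the end */
    put32(buf + off, (uint32_t)(off + 4));
    return off + 4;
}

int main(void)
{
    uint8_t buf[128]; struct shb_hcx h;
    size_t n = build_sample_shb(buf, sizeof buf);
    if (shb_read_hcx_options(buf, n, &h) != 0) return 1;
    printf("SHB %zu bytes, found mask 0x%x, replaycount %llu\n", n, h.found, (unsigned long long)h.rc);
    return 0;
}
```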

enabled hardware handshake instead of software handshake
changed behavior of status:
--enable_status=<digit>            : enables status messages
                                     bitmask:
                                     1: EAPOL
                                     2: PROBEREQUEST/PROBERESPONSE
                                     4: AUTHENTICATION
                                     8: ASSOCIATION
Now we use a bitmask to deliver status messages.


06.08.2018
==========
write ISB (Interface Statistics Block) at the end of a capture


04.08.2018
==========
added new option (--disable_active_scan) to hcxdumptool
--disable_active_scan: do not transmit proberequests to BROADCAST using a BROADCAST ESSID


04.08.2018
==========
release hcxdumptool 4.2.0
completely refactored:
- various new options
- measurement of EAPOL timeout
- full support for hashcat hashmodes -m 16800 and 16801
- now the default format is pcapng


$ ./hcxdumptool-bleeding --help
hcxdumptool 4.2.0 (C) 2018 ZeroBeat
usage  : hcxdumptool <options>
example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status

options:
-i <interface> : interface (monitor mode must be enabled)
                 ip link set <interface> down
                 iw dev <interface> set type monitor
                 ip link set <interface> up
-o <dump file> : output file in pcapngformat
                 management frames and EAP/EAPOL frames
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : output file in pcapngformat
                 unencrypted IPv4 and IPv6 frames
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-W <dump file> : output file in pcapngformat
                 encrypted WEP frames
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit>     : set scanlist  (1,2,3,...)
                 default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
                 maximum entries: 127
                 allowed channels:
                 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64
                 100, 104, 108, 112, 116, 120, 124, 128, 132,
                 136, 140, 144, 147, 149, 151, 153, 155, 157
                 161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216
-t <seconds>   : stay time on channel before hopping to the next channel
                 default: 5 seconds
-E <digit>     : EAPOL timeout
                 default: 100000 = 1 second
                 value depends on channel assignment
-D <digit>     : deauthentication interval
                 default: 20 (every 20 beacons)
                 the target beacon interval is used as trigger
-A <digit>     : ap attack interval
                 default: 20 (every 20 beacons)
                 the target beacon interval is used as trigger
-I             : show suitable wlan interfaces and quit
-h             : show this help
-v             : show version

--filterlist=<file>                : mac filter list
                                     format: 112233445566 + comment
                                     maximum line lenght 128, maximum entries 32
--filtermode=<digit>               : mode for filter list
                                     1: use filter list as protection list (default)
                                     2: use filter list as target list
--disable_deauthentications:         disable transmitting deauthentications
                                     affected: connections between client an access point
                                     deauthentication attacks will not work against protected management frames
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
                                     default: 10 tries (minimum: 4)
                                     affected: connections between client an access point
                                     deauthentication attacks will not work against protected management frames
--disable_disassociations          : disable transmitting disassociations
                                     affected: retry (EAPOL 4/4 - M4) attack
--disable_ap_attacks               : disable attacks on single access points
                                     affected: client-less (PMKID) attack
--give_up_ap_attacks=<digit>       : disable transmitting directed proberequests after n tries
                                     default: 10 tries (minimum: 4)
                                     affected: client-less attack
                                     deauthentication attacks will not work against protected management frames
--disable_client_attacks           : disable attacks on single clients points
                                     affected: ap-less (EAPOL 2/4 - M2) attack
--enable_status                    : enable status messages
--help                             : show this help
--version                          : show version



01.08.2018
==========
moved some stuff from hcxtools to hcxdumptool repository
prepare complete refactoring!


04.03.2018
==========
hcxdumptool: added new option -W
-W <dump file> : WEP encrypted packets output file in pcap format including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)


04.03.2018
==========
hcxdumptool again completely refactored:


02.03.2018
==========
hcxdumptool is completely refactored:
- improved scan engine
- improved authentication engine (incl. Radio Measurement, and NULL frame detection)
- dropped timer
- use threads for LED and channel switch
- use only one file descriptor for raw socket operations
- working on Intel Corporation Centrino Ultimate-N 6300 (rev 3e) WiFi adapter (kernel >= 4.15)
- working on Alfa AWUS036NH, Alfa AWUS036NHA
- working on Alfa AWUS036ACH (driver: https://github.com/kimocoder/rtl8812au)
- more channels allowed (depends on installed wireless regulatory domain)
- simple usage: hcxdumptool -i <interface> -o dumpfile.pcap -t 5
  interface (real interface - no monX) must be in monitor mode - all services/programs with access to the interface must be stopped!
- new format of blacklist
- and more...

reported to run on Gentoo
https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/2#issuecomment-369256915

reported to run on OpenWRT/LEDE
https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/3#issuecomment-369756725

reported to run with Intel Corporation Centrino Ultimate-N 6300 (rev 3e)
https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/2#issuecomment-369259800

$ hcxdumptool -h
hcxdumptool 4.1.0 (C) 2018 ZeroBeat
usage:
hcxdumptool <options>

options:
-i <interface> : interface (monitor mode must be eanabled)
                 ip link set <interface> down
                 iw dev <interface> set type monitor
                 ip link set <interface> up
-o <dump file> : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : ip based traffic output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit>     : set scanlist  (1,2,3,... / default = default scanlist)
                 default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
                 allowed channels:
                 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                 36, 40, 44, 48, 52, 56, 60, 64
                 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 147, 151, 155, 167
-t <seconds>   : stay time on channel before hopping to the next channel
                 default = 5 seconds
-T <maxerrors> : terminate after <x> maximal errors
               : default: 1000000
-D             : do not transmit deauthentications or disassociations
-R             : do not transmit requests
-A             : do not respond to requests from clients
-B <file>      : blacklist (do not deauthenticate clients from this hosts)
                 format = mac_ap:mac_sta:ESSID
                 112233445566:aabbccddeeff:networkname (max. 32 chars)
-P             : enable poweroff
-s             : enable status messages
-I             : show suitable wlan interfaces and quit
-h             : show this help
-v             : show version


27.02.2018
==========
Recommendations, since we ran into heavy problems with latest drivers and operating systems:
* Operating system: archlinux (strict), Kernel >= 4.14 (strict)
* Raspberry Pi A, B, A+, B+ (Recommended: A+ = very low power consumption or B+), but notebooks and desktops could work, too.
* GPIO hardware mod recommended

Supported adapters (strict)
* USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
* USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
* USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
* USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
* USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter
 

25.02.2018
==========
- initial start of this repository
- added hcxdumptool
- added hcxpioff