Provided by: hcxtools_6.3.5-1_amd64 
NAME
hcxpcapngtool - hcx tools set
DESCRIPTION
hcxpcapngtool 6.3.5 (C) 2024 ZeroBeat convert pcapng, pcap and cap files to hash formats that hashcat and
JtR use usage: hcxpcapngtool <options> hcxpcapngtool <options> input.pcapng hcxpcapngtool <options>
*.pcapng hcxpcapngtool <options> *.pcap hcxpcapngtool <options> *.cap hcxpcapngtool <options> *.*
short options: -o <file> : output WPA-PBKDF2-PMKID+EAPOL hash file (hashcat -m 22000)
get full advantage of reuse of PBKDF2 on PMKID and EAPOL
-E <file> : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for
cracker
retrieved from every frame that contain an ESSID
-R <file> : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for
cracker
retrieved from PROBEREQUEST frames only
-I <file> : output unsorted identity list to use as input wordlist for cracker -U <file> : output
unsorted username list to use as input wordlist for cracker -D <file> : output device information list
format MAC MANUFACTURER MODELNAME SERIALNUMBER DEVICENAME UUID ESSID
-h : show this help -v : show version
long options: --all : convert all possible hashes instead of only the best
one
that can lead to much overhead hashes
use hcxhashtool to filter hashes need hashcat --nonce-error-corrections >= 8
--eapoltimeout=<digit> : set EAPOL TIMEOUT (milliseconds)
: default: 5000 ms
--nonce-error-corrections=<digit> : set nonce error correction
warning: values > 0 can lead to uncrackable handshakes
: default: 0
--ignore-ie : do not use CIPHER and AKM information
this will convert all frames regadless of
CIPHER and/OR AKM information, and can lead to uncrackable hashes
--max-essids=<digit> : maximum allowed ESSIDs
default: 1 ESSID
disregard ESSID changes and take ESSID with highest ranking
--eapmd5=<file> : output EAP MD5 CHALLENGE (hashcat -m 4800) --eapmd5-john=<file>
: output EAP MD5 CHALLENGE (john chap) --eapleap=<file> : output EAP LEAP and MSCHAPV2
CHALLENGE (hashcat -m 5500, john netntlm) --tacacs-plus=<file> : output TACACS PLUS v1
(hashcat -m 16100, john tacacs-plus) --nmea=<file> : output GPS data in NMEA 0183
format
format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
to convert it to gpx, use GPSBabel: gpsbabel -i nmea -f hcxdumptool.nmea -o gpx,gpxver=1.1 -F
hcxdumptool.gpx to display the track, open file.gpx with viking
--csv=<file> : output ACCESS POINT information in CSV format
delimiter: tabulator (0x08)
columns: YYYY-MM-DD HH:MM:SS MAC_AP ESSID ENC_TYPE CIPHER AKM COUNTRY_INFO CHANNEL RSSI GPS(DM.m)
GPS(D.d) GPSFIX SATCOUNT HDOP ALTITUDE UNIT GPS FIX: 0 = fix not available or invalid 1 = fix
valid (GPS SPS mode) 2 = fix valid (differential GPS SPS Mode) 3 = not supported 4 = not supported
5 = not supported 6 = fix valid (Dead Reckoning Mode) to convert it to other formats, use bash
tools or scripting languages
--log=<file> : output logfile --raw-out=<file> : output frames in
HEX ASCII
: format: TIMESTAMP*LINKTYPE*FRAME*CHECKSUM
--raw-in=<file> : input frames in HEX ASCII
: format: TIMESTAMP*LINKTYPE*FRAME*CHECKSUM
--lts=<file> : output BSSID list to sync with external GPS data
format: LINUX timestamp <tab> RSSI <tab> MAC_AP <tab> ESSID
--pmkid-client=<file> : output WPA-(MESH/REPEATER)-PMKID hash file (hashcat -m 22000)
--pmkid=<file> : output deprecated PMKID file (delimiter *) --hccapx=<file>
: output deprecated hccapx v4 file --hccap=<file> : output deprecated hccap file
--john=<file> : output deprecated PMKID/EAPOL (JtR wpapsk-opencl/wpapsk-pmk-opencl)
--prefix=<file> : convert everything to lists using this prefix (overrides single
options):
-o <file.22000>
: output PMKID/EAPOL hash file
-E <file.essid>
: output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
-I <file.identity>
: output unsorted identity list to use as input wordlist for cracker
-U <file.username>
: output unsorted username list to use as input wordlist for cracker
--eapmd5=<file.4800>
: output EAP MD5 CHALLENGE (hashcat -m 4800)
--eapleap=<file.5500>
: output EAP LEAP and MSCHAPV2 CHALLENGE (hashcat -m 5500, john netntlm)
--tacacs-plus=<file.16100> : output TACACS+ (hashcat -m 16100, john tacacs-plus)
--nmea=<file.nmea> : output GPS data in NMEA 0183 format
--add-timestamp : add date/time and EAPOL TIME gap (time between two EAPOL MESSAGEs in
nsec) to hash line
this must be filtered out before feeding hashcat with the hash, e.g. by awk:
cat hash.hc22000 | awk '{print $1}' > hashremovedtimestamp.hc22000
--help : show this help --version : show version
bitmask of PMKID hash line (WPA*01) message pair field: 0: reserved 1: PMKID taken from AP 2: PMKID taken
from AP possible PSKSHA256 FT using PSK 3: reserved 4: PMKID taken from CLIENT (wlan.da: possible MESH or
REPEATER) 5: reserved 6: reserved 7: reserved
bitmask of EAPOL hash line (WPA*02) message pair field: 2,1,0:
000 = M1+M2, EAPOL from M2 (challenge) 001 = M1+M4, EAPOL from M4 (authorized) - usable if
NONCE_CLIENT is not zeroed 010 = M2+M3, EAPOL from M2 (authorized) 011 = M2+M3, EAPOL from M3
(authorized) - usable by option --all 100 = M3+M4, EAPOL from M3 (authorized) - usable by option
--all 101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
3: reserved 4: NC (set to 1) - nonce-error-corrections deactivated on M1M2ROGUE, M2M3E3 and M3M4E3 5: LE
router detected (set to 1) - nonce-error-corrections required only on LE 6: BE router detected (set to 1)
- nonce-error-corrections required only on BE 7: NC (set to 1) - nonce-error-corrections activated
Do not edit, merge or convert pcapng files! This will remove optional comment fields! Detection of bit
errors does not work on cleaned dump files! Do not use hcxpcapngtool in combination with third party
cap/pcap/pcapng cleaning tools (except: tshark and/or Wireshark)! It is much better to run gzip to
compress the files. Wireshark, tshark and hcxpcapngtool will understand this. Output is appended to
existing files. Recommended tools to show additional 802.11 fields or to decrypt WiFi traffic: Wireshark
and/or tshark Recommended tool to filter converted hash by several options: hcxhashtool Recommended tool
to get default or standard PSKs: hcxpsktool Recommended tool to calculate wordlists based on ESSID:
hcxeiutool Recommended tools to retrieve PSK from hash: hashcat, JtR
hcxpcapngtool 6.3.5 (C) 2024 ZeroBeat March 2025 HCXPCAPNGTOOL(1)