hcxdumptool: --filterlist_ap does not filter

Hi, I experience an issue with limiting capturing (and what is more important, sending deauth and flooding the network) to only one particular AP.

I saved 1 AP mac that I got from --do_rcascan into a file like this

$ cat ap-mac
112233445566

Of course, I put a different mac address. I tried with a line break at the end and without. The AP is on channel 1. Then I run your tool like this

sudo hcxdumptool -i wlx983f9f511fd0 --filterlist_ap=ap-mac -c1  -o capture.pcapng

and it immediately shows me

FILTERLIST ACCESS POINT...: 1 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused

But it seems that the tool ignores the --filterlist_ap option because it captures the packets from other APs that are not specified in the ap-mac file list. I take the info by running hcxhashtool --info=stdout followed by hcxpcapngtool.

I’ve run --check_driver and --check_injection tests with success.

Am I doing something wrong?

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 19 (10 by maintainers)

Most upvoted comments

The BPF is very powerful and extremely fast, because it is running inside the kernel space. The packets are filtered out before they reach hcxdumptool. That means that running BPFC is more strict than running filterlist in combination with filtermode. I use BPFC to protect own CLIENTs and own APs. Packets from them and to them are filtered completely.

Please take a look at addr3. In several cases it can be used instead of a combination of addr1 & addr2.

Also please take a look at tshark (e.g. to get MAC addresses from dump files). Example from here: https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap

$ tshark -r wpa-Induction.pcap -T fields -e wlan.sa | sort | uniq

00:0c:41:82:b2:53
00:0c:41:82:b2:55
00:0d:1d:06:e0:f2
00:0d:93:82:36:3a
00:0f:66:16:94:73
4a:91:5a:a3:e4:0b

There are good tools (tshark, which is 100% compatible with hcxdumptool, tcpdump, bpf-tools, scapy) to collect all information. A python script (like yours - which is a good idea) can be used to put them all together. Perl, java, php scripts can do the same. I’ll say that there is no need to reinvent the wheel again and to code “just another wrapper” to hcxtools.

BTW: The tcpdump example in --help is a very simple example. It is far from covering the entire potential of a BPF. To cover special cases, you may need a more complex BPF.
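As an added example (not code from the issue or from the hcxtools project), the glue script the comment above alludes to: it takes the colon-separated MAC list that tshark prints, normalizes it to the 12-hex-digit-per-line format the filterlist file in the original post uses, and builds the "protect own APs and CLIENTs" tcpdump expression over addr1/addr2/addr3 (or addr3 alone). The tshark output is a constructed sample; feeding the expression to tcpdump -ddd for hcxdumptool's BPFC input is assumed to follow the tool's --help, which is not reproduced here.

```python
import re

# Constructed sample of `tshark -r x.pcap -T fields -e wlan.sa | sort | uniq` output.
SAMPLE_TSHARK_OUTPUT = """00:0c:41:82:b2:53
00:0c:41:82:b2:55

4a:91:5a:a3:e4:0b
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_macs(text):
    """Return the unique MACs in tshark output as 12 lowercase hex digits
    (the format the filterlist file in the issue uses). Rejects junk lines
    so a stray header or error message never ends up as a 'MAC'."""
    macs = []
    for line in text.splitlines():
        line = line.strip().lower()
        if not line:
            continue
        if not MAC_RE.match(line):
            raise ValueError(f"not a MAC address: {line!r}")
        mac = line.replace(":", "")
        if mac not in macs:
            macs.append(mac)
    return macs


def to_colon(mac12):
    """112233445566 -> 11:22:33:44:55:66 (the form tcpdump's wlan primitives take)."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


def filterlist(macs):
    """Content of an hcxdumptool --filterlist_ap / --filterlist_client file."""
    return "".join(m + "\n" for m in macs)


def protect_bpf(macs, fields=("addr1", "addr2", "addr3")):
    """tcpdump expression that drops every frame carrying one of the given MACs
    in any listed 802.11 address field, i.e. packets from and to own devices
    are filtered completely before they reach hcxdumptool."""
    terms = [f"not wlan {f} {to_colon(m)}" for m in macs for f in fields]
    return " and ".join(terms)


if __name__ == "__main__":
    own = parse_macs(SAMPLE_TSHARK_OUTPUT)
    print(filterlist(own), end="")
    print(protect_bpf(own))
```

The expression printed last is what would be handed to tcpdump (with -ddd) to produce the kernel filter; addr3 alone covers the BSSID in most data and management frames, which is the shortcut the comment suggests.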