How to reduce WPA(2) capture file size

This tutorial will help you to reduce the dump size of your handshakes (.cap).

Let's remove the crap inside a WPA(2) dump

Blog Single

Easy & fast

If you have a large WPA dump file you need to remove the excess data. You can (must!) do this with hcxpcaptool utility from the hcxtools suite.
Many thanks to ZerBea for his work. We advise you to always use hcxtools for anything WPA related, like conversion, cleaning, displaying information, etc.


Source are available on github: hcxtools.
There are no binaries at this time you can download, so you will need to compile the tool: simply make.


hcxpcaptool shows info of pcap/pcapng file and convert it to other hashformats accepted by hashcat and John the Ripper. It converts AND clean your file:
./hcxpcaptool -o new.hccapx original_file.cap
More options can be used:
-o  : output hccapx file (hashcat -m 2500/2501)
-O  : output raw hccapx file (hashcat -m 2500/2501)
-x  : output hccap file (hashcat -m 2500)
-X  : output raw hccap file (hashcat -m 2500)
-z  : output PMKID file (hashcat hashmode -m 16800)
-Z  : output PMKID file (hashcat hashmode -m 16801)
-j  : output john WPAPSK-PMK file (john wpapsk-opencl)
-J  : output raw john WPAPSK-PMK file (john wpapsk-opencl)
-E  : output wordlist (autohex enabled) to use as input wordlist for cracker
-I  : output unsorted identity list
-U  : output unsorted username list
-P  : output possible WPA/WPA2 plainmasterkey list
-T  : output management traffic information list
          : european date : timestamp : mac_sta : mac_ap : essid
-H  : output dump raw packets in hex
-V        : verbose (but slow) status output
-h        : show this help
-v        : show version

--time-error-corrections=  : maximum allowed time gap (default: 600s)
--nonce-error-corrections= : maximum allowed nonce gap (default: 8)
                                  : should be the same value as in hashcat
--netntlm-out=              : output netNTLMv1 file (hashcat -m 5500, john netntlm)
--md5-out=                  : output MD5 challenge file (hashcat -m 4800)
--md5-john-out=             : output MD5 challenge file (john chap)
--tacacsplus-out=           : output TACACS+ authentication file (hashcat -m 16100, john tacacs-plus)

bitmask for message pair field:
0: MP info (
1: MP info (
2: MP info (
3: x (unused)
4: ap-less attack (set to 1) - no nonce-error-corrections neccessary
5: LE router detected (set to 1) - nonce-error-corrections only for LE neccessary
6: BE router detected (set to 1) - nonce-error-corrections only for BE neccessary
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely neccessary

Do not use hcxpcaptool in combination with third party cap/pcap/pcapng cleaning tools!
As said, "Do not use hcxpcaptool in combination with third party cap/pcap/pcapng cleaning tools!"

Once done you can upload the converted file to our website.

I'm lazy, do it for me !

You can use our instant online tool to do it: .cap converter.

Share this Post: