Skip to content

wpawolf

Pure-Rust rewrite of hcxpcapngtool. Reads pcap, pcapng, and gzip captures and emits hashcat mode 22000 and 37100 hash lines. Covers WPA1, WPA2, and WPA3 PSK-family handshake extraction plus PMKID extraction from every spec-defined location.

Why wpawolf

wpawolf addresses several architectural limitations of hcxpcapngtool:

Behaviour hcxpcapngtool wpawolf
Pairing strategy Stream-pairs as frames arrive Collect-then-pair (reads everything, then pairs)
EAPOL frame size ceiling 255 bytes (EAPOL_AUTHLEN_OLD_MAX) No size gate, emits every valid EAPOL-Key frame
Per-(AP, STA) message buffer Shared 64-entry circular buffer HashMap<(AP, STA), Vec<Message>>, no eviction
WDS / 4-address relay frames Skipped unless --all Always processed
State across input files Reset between files Carried across files (cross-file pairing)
EAPOL session window 5 seconds default Unlimited default; --eapoltimeout opts in
PMKID extraction sites M1 KDE + M2 RSN IE 20 spec-defined locations (M1/M2/AssocReq/ReassocReq/FT Auth/FT Action/Beacon/ProbeResp/Mesh/OSEN)
Dedup Look-back ring + write-time dedup Global SipHash set (cross-file, cross-session)
Parallelism Single-threaded Rayon work-stealing (--threads N)
Memory pressure OOM on large captures Disk-backed fallback at 80% RAM

The collect-then-pair architecture means wpawolf cannot miss a valid pair regardless of message ordering or interleaving. hcxpcapngtool's 64-entry ring silently drops the oldest message when the 65th arrives without a successful pair.

Hash Output

Flag What it writes hashcat mode Format
--22000-out FILE Non-FT PSK hashes 22000 WPA*01* (PMKID), WPA*02* (EAPOL)
--37100-out FILE FT-PSK hashes 37100 WPA*03* (FT PMKID), WPA*04* (FT EAPOL)
-o FILE All hashes, per-AKM 11-type format proposed 22002/22003 WPA*01* through WPA*11*
--wpa1-out FILE WPA1-PSK only N/A WPA*01*
--wpa2-out FILE WPA2-PSK only N/A WPA*02*, WPA*03*
--psk-sha256-out FILE PSK-SHA256 only N/A WPA*04*, WPA*05*
--ft-out FILE FT-PSK only N/A WPA*06*, WPA*07*
--psk-sha384-out FILE PSK-SHA384 only N/A WPA*08*, WPA*09*
--ft-psk-sha384-out FILE FT-PSK-SHA384 only N/A WPA*10*, WPA*11*

The legacy sinks (--22000-out, --37100-out) produce lines that current hashcat reads. The per-AKM sinks (-o and the six per-family flags) use an 11-prefix format that no current hashcat mode reads; proposed modes 22002/22003 are sketched in the wpawolf docs.

SHA-384 hashes (types 8-11) are deliberately suppressed from the legacy sinks because their 24-byte MIC does not fit the 16-byte <mic> field.

Auxiliary Outputs

Flag Description
-E FILE Unique ESSIDs from AP management frames
-R FILE Unique ESSIDs from Probe Request frames
-W FILE Combined wordlist (superset of -E + -R + WPS + EAP + country + vendor)
-I FILE EAP identity strings
-U FILE EAP peer-identity (inner username) strings
-D FILE WPS device info (tab-separated, sorted by manufacturer)
--log FILE Structured processing log

Output Options

wpawolf splits output options into two categories:

Reduction options fold redundant lines per MIC and never drop a crackable hash:

Flag Default Meaning
--smart off Recommended. Emit ~one line per MIC instead of the full cross-product. Implies --dedup-hash-combos + --nc-dedup
--dedup-hash-combos off 6 N#E# combos to 3 unique per session
--nc-dedup off Fold near-identical-nonce siblings into one survivor
--collapse-message-pair off Drop message-pair byte from dedup identity

Filter options can drop crackable hashes; use with caution:

Flag Default Effect
--strict off Bundle of tight filters. Drops thousands of crackable MICs in large captures. Prefer --smart
--eapoltimeout N unlimited Discard pairs more than N seconds apart
--rc-drift N off Discard pairs with replay-counter delta > N
--max-eapol-per-type N off Cap pairing to first N messages of each type per (AP, STA)

Typical Workflow

# Legacy 22000 + 37100 (what hashcat cracks today)
wpawolf --22000-out hashes.22000 --37100-out hashes.37100 *.pcap

# Combined per-AKM output (all 11 types)
wpawolf -o all-hashes.out *.pcap

# Per-AKM split for triage
wpawolf --wpa2-out wpa2.out --ft-out ft.out --psk-sha384-out psk384.out capture.pcapng.gz

# Maximum extraction with all auxiliaries
wpawolf --22000-out h.22000 --37100-out h.37100 -o all.out \
        -E essids.txt -R probes.txt -W wordlist.txt \
        -I identities.txt -U usernames.txt -D devices.txt \
        --log run.log captures/*

# Recommended: smart mode (fewer lines, zero MIC loss)
wpawolf --22000-out hashes.22000 --smart captures/

At least one output flag is required; wpawolf exits without doing any work if no output is configured.

Installation

Prebuilt binaries

Download from GitHub Releases. Static musl binaries for Linux x86_64 and arm64, macOS universal (arm64 + x86_64), and Windows (MSVC + GNU).

From source

git clone https://github.com/StrongWind1/WPAWolf
cd WPAWolf
make release      # optimised native build -> target/release/wpawolf

Requires a stable Rust toolchain.

Spec References