aircrack-ng has been the default WPA capture toolchain since 2004. hcxdumptool is faster, captures PMKID without client interaction, and outputs .pcapng natively. In 2026, most MSP and pentesting workflows have already switched. Here's the complete head-to-head so you can make the call for your own stack.
Why This Comparison Matters Now
Both tools are actively maintained in 2026 — but they solve the capture problem in fundamentally different ways. aircrack-ng's airodump-ng captures the classical 4-way handshake and has been battle-tested for over twenty years. hcxdumptool, originally written by ZerBea, takes a different approach: it aggressively solicits PMKID hashes directly from the AP without waiting for a legitimate client to authenticate. The resulting captures feed directly into hashcat's -m 22000 mode.
The gap between the two tools has widened with Wi-Fi 6 and WPA3 transition-mode networks. airodump-ng was not designed for these environments. hcxdumptool was. That asymmetry alone drives most new MSP workflow decisions.
Feature Matrix
| Feature | aircrack-ng (airodump-ng) | hcxdumptool |
|---|---|---|
| 4-way handshake capture | ✓ Native | ✓ Incidental |
| PMKID capture | ✗ No | ✓ Primary method |
| Client-free capture | ✗ Requires connected client or deauth | ✓ Yes |
| Output format | .cap (libpcap) | .pcapng (native) |
| WPA3 transition mode | Partial | ✓ Handled |
| Channel hopping | ✓ Built-in | ✓ Built-in |
| BSSID/ESSID filtering | ✓ --bssid / --essid | ✓ --filterlist_ap / --filterlist_client |
| Active deauth frames | Via aireplay-ng (separate binary) | Built-in, optional |
| Output directly to hashcat | Requires hcxpcapngtool conversion | Native via hcxpcapngtool |
| GPS tagging | ✗ No | ✓ --nmea support |
| Kernel driver requirement | nl80211 monitor mode | nl80211 + frame injection |
| Active maintenance (2026) | ✓ aircrack-ng 1.7+ | ✓ hcxdumptool 24.x |
Hardware Compatibility in 2026
Your adapter choice matters more than your tool choice. Both tools depend on the kernel driver exposing monitor mode and — for hcxdumptool — frame injection capability. Here's how the three most common adapters behave:
Alfa AWUS036AXML (MediaTek MT7921AU)
The current recommended adapter for both toolchains. The MT7921AU driver (mt7921u) ships in Linux kernel 5.18+ with monitor mode and injection support. On Kali 2026.1 or Ubuntu 24.04, it works out of the box with no patching. Supports 2.4 GHz, 5 GHz, and 6 GHz. hcxdumptool works flawlessly; airodump-ng works but does not scan 6 GHz band without kernel 6.x. Street price: ~$45.
Alfa AWUS036ACH (Realtek RTL8812AU)
The previous generation workhorse. Requires the rtl8812au-dkms out-of-tree driver — still maintained by aircrack-ng community in 2026 but requires a manual install on any kernel above 6.6. 2.4 and 5 GHz only. Both tools work once the driver is installed, but injection reliability is lower than MT7921AU. Hcxdumptool occasionally fails to send EAPOL frames reliably on this chipset; workaround is --disable_client_attacks and pure PMKID-only mode.
MediaTek MT7921 (Internal / PCIe, e.g. many Intel laptops via m.2 swap)
The PCIe variant of the same chipset. Monitor mode works on kernel 5.18+, but injection support on internal adapters depends on firmware version. If injection fails, hcxdumptool falls back to passive PMKID capture, which still works. airodump-ng passive capture is fully functional. Deauth via aireplay-ng is unreliable — skip it on this chipset.
Ralink RT5370 / RT3070 adapters are effectively retired. These cheaply cloned USB sticks have kernel driver conflicts on Linux 6.x and no Wi-Fi 5 or 6 support. If you're still using them for client audits, replace them before a site visit turns into a debugging session. A $45 MT7921AU eliminates the problem entirely.
Capture Speed: How Long Does Each Method Actually Take?
This is where the gap is most visible. airodump-ng in passive mode can wait minutes or hours for a client to naturally (re)authenticate. The deauth-then-capture workflow with aireplay-ng compresses that to seconds — but at the cost of disrupting active connections and generating noisy 802.11 management frames that IDS tools like Kismet or Zebra will flag immediately.
hcxdumptool's PMKID solicitation typically returns a hash within 10–30 seconds per AP on a cooperative access point (i.e., one that responds to EAPOL-Start frames). On enterprise APs with PMF (Protected Management Frames) enabled, PMKID may not be extractable — but in that case hcxdumptool's fallback to passive 4-way capture still outperforms airodump-ng because of its superior frame filtering and reduced noise.
Hands-On: Side-by-Side Commands
# ── aircrack-ng workflow ──────────────────────────────────────
# 1. Enable monitor mode
airmon-ng check kill
airmon-ng start wlan0
# 2. Survey the area
airodump-ng wlan0mon
# 3. Target a specific AP on channel 6
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF \
-w /tmp/capture wlan0mon
# 4a. Wait for organic handshake (passive, takes minutes–hours)
# 4b. Accelerate with deauth (active, disruptive — requires authorization)
aireplay-ng -0 2 -a AA:BB:CC:DD:EE:FF wlan0mon
# Output: /tmp/capture-01.cap# ── hcxdumptool workflow ──────────────────────────────────────
# 1. hcxdumptool manages monitor mode itself — kill conflicting processes
airmon-ng check kill
# 2. Capture PMKID + handshakes from a specific BSSID (filter file)
echo "AABBCCDDEEFF" > /tmp/target.txt
hcxdumptool -i wlan0 \
-o /tmp/capture.pcapng \
--filterlist_ap=/tmp/target.txt \
--filtermode=2 \
--enable_status=3
# Output: /tmp/capture.pcapng (native, hashcat-ready)
# 3. Convert to hashcat 22000 format
hcxpcapngtool -o /tmp/hashes.hc22000 /tmp/capture.pcapng
# 4. If you have an old .cap from airodump-ng, convert it first
hcxpcapngtool -o /tmp/converted.pcapng /tmp/capture-01.capFiltering matters for scoped engagements. hcxdumptool's --filterlist_ap and --filterlist_client flags accept MAC lists in a flat text file (one per line, no colons). This makes it trivial to scope a capture to exactly the APs listed in your statement of work — producing a clean audit trail with no incidental captures of neighboring networks.
Filter Options: Keeping Captures Scoped
Scope discipline is not optional. Capturing data from networks outside your engagement is a legal liability in most jurisdictions — including under CFAA, UK Computer Misuse Act, and EU NIS2 implementing legislation. Here's how each tool handles it:
| Filter type | aircrack-ng flag | hcxdumptool flag |
|---|---|---|
| Target by BSSID | --bssid AA:BB:CC:DD:EE:FF | --filterlist_ap (file) |
| Target by ESSID | --essid "NetworkName" | --essid_filter (regex) |
| Exclude BSSIDs | Not supported natively | --filtermode=1 (block list) |
| Target by client MAC | Not supported | --filterlist_client (file) |
| Channel lock | -c 6 | --chanlist=6 |
| Multi-channel lock | Not supported (single channel) | --chanlist=1,6,11,36 |
hcxdumptool's block-list mode (--filtermode=1) is particularly useful in dense environments like office buildings where neighboring SSIDs are visible — you whittle down to exactly your target APs and produce a capture file that an auditor can verify contains no out-of-scope traffic.
Why hcxdumptool Is Now the Default for MSP Workflows
Three concrete reasons drive the shift:
- No client dependency. Enterprise sites often have 802.1X suppressing unauthenticated clients. PMKID capture works regardless of whether any user device is connected during the capture window.
- Native .pcapng output. The wifiaudit.io API and every modern analysis pipeline expects .pcapng. Eliminating the conversion step (
hcxpcapngtool) removes a potential failure point in automated workflows. - Better metadata. hcxdumptool embeds capture interface, GPS coordinates (if
--nmeais set), and signal strength per frame into the .pcapng option blocks. This enriches the audit report without any additional tooling.
That said, airodump-ng retains one advantage: it is more forgiving of driver quirks. On adapters where injection is unstable, airodump-ng's passive capture mode is more reliable than hcxdumptool's active solicitation. For legacy WPA2-only networks in small offices where a client device is reliably present, the classic workflow still delivers a clean handshake in under a minute.
Decision Tree: Which Tool for Your Engagement?
🌳 Choose Your Capture Tool
- Is the target network WPA3 or WPA3 transition mode?
→ Yes: Use hcxdumptool. airodump-ng has incomplete WPA3 support.
→ No: Continue to 2. - Will there be a connected client device during your capture window?
→ No (or uncertain): Use hcxdumptool (PMKID — no client needed).
→ Yes: Continue to 3. - Is deauthentication permitted by your engagement scope?
→ No (production network, zero disruption required): Use hcxdumptool passive PMKID.
→ Yes: Continue to 4. - Is your adapter MT7921AU or similar with reliable injection?
→ Yes: Either tool works — use hcxdumptool for .pcapng output, or airodump-ng if you prefer the familiar workflow.
→ No (RTL8812AU or quirky driver): Use airodump-ng passive or with aireplay-ng deauth — hcxdumptool injection may be unreliable.
Converting and Uploading to the Audit API
Regardless of which tool you capture with, the wifiaudit.io API accepts both .cap and .pcapng. For .cap files captured with airodump-ng, a conversion step ensures maximum metadata extraction:
# Convert airodump-ng .cap to .pcapng before upload
hcxpcapngtool -o output.pcapng capture-01.cap
# Upload to wifiaudit.io API
curl -X POST https://api.wifiaudit.io/api/v1/jobs \
-H "X-API-Key: wai_YOUR_KEY" \
-F "file=@output.pcapng" \
-F "ssid=TargetNetwork" \
-F "organization=ClientName"
# Poll for completion and download PDF report
curl https://api.wifiaudit.io/api/v1/jobs/JOB_ID/report \
-H "X-API-Key: wai_YOUR_KEY" \
-o ClientName-WiFiAudit-2026.pdfhcxpcapngtool is part of the hcxtools package, not hcxdumptool. Install both: sudo apt install hcxdumptool hcxtools on Kali or Debian-based systems. On Arch: yay -S hcxdumptool hcxtools. They are separate binaries with complementary roles — dump, then process.
FAQ
Is hcxdumptool better than aircrack-ng for WPA capture?
For most modern workflows, yes. hcxdumptool captures PMKID hashes without waiting for a client to connect, outputs native .pcapng, and handles WPA3 transition mode networks. aircrack-ng's airodump-ng remains useful for legacy WPA2-only environments and when you need explicit 4-way handshake capture on older chipsets with unreliable frame injection.
Which WiFi adapter works best with hcxdumptool in 2026?
The Alfa AWUS036AXML (MediaTek MT7921AU, Wi-Fi 6, ~$45) is the current top pick. It supports monitor mode, frame injection, and 6 GHz scanning on Linux 6.x kernels without patching. The older AWUS036ACH (Realtek RTL8812AU) works for 5 GHz but requires a patched out-of-tree driver and has no Wi-Fi 6 support.
Can I capture WPA handshakes without deauthenticating clients?
Yes. hcxdumptool's PMKID attack extracts the PMKID from the first EAPOL frame solicited from the AP — no deauth required, no client disruption. This makes it the preferred method for production environment audits where deauth would disrupt business operations or trigger IDS alerts.
What file format should I use when uploading captures to an audit API?
.pcapng is preferred. hcxdumptool outputs .pcapng natively. If you used airodump-ng and have a .cap file, convert it with hcxpcapngtool -o output.pcapng input.cap before uploading. The wifiaudit.io API accepts both formats but extracts richer metadata — signal levels, frame timing, interface info — from .pcapng.
Upload Your First Capture Today
Drop a .pcapng or .cap file into the API and get a compliance-ready PDF in under two minutes. No setup required.
Get API Key — 3 Audits Free