HCCAP format description

Note: all versions of oclHashcat have been replaced by a unified OpenCL CPU/GPU version, now known simply as hashcat.

Note: The hccap file format has been replaced by hccapx.

HCCAP is a custom format, specifically developed for oclHashcat.

The data itself does not differ from usual tcpdump format. In fact, it's absolutely the same. It is just rearranged a bit.

A valid hashcat cap file (file extension: .hccap) contains one or more instances of the struct type documented below. If you have several single .hccap files which you want to merge into a single file (say multi.hccap), one can accomplish this by just concatenating one file(s) one to the other(s):

Attention: currently only oclHashcat supports loading and cracking of muliple networks at once. Multi-hccap support is currently not available in hashcat (CPU-based version).

Linux:
$ cat single_hccaps/*.hccap > all_in_one/multi.hccap

Windows:
copy /b single_hccaps\*.hccap all_in_one\multi.hccap

or select single ones

copy /b single_hccaps\1.hccap + single_hccaps\2.hccap all_in_one\multi.hccap

It seems that also cap2hccap is able to generate .hccaps that contain several networks (i.e. more than one struct instance, multiple networks w/ possibly different essid)

typedef struct
{
  char          essid[36];

  unsigned char mac1[6];
  unsigned char mac2[6];
  unsigned char nonce1[32];
  unsigned char nonce2[32];

  unsigned char eapol[256];
  int           eapol_size;

  int           keyver;
  unsigned char keymic[16];

} hccap_t;