Android PCAP

Android PCAP Capture is a utility for capturing raw 802.11 frames (“Monitor mode”, or sometimes referred to as “Promiscuous mode”). The resulting Pcap files can be viewed on a computer using Eye P.A., Wireshark, Tcpdump and similar tools, or online using CloudShark.

Android PCAP works with Android phones running version 4 (ICS) or higher and Wi-Fi cards that use the RTL 8187 chipset.

Android app on Google Play

How it works

Android PCAP implements the Linux kernel RTL8187 driver in userspace using the Android USB host API. This means it doesn't require root privileges (a highly dangerous requirement), and will run on stock phone firmware.

It is not possible to capture from the internal Wi-Fi interface on Android without running a custom firmware and gaining root access. Android PCAP was designed to get around those restrictions and provide a secure, standard method.

To go with PCAP capture, you can immediately view your PCAP files using the CloudShark service. To make this even easier on Android, check out CloudShark Uploader, which lets you send directly to CloudShark or a private CloudShark appliance!

Screenshots

Requirements

Android PCAP should work so long as:

  1. Your device runs Android 4.0 or higher (or, in theory, the few devices which run Android 3.2). Earlier versions of Android do not have a USB Host API
  2. You have a RTL8187 based USB Wi-Fi NIC. A good example of this is the Alfa One 802.11b/g wireless card. In the future, additional cards will be added.
  3. You have an OTG Adapter Cable. This cable enables USB host mode on the device. Devices which have full-sized USB host ports should work without an OTG cable.
  4. Your device supports USB Host Mode properly. Some devices do not - see the compatibility section for more information.

Android Compatibility

The following is a non-canonical list of devices and support, if you find a device not listed that it works on (or doesn't work on) please let us know at android-pcap @ kismetwireless.net

(Most) Nexus Devices
GOOD
The Galaxy Nexus, Nexus 7, and Nexus 10 have all been tested successfully with a simple OTG cable.

The Nexus 4 does not support OTG. It is not clear if this can be hacked in yet or not.

The Nexus S does not appear to support OTG.

Samsung Galaxy SIII
GOOD
The Galaxy SIII works as expected with an OTG adapter cable.
Motorola Phones
WEIRD
Motorola devices capable of running Android 4+ (Razr, Droid4 tested) require two additional hardware hacks to enable USB host mode:
  1. Injecting +5v USB power to the phone (via a modified cable or a USB hard drive 'Y' style cable)
  2. A USB hub
(We are currently working on a USB power injector and hub combination, stay tuned)
Motorola Xoom
WEIRD
While the Xoom should support USB Host mode, under high loads (such as driving a Wi-Fi NIC), it appears to fail.
HTC 1V
BROKEN
The stock kernel on the HTC 1V does not properly support USB host mode. Custom kernels/firmware MAY be able to.
Samsung Galaxy SII
BROKEN
The Galaxy SII does not appear to be able to do USB host mode, despite reporting support.
Asus TF700T
GOOD
Reported to work fine when using the keyboard dock to get USB ports.

USB Wireless Devices

Any wireless device based on the RTL 8187 chipset should work. This chipset can be found in many different wireless devices, but is easily found in the Alfa One NIC (the 802.11b/g version, not the 802.11a/b/g/n). This card has the advantage of being easy to get (Amazon, other online retailers), it's reasonably powerful and sensitive, and if you already use Kismet you probably already have one.

There are likely many (hundreds) of other wireless NICs which use the 8187 chipset. Specifically, any device with the USB vendor/device id of 0x0bda,0x8187 should work. You can find the device ID on Linux with the "lsusb" command, and on Windows in the Device Manager.

Using PCAP files

Android PCAP generates stock PCAP files of 802.11 packets with PPI headers. These can be processed by any of the packet handling tools, such as WireShark, Eye P.A., and Kismet. Combined with CloudShark for Android, PCAP files can be uploaded directly to the CloudShark site for decoding in your browser.

Battery Life

Driving a USB attached NIC will definitely negatively impact the battery life of your device.

Splicing in additional power (such as using a hard drive 'y' cable or battery powered USB hub) is highly recommended for long-term uses.

We are developing a battery-powered hub solution, with power feed options to support "weird" devices like Motorola phones. Stay tuned.

Internal Wi-Fi

Capturing from the internal Wi-Fi on Android is not typically possible.

There are projects which are trying to hack in support for this, and when it becomes more stable, Android PCAP will attempt to support it, but currently these hacks require custom ROMs, specific phones, and root access.

Android PCAP was specifically designed to not require special hardware (except when phone manufacturers make weird decisions which cripple USB host), or excessive privileges (USB and external storage access).

Get the Code

Source for Android PCAP is available as a Git repository:

git clone https://www.kismetwireless.net/android-pcap.git

GitWeb browseable source is at:

http://kismetwireless.net/gitweb/

Icons

Some icons (USB symbol, Channel hop) from The Noun Project, a great resource for stylized icons.

Security & Privacy

Android PCAP does not collect personal information from your device.

Collected wireless data is stored locally on the drive and transmitted only to a location of the users choosing via the "Share capture..." option.