WiFi Monitor Mode with Android PCAP Capture


Noted security researcher Mike “dragorn” Kershaw, developer of the gold standard in WiFi scanners, Kismet, has recently released a tool for Android that enables raw 802.11 frame captures in WiFi monitor mode.

Putting a WiFi device into monitor mode allows it to capture all sorts of interesting data about the wireless network that would otherwise be invisible. Monitor mode captures are extremely useful for network diagnostics and penetration testing, and getting that ability on Android devices should open up a lot of very interesting possibilities.
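
To check that a saved capture really holds raw 802.11 frames rather than Ethernet-framed traffic, the added example below (not part of the original article or of Kershaw's tool) reads a pcap file's link type and tallies frames by 802.11 type. It assumes a classic (non-pcapng) pcap file; the function names and the sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

LINKTYPES = {1: "ETHERNET", 105: "IEEE802_11", 127: "IEEE802_11_RADIOTAP"}
FRAME_TYPES = ("management", "control", "data", "extension")
# Classic pcap magics (microsecond and nanosecond), mapped to byte order
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def summarize_pcap(data):
    """Report the link type of a classic pcap and count 802.11 frame types."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian = MAGICS[data[:4]]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    raw_80211 = linktype in (105, 127)
    counts, offset = Counter(), 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < incl_len:          # file ends mid-record
            counts["truncated"] += 1
            break
        if not raw_80211:                  # e.g. Ethernet: no 802.11 header to read
            counts["non-802.11"] += 1
            continue
        if linktype == 127:                # strip radiotap: version, pad, length (LE u16)
            rt_len = struct.unpack("<H", frame[2:4])[0] if len(frame) >= 4 else 0
            frame = frame[rt_len:] if rt_len >= 8 else b""
        if len(frame) < 2:
            counts["malformed"] += 1
            continue
        counts[FRAME_TYPES[(frame[0] >> 2) & 0x3]] += 1   # Frame Control type bits
    return {"linktype": LINKTYPES.get(linktype, str(linktype)),
            "raw_80211": raw_80211, "frames": dict(counts)}

def build_sample(linktype=127):
    """Constructed sample: beacon, ACK and data frame (empty radiotap if 127)."""
    radiotap = bytes([0, 0, 8, 0, 0, 0, 0, 0]) if linktype == 127 else b""
    bodies = [b"\x80\x00" + bytes(22), b"\xd4\x00" + bytes(8), b"\x08\x00" + bytes(22)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for body in bodies:
        pkt = radiotap + body
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    print(summarize_pcap(build_sample()))
```

A capture whose link type is ETHERNET carries no 802.11 management or control frames, which is the quickest sign that the adapter was not in monitor mode when the file was written.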

PCAP Capture

The new tool, simply called “Android PCAP Capture”, does things a little differently than you might expect. For starters, it doesn’t use root or require a custom ROM to work, which is rather unusual for an advanced tool like this. Kershaw is generally against requiring root access in Android applications, as he feels the current way it’s handled is simply not secure enough considering how much damage a root-enabled application can do:

Giving Android apps root terrifies me – it places 100% trust in the developer to not be malicious, and the market to have not presented you with a cloned project that IS malicious, and in the developer’s systems to make sure no-one can ever push an update using their keys that becomes malicious… it’s bad news all around.

Kismet Blog

Kershaw has a point about the way root access is currently being handled, and despite some efforts to change what we consider the norm, you certainly run a risk every time you allow root access for an application.

But anyone who has worked with WiFi under standard GNU/Linux knows that doing anything advanced with the hardware requires root access. So how did Kershaw manage to put the hardware into Monitor mode without requiring root access or a custom kernel?

RTL8187 Hardware

Controlling the built-in WiFi hardware under Android would have certainly required root access, and more than likely modifications to the ROM itself. That assumes that your particular device’s WiFi hardware even had support for Monitor mode in its driver to begin with, which isn’t guaranteed.

So for PCAP Capture, Kershaw decided not to support the internal WiFi hardware at all, and instead only support devices using the RTL8187 chipset connected over USB. Because the RTL8187’s driver is implemented in userspace, the application doesn’t require root; it only needs to be running on an Android device which supports USB host mode.

USB host mode on Android is something of a mixed bag, unfortunately. While technically anything running Android Honeycomb or better should support USB host, hardware variations between manufacturers mean that your particular Android device may or may not support USB host even if it has a new enough build of Android.

Generally speaking, Nexus devices such as the Galaxy Nexus or Nexus 7 should work, but devices from other manufacturers will need to be tested on a case-by-case basis.

Demonstration Setup

To perform our capture test with PCAP Capture, we’ll be using the Nexus 7 tablet and the RTL8187-based Alfa AWUS036H WiFi adapter.

Both these pieces of hardware are exceptionally popular in their respective communities; the Nexus 7 being one of the best selling and best supported Android tablets ever released, and the AWUS036H being a common choice for advanced WiFi work under Linux.

While some will certainly bemoan PCAP Capture’s requirement for an RTL8187 WiFi adapter and a USB host-capable Android device, you can’t really claim either of those requirements is that hard to accommodate.

We’ll also need a USB On-The-Go (OTG) adapter cable, which lets you connect a standard USB device to the Micro-USB port found on most Android tablets and smartphones (such as the Nexus line). These can be had for as little as $1 USD on sites like Amazon.com or eBay.

PCAP Capture Test Setup

About Tom Nardi

Tom is a Network Engineer with a focus on GNU/Linux and open source software. He is a frequent submitter to "2600", and maintains a personal site of his projects and areas of research at: www.digifail.com.
  • http://twitter.com/JullianeAssange Julliane Assange

    kismet sucks, airodump-ng for life bitches

  • anonymous

    Tom can you share how you installed the RTL8187 driver on Android?

    • PCAP

      You don’t need to manually install the driver, it is included in the application.

      • need help

        How can we use them for a chrooted Linux, like Kali or Backtrack?

  • 09sparky

    Would you be able to use airodump-ng with this? If so, how?

  • Dan

    I have been grappling with cross-compiling to add external wifi support in a chroot linux environment. This is great! Thanks. It would be great to see support added for the TP-LINK TL-WN722N. Is that realistic?

  • hbk

    Hi guys, do you know how I can enable monitor mode in Android?

  • Hex_disqus

    Is this actually monitor mode or just promiscuous mode? There IS A DIFFERENCE. Promiscuous requires connection to a network/access point. Monitor mode allows capture while not connected to any.