WiFi Monitor Mode with Android PCAP Capture


First Capture

After you’ve installed PCAP Capture, Android will pop up a notification the first time you connect your WiFi device. This notification will tell you that PCAP Capture is associated with this particular USB device, and if you like, it can launch the application every time the hardware is connected.

This choice is purely up to the individual, but as it seems unlikely that you’ll be doing anything else with an RTL8187 adapter on your Android device (at least, for now), you might as well confirm the association and save yourself the step of manually launching it in the future.

PCAP Capture Association Notification

Note: At least with my USB device, the LED on the WiFi adapter does not turn on when plugged into the Android device, or during the capture. This is apparently normal, and does not indicate a problem.

Once PCAP Capture launches, you’ll be greeted with a very straightforward user interface. At the very top it will show you the detected RTL8187 device, followed by a list of the channels PCAP Capture will scan. You can use channel hopping to switch between multiple channels (the default), or drill down to as few channels as you wish to reduce unnecessary noise in the resulting capture file. Directly below the channel selection line is an indicator showing whether PCAP Capture is currently recording data.

PCAP Capture Interface

At the very bottom of the screen are two buttons. One is “Manage Logs” which will take you to another screen where you can selectively share or delete the currently captured log files, and the other is “Start logging”, which begins the capture process.

Once you tap “Start logging”, a new line will show up on the main display that shows the name of the current log file, its size, and how many packets it contains. As long as the packet count keeps increasing, you will know the hardware is working properly and you’re getting good data.

Successful capture in progress

Managing Captures

Once you’ve captured some log files, the next logical step is sorting through them and getting the valuable ones offloaded onto your computer for analysis.

Tap “Manage Logs” to get access to the list of capture files, which will show you the vital statistics for each and allow you to do basic maintenance tasks like deleting and renaming individual files. One especially nice touch is the ability to “Star” the files you want to keep, along with a button which will delete all the logs which are not Starred. This makes it easy to select one or two log files you wish to retain, and bulk delete the remainder.

Log file management

Analyzing Captures

Once you’ve sorted out the good logs from the noise, and used the “Share” function to get them off of your Android device and onto your computer, the last step is to analyze the files in your software of choice.

The actual analysis of PCAP files is a complex subject and well outside the scope of this simple guide, but you will probably want to follow up by loading your new capture files in the extremely popular “Wireshark”. Most Linux distributions should have this in their package repositories, and there is excellent documentation available online on how to use it effectively.

Common WiFi traffic in Wireshark
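
As a quick check before opening a capture in Wireshark, the following added example (not part of the original article or of PCAP Capture) parses a classic pcap file, counts its packets for comparison with the count the app displayed, and tallies 802.11 frame types. The link type the app writes is not stated here, so handling the three 802.11 link types is an assumption; `summarize_pcap` and the sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

# Link-layer types that carry raw 802.11 frames (tcpdump.org LINKTYPE registry).
LINKTYPES = {105: "802.11", 127: "802.11+radiotap", 192: "802.11+PPI"}
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def summarize_pcap(data: bytes) -> dict:
    """Parse classic pcap bytes; return link type, packet count and frame mix."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"  # written on a little-endian host
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or other format?)")
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    frames, packets, truncated, pos = Counter(), 0, False, 24
    while pos < len(data):
        hdr = data[pos:pos + 16]
        incl_len = struct.unpack(endian + "I", hdr[8:12])[0] if len(hdr) == 16 else 0
        pkt = data[pos + 16:pos + 16 + incl_len]
        if len(hdr) < 16 or len(pkt) < incl_len:
            truncated = True  # file ends mid-record, e.g. an interrupted capture
            break
        pos += 16 + incl_len
        packets += 1
        offset = 0
        if linktype in (127, 192):
            # Radiotap and PPI both keep a little-endian header length at bytes 2-3.
            offset = struct.unpack("<H", pkt[2:4])[0] if len(pkt) >= 4 else len(pkt)
        if linktype in LINKTYPES and offset < len(pkt):
            frames[FRAME_TYPES[(pkt[offset] >> 2) & 3]] += 1  # frame-control type bits
    return {"linktype": LINKTYPES.get(linktype, f"other ({linktype})"),
            "snaplen": snaplen, "packets": packets,
            "frames": dict(frames), "truncated": truncated}


def _record(frame: bytes) -> bytes:
    pkt = bytes.fromhex("0000080000000000") + frame  # minimal 8-byte radiotap header
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

# Constructed sample: one beacon, one data frame, then a cut-off third record.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
          + _record(b"\x80\x00" + bytes(22)) + _record(b"\x08\x00" + bytes(22))
          + struct.pack("<IIII", 0, 0, 64, 64) + bytes(10))

if __name__ == "__main__":
    print(summarize_pcap(SAMPLE))
```

To check a real file, pass `open(path, "rb").read()` to `summarize_pcap`. A link type outside the 802.11 set means the file does not hold raw 802.11 frames.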


For a first release, Kershaw has done an excellent job with Android PCAP Capture. The interface is clean, everything works as it should, and perhaps best of all, he has released it as free and open source software.

While some will invariably wish he had chosen to focus on the internal WiFi hardware for convenience, the greater security, reliability, and performance of an external WiFi adapter make it the better choice in the long run.

In reality, attempting to make this software work with the myriad of different smartphone and tablet hardware combinations that are in circulation today is simply impractical. It would have taken considerably more time and effort to get it working on just the most popular devices, which would have only led to people complaining that their particular device wasn’t supported anyway.

There are still a few areas of the software which could be tightened up or polished a bit, but on the whole, PCAP Capture is ready to roll for anyone wishing to do mobile WiFi captures. It should be very interesting to see what the community is able to do with this software, and any subsequent tools which are made possible by its release.

About Tom Nardi

Tom is a Network Engineer with a focus on GNU/Linux and open source software. He is a frequent submitter to "2600", and maintains a personal site of his projects and areas of research at: www.digifail.com.
  • http://twitter.com/JullianeAssange Julliane Assange

    kismet sucks, airodump-ng for life bitches

  • anonymous

    Tom can you share how you installed the RTL8187 driver on Android?

    • PCAP

      You don’t need to manually install the driver, it is included in the application.

      • need help

        How can we use them for a chrooted Linux, like Kali or Backtrack?

  • 09sparky

    Would you be able to use airodump-ng with this? If so, how?

  • Dan

    I have been grappling with cross-compiling to add external wifi support in a chroot linux environment. This is great! Thanks. It would be great to see support added for the TP-LINK TL-WN722N. Is that realistic?

  • hbk

    Hi guys, do you know how I can enable monitor mode in Android?

  • Hex_disqus

    Is this actually monitor mode or just promiscuous mode? There IS A DIFFERENCE. Promiscuous requires connection to a network/access point. Monitor mode allows capture while not connected to any.