View on GitHub

PCAPdroid

User Guide

1.1 What is PCAPdroid

PCAPdroid is an open source network capture and monitoring tool which works without root privileges. The common use cases include:

PCAPdroid leverages the android VpnService to receive all the traffic generated by the android apps. No external VPN is actually created, the traffic is locally processed by the app.

Important: the PCAP generated by PCAPdroid is not 100% accurate. Check out PCAP Reliability for more details.

1.2 Basic Usage

In order to start using PCAPdroid, you just need to tap the start button.

On the first start, a VPN confirmation dialog is shown. After accepting it, PCAPdroid will start capturing the traffic. PCAPdroid can be put in the background while operating with other apps as it continues to run as a service until the capture is stopped. As long as PCAPdroid is running, a key icon will be displayed into the android notification bar (this may vary depending on your system). Moreover, a persistent notification is shown, which includes the details about the captured traffic.

By default, an HTTP server is started on port 8080 to serve the traffic PCAP. You can visit the provided URL from another device (e.g. a PC) to start downloading the PCAP. The download is streamed so it’s normal to see a 0% download progress indicator in the browser. Only the traffic generated after the download has been started will be captured. It will finish once the stop button in PCAPdroid is pressed. Beware that any user in your local network can download a copy of your device traffic! If you want to avoid this, you can select “None” as the dump mode.

The connections made by the apps can be easily reviewed in the “Connections” tab.

Each row represents an outgoing connection made by an app or by the Android system itself. The following information will be shown:

By clicking on the connection it is possible to get more details about it.

Some details, like the IP addresses, status and statistics, are always shown. Other information, like the URL or the host, is only shown when available. Among other things, PCAPdroid tries to detect the plain text request data sent at the start of a connection, which will reported in the “Request Plaintext” row when available. For HTTP connections, for example, it will show the HTTP request sent.

During the capture, PCAPdroid logs all the connections in memory. After a limit is reached, old connections will be removed and replaced by new ones and a message indicating the number of discarded connections is shown. An overview of the traffic generated by the apps can be seen in the “Apps” view.

By pressing on an app, its details page will open, where it’s possible to review its metadata, like the installation date, version and permissions.

By clicking on the “Settings” button, the system settings for the app will open. The “Connections” button provides a shortcut to show the connections made by the app.

1.3 Filters

Before the capture is started, in the “Status” tab it is possible to specify an “App Filter” to only capture the traffic of the specified app. Only this app will be routed inside the VPNService. This is especially useful when using the TLS decryption to ensure that the mitm will only take place on the target app.

After the capture is started, PCAPdroid provides different ways to filter the displayed connections:

The whitelist feature allows you to create rules to hide groups of connections from the “Connections” tab. By carefully building a whitelist of “good” connections, it is possible to filter out the background noise made by the periodic connections or by the frequently used apps and only display a few relevant connections. This is particularly useful to detect unwanted or possibly malicious connections. The whitelist is persistent and can be modified from the corresponding entry in the left drawer.

1.4 PCAP Reliability

Note: this does not apply when Root Capture is enabled.

The PCAP generated by PCAPdroid contains some synthetic data and, as such, cannot be reliabily used to perform per-packet analysis. In particular, only the packet payload, IP peers and L3 ports correspond to the actual data. This limitation is intrinsic of the way PCAPdroid, and any non-root capture app in general, work.

Here is a list of some of the limitations: