WiFi Capture & Analysis
Home > Features > WiFi Capture & Analysis
WiFi Capture & Analysis
Biscuit can capture WiFi traffic for offline analysis, including WPA handshakes for password auditing, raw packet captures for forensic review, and real-time channel activity monitoring.
EAPOL/PMKID Capture
Capture WPA/WPA2 handshakes (EAPOL frames) and PMKID hashes for offline password cracking. This is one of the most commonly used features for WiFi security auditing.
How to Use
- Navigate to WiFi Tools > Sniffing tab > EAPOL/PMKID Sniff
- Configure channels – Enter the channels you want to monitor, separated by commas. The default is
1,6,11(the most common non-overlapping 2.4GHz channels). You can also monitor 5GHz channels or enter a custom set. - Optional: Enable SD card storage – On Biscuit Ultra with an SD card inserted, you can toggle “SD Card Storage” to save the PCAP directly to the SD card for longer capture sessions. With SD enabled, the device continues capturing even if your phone disconnects (see Autonomous SD Capture below).
- Tap the Start button to begin capturing.
- Optional: Run a deauth attack simultaneously – From the Deauth Attack screen, enable the “Capture EAPOL” toggle. When you deauth clients from an AP, they reconnect and generate fresh handshakes that Biscuit captures automatically. This significantly increases your capture rate.
- Tap Stop when you have captured what you need.
- Save or share your capture from the dialog that appears.
What You See During Capture
Real-time statistics update as frames are captured:
- PMKIDs – Number of PMKID hashes captured. Each PMKID can be cracked offline without needing a full handshake.
- EAPOL – Total EAPOL authentication frames captured. Four consecutive frames (M1 through M4) form a complete WPA handshake.
- Packets – Total WiFi packets stored in PCAP format.
- Crackable – Number of complete handshakes that contain enough data for offline cracking.
Handshake progress is tracked per AP, showing which of the four EAPOL messages (M1, M2, M3, M4) have been captured for each network.
After Capture
- Save – Captured data is saved to your EAPOL History with a name and timestamp.
- Browse history – Navigate to EAPOL History (accessible from the toolbar) to review all past captures.
- Export as PCAP – Share the capture as a standard PCAP file for use with:
- Hashcat – For GPU-accelerated password cracking
- Aircrack-ng – For CPU-based password cracking
- Wireshark – For manual packet inspection
Supported Networks
EAPOL/PMKID capture works on both 2.4GHz and 5GHz WPA/WPA2 networks. Biscuit’s dual-band support means you can monitor 5GHz channels that many other capture tools miss.
Raw Packet Capture (PCAP)
Capture all WiFi packet types in promiscuous mode. This provides a complete record of wireless traffic for forensic analysis.
How to Use
- Navigate to WiFi Tools > Sniffing tab > Raw Capture
- Configure save behavior – Toggle “Save Capture” to automatically save when you stop. If auto-naming is enabled in settings, captures are saved with a timestamp name. Otherwise, you are prompted to enter a name.
- Choose channels – Select which channels to monitor:
- All – Hop across every supported 2.4GHz and 5GHz channel, spending one second on each
- Single – Lock to a specific 2.4GHz or 5GHz channel
- Custom – Enter your own comma-separated list (e.g.,
1,6,11,36). Spends one second on each channel before moving to the next. Invalid channel numbers are ignored.
- Optional: Enable SD card storage – On Biscuit Ultra with an SD card, toggle “SD Card Storage” to capture directly to the card. This is recommended for longer sessions since SD storage is not limited by BLE bandwidth.
- Tap Start to begin capturing.
- Tap Stop when done.
Autonomous SD Capture (Ultra Only)
When SD card storage is enabled, the Biscuit Ultra continues capturing even if your phone disconnects or goes out of range. This lets you start a long capture session, walk away, and come back later.
- The device keeps writing packets to the SD card until you explicitly stop or the battery runs out.
- When you reconnect with the app, it automatically detects the running capture and shows the live capture screen with updated statistics.
- To stop an autonomous capture, reconnect and tap Stop as usual.
What You See During Capture
Frame statistics are displayed in real-time, broken down by type:
- Management Frames – Beacons, probes, authentication, and deauth frames
- Control Frames – ACK, RTS/CTS, and other protocol control frames
- Data Frames – Actual data packets between clients and APs
The PCAP Capture section shows:
- Packets Captured – Total packets written to the PCAP buffer
- Packets Skipped – Packets lost due to BLE bandwidth limits (shown only if nonzero)
- Data Received – Total data volume in bytes, KB, or MB
- RSSI Range – The weakest and strongest signal strengths seen
SD Card vs. BLE Capture
| BLE (Standard) | SD Card (Ultra/DIY) | |
|---|---|---|
| Storage | Streamed to phone via Bluetooth | Written directly to SD card |
| Session length | Limited by BLE bandwidth | Limited only by SD card space and battery |
| Packet loss | Some packets may be skipped under heavy traffic | Minimal packet loss |
| Phone required | Must stay connected | Captures survive phone disconnect |
| Export | Share PCAP directly from the app | Transfer SD card to computer |
After Capture
- Save – Captures are stored in your capture history with name and timestamp.
- Share – Export as standard PCAP files for analysis in Wireshark or other packet analyzers.
- Browse history – Access past captures from the History button in the toolbar.
Channel Analyzer
Monitor WiFi channel activity in real-time to understand which channels are busy and which are quiet. This is useful for finding the least congested channel for your own network or for understanding the wireless landscape in an area.
Monitor Tab
Watch a single channel’s activity in real-time.
- Navigate to WiFi Tools > Sniffing tab > Channel Analyzer
- The Monitor tab is selected by default.
- Set the channel number you want to monitor.
- Tap Start to begin monitoring.
What you see:
- Activity Gauge – A visual gauge showing current packets per second (PPS) on the selected channel.
- Activity Level – A label indicating the current congestion level:
- Idle – 0 PPS, no activity detected
- Low – 1-500 PPS, minimal traffic
- Medium – 501-1,500 PPS, moderate traffic
- High – 1,501-3,000 PPS, heavy traffic, may experience interference
- Extreme – 3,000+ PPS, very congested
- Activity History Graph – A rolling chart showing the last 60 seconds of activity, so you can see trends and spikes.
Compare Tab
Sweep across multiple channels to compare their activity levels side by side.
- Switch to the Compare tab.
- Select a channel set:
- Common 2.4GHz – The standard non-overlapping channels (1, 6, 11)
- All 2.4GHz – All 2.4GHz channels
- 5GHz – Common 5GHz channels
- Custom – Define your own set of channels
- Set sweep duration – How many seconds to spend monitoring each channel before moving to the next. Longer durations give more accurate readings but take more time to complete the sweep.
- Tap Start Sweep to begin.
What you see:
- Progress indicator – Shows which channel is currently being monitored and a countdown timer.
- Results bar chart – As each channel completes, its activity level appears as a bar in a comparative chart. Taller bars indicate busier channels.
- Tap to monitor – After the sweep completes, tap any channel bar to jump directly to the Monitor tab and start watching that channel in real-time.
Tips
- Run a channel comparison before setting up your own WiFi network to pick the least congested channel.
- In dense environments (apartments, offices), channels 1, 6, and 11 on 2.4GHz are typically the busiest since they are the standard non-overlapping channels.
- 5GHz channels generally have less congestion but shorter range.