Home > Features > WiFi Scanning

WiFi Scanning

Biscuit provides a comprehensive set of WiFi scanning and sniffing tools for discovering networks, clients, and specialized devices in your environment. All scanning modes are found under WiFi Tools in the app.


Scan Access Points

Discover nearby WiFi access points (routers, hotspots, and other broadcasting devices).

How to start: WiFi Tools > Sniffing tab > Scan Access Points

What you see: A scrollable list of detected networks. Each entry shows:

  • SSID – The network name (or “Hidden” if the AP does not broadcast its name)
  • BSSID – The MAC address of the access point
  • Channel – The WiFi channel the AP operates on (2.4GHz channels 1-14 or 5GHz channels)
  • RSSI – Signal strength in dBm (closer to 0 is stronger)
  • Security – Encryption type (Open, WEP, WPA, WPA2, WPA3)

You can filter results by signal strength, frequency band (2.4GHz or 5GHz), security type, and search by name or MAC address. Tap any AP to select it for use in attacks such as Deauth or Beacon Spam.

Tips:

  • Signal strength is color-coded: green for strong, yellow for fair, red for weak.
  • Selected APs persist across screens, so you can scan first and then navigate to an attack screen with your targets already chosen.

Scan Stations

Discover WiFi client devices (phones, laptops, IoT devices) that are connected to nearby networks.

How to start: WiFi Tools > Sniffing tab > Scan Stations

What you see: A list of detected client devices. Each entry shows:

  • Client MAC – The MAC address of the client device
  • Connected AP – The BSSID of the access point the client is associated with
  • Channel – The channel the client is communicating on
  • RSSI – Signal strength of the client

You can filter by signal strength and search by MAC address or associated AP. Tap any station to select it for targeted attacks such as Deauth or Bad Message.

Tips:

  • Station scanning is useful for identifying specific devices on a network before running targeted attacks.
  • The vendor name is displayed below the MAC address when the manufacturer can be identified from the OUI database.

Scan All

Run a combined AP and station scan in a single view. This discovers both access points and connected clients simultaneously, giving you a complete picture of the wireless environment.

How to start: WiFi Tools > Sniffing tab > Scan All

What you see: The same information as Scan AP and Scan Station, presented together. APs and their associated stations are shown so you can see which clients belong to which networks.

Tips:

  • This is the most efficient way to get a comprehensive view of nearby wireless activity before deciding on next steps.

Beacon Sniff

Continuously monitor WiFi beacon frames broadcast by access points. Unlike a one-time AP scan, beacon sniffing runs continuously and shows every beacon frame as it arrives.

How to start: WiFi Tools > Sniffing tab > Beacon Frames

What you see: A real-time feed of beacon frames with live statistics:

  • Beacons – Total number of beacon frames captured
  • Unique – Number of unique access points (by BSSID)
  • Channels – Number of different channels detected

Each beacon entry shows the SSID (or “Hidden”), BSSID, channel, signal strength, and security type.

Tips:

  • Beacon sniffing is useful for observing how frequently APs broadcast and for identifying hidden networks that do not appear in standard scans.
  • Tap the trash icon in the toolbar to clear captured beacons and start fresh.

Probe Sniff

Capture probe request frames sent by WiFi devices searching for networks. Probe requests reveal what networks a device has previously connected to, since devices actively ask for known networks by name.

How to start: WiFi Tools > Sniffing tab > Probe Requests

What you see: A real-time feed of probe requests with live statistics:

  • Probes – Total probe request frames captured
  • Clients – Number of unique client devices (by MAC address)
  • SSIDs – Number of different network names being requested

Each entry shows the requesting device’s MAC address, the SSID it is probing for (or “Broadcast” if it is a general probe), the channel, and signal strength.

Tips:

  • Probe sniffing can reveal a device’s network history. For example, a phone probing for “Hotel_WiFi” and “Airport_Free” tells you about the owner’s travel patterns.
  • This data feeds directly into the Karma Attack, which creates fake APs matching the probed SSIDs.

Deauth Sniff

Detect deauthentication and disassociation frames in the air. These frames are used legitimately by networks but are also the basis of deauth attacks. This mode helps you identify if someone is actively attacking nearby networks.

How to start: WiFi Tools > Sniffing tab > Deauth Frames

What you see: A real-time feed of deauth/disassociation frames with live statistics:

  • Deauths – Total deauth and disassociation frames detected
  • Sources – Number of unique source MAC addresses sending deauth frames
  • APs – Number of unique access points (BSSIDs) involved

Each entry shows the source MAC, destination MAC (or “Broadcast”), associated AP BSSID, channel, frame type, and signal strength. Broadcast deauth frames are highlighted in red as they indicate indiscriminate attacks.

Filtering: When results are present, you can search by MAC address or BSSID and toggle a “Broadcast Only” filter to focus on the most aggressive attack patterns.

Attack pattern detection: When a single source sends more than 10 deauth frames, an attack pattern indicator appears, warning you that an active deauth attack is likely in progress.

Tips:

  • Use this to audit whether your own network is being targeted by deauth attacks.
  • A high number of broadcast deauth frames from a single source is a strong indicator of an active attack.

Pwnagotchi Detection

Detect Pwnagotchi devices in the area. Pwnagotchis are AI-powered WiFi audit tools that autonomously capture WPA handshakes and advertise their presence and statistics through custom beacon frames.

How to start: WiFi Tools > Sniffing tab > Pwnagotchi

What you see: A list of detected Pwnagotchi devices with live statistics:

  • Total Pwnd – Combined count of handshakes captured by all detected Pwnagotchis
  • Channels – Number of WiFi channels where Pwnagotchis are active

Each entry shows the Pwnagotchi’s name, MAC address, signal strength, channel, and how many networks it has captured handshakes from.

Tips:

  • Pwnagotchis broadcast their name and capture stats in their SSID beacons, which is how Biscuit identifies them.
  • Detecting a Pwnagotchi nearby means someone is passively (or actively) collecting WPA handshakes in the area.

WiFi Pineapple Detection

Detect WiFi Pineapple rogue access point devices. Pineapples are penetration testing tools that create fake access points to perform man-in-the-middle attacks.

How to start: WiFi Tools > Sniffing tab > WiFi Pineapple

What you see: A list of suspected Pineapple devices with live statistics:

  • Detected – Number of suspected Pineapple devices
  • Channels – WiFi channels where suspected devices are broadcasting
  • Types – Number of different detection methods that triggered

Each entry shows the device’s SSID, BSSID, signal strength, channel, and the detection method used (MAC address OUI pattern, suspicious SSID behavior, or abnormal beacon characteristics).

Tips:

  • Detection is based on known MAC address OUI patterns, suspicious SSIDs, and beacon behaviors typical of Pineapple hardware.
  • A detection does not guarantee the device is a Pineapple – it indicates the device matches known signatures and warrants investigation.

Espressif Device Detection

Detect devices built on Espressif chips (ESP32, ESP8266, and related modules) by matching their MAC address against Espressif’s manufacturer OUI (Organizationally Unique Identifier) prefixes.

How to start: WiFi Tools > Sniffing tab (this mode is accessible from the sniffing options)

What you see: A list of detected Espressif-based devices showing their MAC address, signal strength, and channel.

Tips:

  • Many IoT devices, development boards, and security research tools (including other Biscuit devices) use Espressif chips.
  • This is useful for identifying potentially interesting devices in an environment, as many custom and DIY hardware projects are ESP-based.

Packet Count

Monitor real-time statistics showing the volume and types of WiFi frames in the air. This is part of the Raw Capture feature and gives you a high-level picture of wireless activity without needing to analyze individual packets.

How to start: WiFi Tools > Sniffing tab > Raw Capture (the frame statistics are displayed on this screen)

What you see: Real-time counters broken down by frame type:

  • Management Frames – Total management frames, with sub-counts for beacons, probes, and deauths
  • Control Frames – ACK, RTS/CTS, and other protocol control frames
  • Data Frames – Actual data transmission packets between clients and APs
  • Total Packets – Overall packet count across all types

The PCAP Capture section additionally shows packets captured, data received (in bytes/KB/MB), and RSSI range of captured packets.

Tips:

  • A high ratio of management frames to data frames may indicate a noisy environment with many APs but little actual data traffic.
  • Watching the deauth sub-count can quickly reveal if someone is running deauth attacks nearby.
  • EAPOL frames (WPA handshakes) are tracked separately when using the dedicated EAPOL/PMKID Sniff mode.