Sniffer Wicap 2 Pro: A Complete Guide to Proper Setup

WILD

Wicap 2 Pro is one of the few mobile sniffers that actually works, not just a pretty interface. But without proper configuration, it turns into a useless toy that either doesn't capture anything or crashes Android.

I've scoured all the forums, tried different versions, crashed the system five times, and now I know how to get Wicap 2 Pro working to its full potential, which filters are really necessary, where the ARP spoofing traps are hiding, and why it's completely useless without root.

Part 1: What is Wicap 2 Pro and why you need it on your phone

Wicap 2 Pro is a network traffic sniffer for Android. It can:

capture packets from Wi-Fi and the mobile interface;
save them to a standard .pcap file (readable by Wireshark);
filter by BPF rules;
with root, enable promiscuous mode and even ARP spoofing;
in theory, decrypt SSL/TLS (but there are some nuances).

Who needs this:

Developers — to detect what requests their app is sending;

Pentesters — to quickly see what's flying through the air on the local network;

Admins — to check for suspicious activity on their Wi-Fi;

Curious users — to understand what data apps are leaking on their phone.

But: without root, you'll only see your own traffic, and that's not guaranteed. Starting with Android 7, Google tightened the screws: apps can't just poke around in network interfaces. So if you don't have a rooted phone, you don't need to read any further.

Part 2: Installation — Where to get it and what to download

Google Play: Wicap 2 Pro isn't there. It's too powerful a tool for the masses; store policy won't allow it.

Where to look:

4pda is a classic. It has versions 1.0–2.0, but for different Android devices.

GitHub has rare forks.

Telegram channels, but they have 50% of the drivers.

What version do you need? If you have Android 10+, get version 2.0 or higher. On older devices (5.0–8.0), 1.x will work, but it has less functionality.

Important: Wicap 2 Pro is a paid version (around 10–15 bucks). If you download the cracked version from the forum, be prepared for the following:

It may not work with root on newer Android devices;
It may be infected with a Trojan;
It will crash every 5 minutes.

I tested the original—it works reliably, but you need to purchase it through the developer's website because Google Play cuts payments for "hacker software" in some countries.

Part 3: Rooting—How to Grant and Verify

Before Launching Wicap:

1. Make sure rooting works. Install Root Checker.
2. If you're using Magisk, go to Magisk settings and check that Wicap 2 Pro is on the list of allowed apps.
3. Some ROMs (MIUI, EMUI) can also restrict root access through built-in optimizations. You'll have to dig into battery settings and permissions.

When you first launch Wicap, you'll be prompted for root access. Click "Allow" and check "Remember forever." If you're not prompted, restart the app.

Part 4: Choosing the Interface—the Most Important Step

There's an Interface drop-down on the main screen. What you select there determines what traffic you see.

wlan0 — Wi-Fi module.
This is usually the primary one. If your phone is connected to Wi-Fi, select this. The name may vary (wlan0, wifi0, wlx, etc.). If you don't know which one, open the terminal and enter ip link show — it will show all interfaces.

rmnet0 / ccmni0 — mobile data (3G/4G/5G).
The name depends on the chipset (Qualcomm, MediaTek, Exynos). Intercepting mobile data traffic is more difficult because the interface may appear and disappear when switching between towers. Plus, root access is required, which some firmware versions don't allow for system interfaces.

lo — localhost.
Traffic within the phone itself. Useless for external analysis, but sometimes needed for debugging.

any — all interfaces at once.
Convenient if you don't want to mess around, but you'll end up with a lot of noise and huge files.

Tip: never select any on your first run. Start with a specific interface, check that packets are being captured, and then experiment.

Part 5: Promiscuous Mode — Myths and Reality on Android

Promiscuous Mode is a mode in which the network card captures all packets passing through it, even those not addressed to your device. In theory, this allows you to see the traffic of other computers on the same Wi-Fi network.

In practice with Android:

Most integrated Wi-Fi chips do not support promiscuous mode at the driver level.
Even if the chip does support it, the firmware manufacturer may have disabled this feature in the kernel.
Sometimes promiscuous mode is enabled, but packets still don't arrive — driver bugs.

How to check if it's working:

1. Enable Promiscuous Mode in Wicap.
2. Start capturing.
3. Ping your phone from another device (or vice versa).
4. Check to see if other devices' packets are visible.

If only your own are visible, the mode isn't working. If you can see someone else's traffic, you're lucky, but that's rare.

The real way to see someone else's traffic on Android is ARP spoofing. More on that below.

Part 6: Monitor Mode – Something You Can Only Dream About

Monitor Mode allows you to see all Wi-Fi packets in range, even without a network connection. This is the level of professional Wi-Fi analysis (like Aircrack-ng on a PC).

Monitor Mode doesn't work on 99.9% of Android devices. Reasons:

· A special driver with monitor mode support is required;
· Android doesn't provide an API for enabling this mode from userspace;
· Even rooted phones usually have kernels compiled without this option.

Exceptions:

· Nexus 5, Nexus 6 with custom kernels.
· Some devices with Broadcom chipsets with patched drivers.
· External Wi-Fi adapters via OTG (also rare).

Unless you have a Nexus or custom firmware, forget about Monitor Mode in Wicap. It's not a bug, it's the architecture.

Part 7: BPF Filters – How to Avoid Drowning in Garbage

Wicap uses standard BPF filters (the same ones used in tcpdump and Wireshark). Without them, the capture turns into a multi-megabyte mess where nothing can be found.

The main filters that are always needed:
```
host 192.168.1.100
```

Show only traffic to or from this IP.

```
port 80 or port 443
```

HTTP/HTTPS only.

```
tcp
```

TCP only (main transport).

```
udp
```

UDP only (DNS, DHCP, VoIP).

```
not arp
```

Trim ARP service garbage.

```
host 192.168.1.100 and port 443
```

Combined: HTTPS traffic to or from a specific host.

```
src net 192.168.1.0/24
```

All packets originating from the subnet.

```
dst port 53
```

DNS requests only (useful for tracking down where an application is accessing data).

Where to enter: On the Wicap main screen, there's a Filter field. Enter a rule there, click Apply (sometimes Start), and the filter is applied to the capture.

Important: The filter works during the capture, not afterward. If you want to change filters during the capture, you'll have to stop the capture, change the rule, and restart it.

Part 8: Application Filters - Filtering by Application

This is a Wicap feature that tcpdump on a PC doesn't have. You can select a specific application and view only its traffic.

How it works:

1. Click the Apps button on the main screen.
2. A list of all installed applications appears.
3. Check the boxes next to the ones you're interested in.
4. Start the capture.

Under the hood: Wicap determines which application owns a socket and filters packets based on this. This is much more convenient than guessing based on IP addresses and ports, as modern applications can have floating IP addresses.

Limitation: It only works for your device's traffic. Other devices' packets can't be filtered this way, as they don't contain application information.

Part 9: ARP Spoofing – How to Intercept Other Devices' Traffic on a Local Network

If promiscuous mode doesn't work (and it most likely doesn't), the only way to see the traffic of other devices on your Wi-Fi network is ARP spoofing.

The method works like this: your phone sends fake ARP packets that convince the victim that the phone is the router, and convince the router that the phone is the victim. As a result, all of the victim's traffic goes through your phone. You intercept it (using Wicap) and then forward it on (to the router or the victim) to maintain the connection.

How to set up in Wicap:
1. Enable ARP Spoofing in the settings or on the main screen.
2. Specify the target IP—the victim's IP.
3. Specify the gateway IP—the router's IP (usually 192.168.1.1 or 192.168.0.1).
4. Start the capture.

Important:

Your phone must be on the same network as the victim.

Root is required.

Some networks are protected from ARP spoofing (Dynamic ARP Inspection on managed switches). Home networks usually aren't.

The victim's internet speed will drop because the traffic is routed through an additional link.

Traffic can be viewed and even modified (but Wicap doesn't do this).

Ethics: Using ARP spoofing without the network owner's permission is illegal in most countries. This is not a warning, but a fact. Test only on your own devices.
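
From the network owner's side, the redirection described in this part shows up in ARP traffic as one IP address being announced by two different MAC addresses. The following is an added example, not part of the original guide: it checks a list of raw Ethernet frames for that conflict, and all MAC and IP values in it are constructed sample data.

```python
import struct
from collections import defaultdict

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":    # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def find_arp_conflicts(frames):
    """Return (IPs claimed by several MACs, MACs claiming several IPs)."""
    ip_macs, mac_ips = defaultdict(set), defaultdict(set)
    for frame in frames:
        rec = parse_arp(frame)
        if rec is None or rec[1] == "0.0.0.0":    # skip non-ARP frames and ARP probes
            continue
        mac, ip = rec
        ip_macs[ip].add(mac)
        mac_ips[mac].add(ip)
    by_ip = {ip: sorted(m) for ip, m in ip_macs.items() if len(m) > 1}
    by_mac = {mac: sorted(i) for mac, i in mac_ips.items() if len(i) > 1}
    return by_ip, by_mac

def sample_frame(src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed ARP reply as bytes, used only as test input (never sent)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return (mac(dst_mac) + mac(src_mac) + b"\x08\x06" + header
            + mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip))

# Constructed capture: a gateway, one client, and a third host answering for both.
GW, HOST, THIRD = "02:00:00:00:00:01", "02:00:00:00:00:64", "02:00:00:00:00:32"
SAMPLE = [
    sample_frame(GW, "192.168.1.1", HOST, "192.168.1.100"),
    sample_frame(HOST, "192.168.1.100", GW, "192.168.1.1"),
    sample_frame(THIRD, "192.168.1.50", GW, "192.168.1.1"),
    sample_frame(THIRD, "192.168.1.1", HOST, "192.168.1.100"),
    sample_frame(THIRD, "192.168.1.100", GW, "192.168.1.1"),
]

if __name__ == "__main__":
    for kind, found in zip(("IP", "MAC"), find_arp_conflicts(SAMPLE)):
        print(kind, "conflicts:", found)
```

An IP answered by two MACs is the strong signal; one MAC holding several IPs also occurs legitimately on routers and multi-homed hosts, so treat it as supporting context.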

Part 10: SSL Decryption - HTTPS Decryption

Wicap can decrypt HTTPS traffic by acting as a MITM proxy.

How to set it up:

1. Enable SSL Decryption in Wicap's settings.
2. The app generates its own root certificate.
3. You must install this certificate as a trusted certificate in the system.
· On Android 7+, the user certificate doesn't work for system apps.
· On rooted devices, you can move the certificate to the system storage (/system/etc/security/cacerts/ folder).
4. In Wicap, you choose which apps to use decryption for (optional).

Why it's difficult:

· Certificate pinning - many apps (banks, Telegram, Instagram) store the server certificate fingerprint. If you slip in a fake certificate, the app simply won't send traffic.
· On newer Androids, even with root access, things aren't perfect: Google Play Services can check the integrity of certificates.

Reality: Decryption works for simple apps and websites that don't use pinning. For everything else, it doesn't.

Part 11: Saving to PCAP and Working with Wireshark

This is the main reason to use Wicap—exporting to .pcap for further analysis on a computer.

How to save:

1. Stop the capture.
2. Wicap will prompt you to save the file.
3. Choose a name and location.
4. The file is saved in .pcap format.

Where to find files:

Wicap itself has a Files or Captures section.

In the file system: usually /storage/emulated/0/Wicap/ or /sdcard/Wicap/.

What's next:

Copy the file to your computer (via USB, FTP, or cloud).
Open it in Wireshark.
You can apply any filters, view streams, and recover files (for unencrypted transfers).

Wicap saving settings:

Max file size — the maximum size of a single file. This is useful for not running out of memory.
Ring buffer — the number of files stored in a ring. Older ones are deleted, and new ones are written.
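
To show what the saved .pcap file contains and what the `dst port 53` filter from Part 7 is good for, here is an added example (not part of the original guide) that reads the classic pcap layout directly and lists the DNS names an app looked up. It assumes an Ethernet link type and IPv4/UDP; the capture, addresses and host names are constructed in `sample_pcap`.

```python
import struct

def read_pcap(data: bytes):
    """Yield raw packets from a classic .pcap image whose link type is Ethernet."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic pcap file with Ethernet link type")
    off = 24                                 # global header is 24 bytes
    while off + 16 <= len(data):
        incl = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        off += 16                            # per-packet record header
        if off + incl > len(data):           # truncated last record
            break
        yield data[off:off + incl]
        off += incl

def dns_query_name(pkt: bytes):
    """Return the queried name for an Ethernet/IPv4/UDP packet to port 53, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
        return None
    udp = 14 + (pkt[14] & 0x0F) * 4          # honour the IPv4 header length field
    if len(pkt) < udp + 20 or pkt[udp + 2:udp + 4] != b"\x00\x35":
        return None
    pos, labels = udp + 20, []               # skip 8-byte UDP and 12-byte DNS headers
    while pos < len(pkt) and (n := pkt[pos]):
        if n & 0xC0:                         # compression pointer: not a plain question
            return None
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels) or None

def dns_names(pcap_bytes: bytes):
    """Names queried in the capture, in first-seen order without repeats."""
    return list(dict.fromkeys(n for p in read_pcap(pcap_bytes) if (n := dns_query_name(p))))

def sample_pcap():
    """Constructed capture: three DNS queries (one name repeated) and one port-443 packet."""
    def udp_packet(dport, payload):
        udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]))
        return b"\x02" * 12 + b"\x08\x00" + ip + udp
    def query(name):
        q = b"".join(bytes([len(part)]) + part.encode() for part in name.split("."))
        return struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0) + q + b"\x00\x00\x01\x00\x01"
    names = ("api.example.com", "cdn.example.net", "api.example.com")
    pkts = [udp_packet(443, b"\x00" * 20)] + [udp_packet(53, query(n)) for n in names]
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)
```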

Part 12: Common problems and their solutions

Problem: Wicap doesn't see the interface. Solution:

Check if Wi-Fi is enabled.
Check if you have root privileges.
Enter ip link show in the terminal. Check the name of your Wi-Fi interface. It might not be wlan0, but wlan1 or eth0. Try entering the name manually if Wicap doesn't see it in the list.

Problem: Capture starts, but there are 0 packets. Solution:

Reset all filters (leave the Filter field empty).
Make sure the correct interface is selected.
Generate traffic – open a browser and visit any website.
If you're using ARP spoofing, check if the target is alive.

Problem: Wicap crashes when starting capture. Solution:

Update the version.
Some libraries may be missing on Android 10+. Try version 2.0.3 or 2.1.
Clear the app cache.
Restart the phone.


Problem: Promiscuous Mode won't activate. Solution:

Resign yourself to it. This is a driver feature. Use ARP spoofing if you need to capture other people's traffic.

Problem: ARP spoofing isn't working. Solution:

Check that the target IP and gateway are correct.
Ping the target before launching to make sure it's online.
Try another method: sometimes restarting the phone's Wi-Fi helps.
Some networks (corporate ones) have ARP spoofing protection. At home, this doesn't happen.

Problem: SSL Decryption isn't decrypting. Solution:

Check that the certificate is installed correctly (and moved to the system storage, if necessary).
Check that the option is enabled in the settings.
Restart the app whose traffic you want to decrypt.
If the app uses certificate pinning, forget it—it won't work.

Part 13: Comparison with Alternatives

| Tool | Requires root | Promiscuous | ARP spoof | SSL decrypt | Interface |
|---|---|---|---|---|---|
| Wicap 2 Pro | Yes | Partial | Yes | Yes (difficult) | GUI |
| tPacketCapture | No | No | No | No | Simple capture |
| PCAPdroid | Yes | No | No | No | GUI + export |
| Termux + tcpdump | Yes | Yes (if kernel) | No | No | Console |
| cSploit | Yes | Yes (via chip) | Yes | No | GUI, old |

Conclusion: Wicap 2 Pro is one of the most functional mobile sniffers, if you have root access and are willing to tinker with the settings. In terms of features, it's closest to cSploit, but with a more modern interface and support for newer Android devices.

Part 14: Code of Ethics – Required Reading

These aren't just words. Using Wicap 2 Pro to intercept someone else's traffic without explicit permission can lead to:

your ISP blocking your internet access;
losing your job if you use it at work.
And that's the best-case scenario; the worst-case scenario could be legal trouble.

Allowed:

Testing on your own devices.
Use on your own local network with the consent of all participants.
Use as part of an official contractual penetration test.

Prohibited:

Intercepting your neighbors' Wi-Fi traffic.
Sniffing on public networks without permission.
Attempting to decrypt HTTPS traffic from other people's applications.

If you bought Wicap to "hack Wi-Fi and see who's messaging whom," you've bought a one-way ticket.

Bottom Line

Wicap 2 Pro is a powerful tool, but only if configured correctly. Without root, it's useless. Without an understanding of BPF filters, you'll drown in garbage. Without ARP spoofing, you won't see other people's packets. Without preparation, you'll be disappointed.

I spent several days mastering all these nuances, and now I can say: this is the best mobile sniffer if you're handy and have a rooted phone. It's no replacement for Wireshark on a PC, but for quick capture on the go, it's ideal.

The main thing: remember that with great power comes great responsibility. Wicap 2 Pro gives you the ability to see what's flying through the air. Use this knowledge wisely, otherwise one day you'll find yourself with people in uniform coming after you.
 