Mobile Network Packet Analyzer for Kali NetHunter
A professional-grade mobile network security analysis platform for penetration testers, network administrators, and cybersecurity professionals.
Installation β’ Features β’ Architecture β’ Usage β’ Troubleshooting
AndroNet brings Wireshark-class packet analysis natively to Android. Built for integration with Kali NetHunter, it delivers real-time network monitoring, deep packet inspection (DPI), and adaptive anomaly detection β running efficiently on mobile hardware, with or without root.
Mobile security professionals have long lacked a native, Wireshark-like packet analysis tool for Android that integrates cleanly with Kali NetHunter. AndroNet closes that gap: real-time monitoring, deep packet inspection, and anomaly detection, without breaking the device's internet connectivity or requiring a desktop tether.
- Penetration testers using Kali NetHunter
- Network administrators monitoring mobile networks
- Cybersecurity researchers conducting traffic analysis
- Students learning network security concepts
- Security operations teams performing incident response
| Challenge | Solution |
|---|---|
| Packet capture on mobile | Full capture without breaking internet connectivity |
| Deep inspection | Application-layer analysis (HTTP, DNS, TLS, DHCP) |
| Root fragmentation | Dual-mode operation β libpcap (rooted) or VPN (unrooted) |
| Real-time visibility | Live traffic statistics and anomaly detection |
| Forensic handoff | Standard PCAP export for Wireshark |
- Dual-mode packet capture
- VPN mode (unrooted): zero-setup capture via Android VPN API + zdtun
- Libpcap mode (Kali NetHunter): native libpcap integration for full, Wireshark-like inspection
- Bidirectional traffic monitoring β inbound and outbound
- Zero packet loss, full internet connectivity maintained throughout
- All major protocols: TCP, UDP, ICMP, ARP, and more
| HTTP/HTTPS | Request methods, URI/path extraction, response codes, headers (Host, User-Agent, Cookie, Content-Type), TLS handshake detection |
| DNS | Query/response typing, domain extraction, record types (A, AAAA, CNAME, MX, TXT, PTR, SRV), response codes, transaction tracking |
| TLS/SSL | Protocol versions (1.0β1.3, SSL 3.0), handshake types (ClientHello, ServerHello, Certificate), content types |
| DHCP | Message types, IP assignments (client/server/gateway), transaction IDs |
Five real-time detection algorithms, each with adaptive baselines rather than static thresholds:
| Detector | Trigger | Severity |
|---|---|---|
| Port Scan | 20+ ports probed within 10 seconds (adaptive) | High |
| SYN Flood | 100+ SYN packets/sec (adaptive) | Critical |
| Connection Flooding | 50+ new connections/sec (adaptive) | High |
| DNS Tunneling | Excessive queries, abnormally long domain names | Medium |
| ARP Spoofing | Unexpected IP-to-MAC mapping changes | Critical |
Alerts surface instantly as in-app SnackBar notifications with severity, type, source IP, and description.
Adaptive threshold engine:
- 60-second calibration window on capture start (no false alerts during warm-up)
- Baselines derived from the 90th percentile of observed traffic β resistant to outlier spikes
- Exponential moving average (Ξ± = 0.05) keeps baselines current as traffic patterns evolve
- Hard floor values block baseline-poisoning (an attacker slowly training thresholds upward)
- A 4Γ ceiling multiplier prevents thresholds from drifting high enough to miss real attacks
- Live threshold values visible under Settings β Adaptive Thresholds
- Status indicator shows amber (calibrating, with countdown) or green (actively monitoring)
Entropy-based covert channel detection (Shannon entropy on every payload β₯ 64 bytes):
| Signal | Threshold | Detects |
|---|---|---|
| DNS query entropy | > 6.2 | dnscat2, iodine tunneling |
| ICMP payload entropy | > 6.0 | icmptunnel, ptunnel covert channels |
| HTTP/plain-protocol entropy | > 7.6 | Data exfiltration |
| Suspicious encoding | 7.2β7.6 | Flagged at medium severity |
Entropy score is displayed as a live badge (E:x.x) on each packet in the capture UI.
False-positive mitigations: 30-second per-source cooldown after an alert, a 5-packet consecutive-hit requirement (3 for DNS), a magic-byte pre-filter for common compressed/media formats (JPEG, PNG, ZIP, GZIP, BZ2, XZ, RAR, 7ZIP, MP4, WebM), and an allowlist for legitimately high-entropy protocols (TLS, QUIC, HTTPS, SSL, DTLS, WireGuard, IPSec, SSH, SFTP, FTPS, SMTPS, IMAPS, POP3S, DoT, DoH, SRTP, ZRTP).
- Real-time packets/sec, bytes/sec, and active connection counts
- Protocol distribution charts and top-talkers by volume
- 60-second rolling bandwidth graph
- Standard, Wireshark-compatible libpcap format
- Microsecond timestamp precision
- Saved to
/sdcard/Download/AndroNet/ - Fully compatible with Wireshark, tcpdump, and tshark
Recognizes 65+ application protocols, including HTTPS, DNS, SSH, FTP, SMTP, MySQL, PostgreSQL, MongoDB, Redis, SIP, RDP, and VNC.
- 16 predefined, color-coded filters: ALL, HTTP, HTTPS, DNS, TCP, UDP, TLS, QUIC, ICMP, DHCP, ARP, SSH, FTP, SMTP, POP3, IMAP
- Live packet counts per filter (e.g.
HTTP (25)) - Filters adapt to observed traffic and match on both transport and application layers
- Enriched DPI detail inline β HTTP URLs/methods/status, DNS queries, TLS SNI, DHCP message types
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Flutter UI Layer β
β Packet List Display β Statistics Dashboard β Anomaly Alerts β
ββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββ-ββ
β EventChannel / MethodChannel
βΌ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ-ββ
β MainActivity.kt β
β Root detection & mode selection Β· Method handlers β
β EventChannel setup for packet streaming β
βββββββββββββββββ¬ββββββββββββββββββββββββββββββββ¬ββββββββββββββββββ
βΌ βΌ
βββββββββββββββββββββββββββ βββββββββββββββββββββββββββββββ
β ZdtunVpnService.kt β β NetHunterService.kt β
β (VPN Mode) β β (Libpcap Mode) β
β TUN mgmt Β· parsing β β Libpcap integration β
β 65+ protocol detection β β Raw capture, all interfaces β
ββββββββββββββ¬βββββββββββββ βββββββββββββββββ¬ββββββββββββββββ
βββββββββββββββββ¬ββββββββββββββββββ
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββ
β PacketAnalysisManager.kt (Orchestrator) β
β Coordinates DPI, detection, stats, export β
βββββ¬βββββββββββ¬ββββββββββββββ¬βββββββββββ¬βββββββββ
βΌ βΌ βΌ βΌ
βββββββ βββββββββββ βββββββββββ ββββββββββ
β DPI β β Anomaly β β Traffic β β PCAP β
β β βDetector β β Stats β β Writer β
ββββ¬βββ ββββββ¬βββββ ββββββ¬βββββ βββββ¬βββββ
βββββββββββββ΄ββββββββββββββ΄βββββββββββββ
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββ
β Native Layer (C / JNI) β
β zdtun_vpn.c β libpcap_capture.c β pcap_writer.c β
βββββββββββββ¬ββββββββββββββββββββββ¬ββββββββββββββββ
βΌ βΌ
βββββββββββββ ββββββββββββββ
β zdtun β β libpcap β
β library β β library β
βββββββ¬ββββββ ββββββββ¬ββββββ
ββββββββββββ¬ββββββββββββ
βΌ
TUN / Network Interfaces
(wlan0, rmnet0, eth0, ...)
βΌ
Internet
- Go to Releases
- Download
AndroNet-vX.Y.Z-arm64.apk - Open the file on your Android device
- Enable Install from unknown sources if prompted
- Install and launch AndroNet
Requirements: Flutter 3.44.0 Β· NDK 28.2.13676358 Β· Java 17
git clone --recurse-submodules https://github.com/amibhai/AndroNet.git
cd AndroNet
flutter pub get
flutter build apk --release --split-per-abi --target-platform android-arm64Output: build/app/outputs/flutter-apk/app-arm64-v8a-release.apk
# Windows
scripts/tag-release.ps1 1.0.0
# Linux/Mac
./scripts/tag-release.sh 1.0.0| Component | Version |
|---|---|
| Flutter | 3.44.0 stable |
| Dart SDK | 3.8.1+ |
| Android Gradle Plugin | 8.7.3 |
| Gradle Wrapper | 8.10.2 |
| Kotlin | 2.1.0 |
| NDK | 28.2.13433566 |
| compileSdk / targetSdk | 36 |
| minSdk | 24 (Android 7.0) |
16KB page alignment: Android 15+ (API 35+) devices using 16KB memory pages require native libraries compiled with
-Wl,-z,max-page-size=16384and packaged withuseLegacyPackaging = false. Both flags are already applied to all.sotargets (zdtun_vpn,pcap_writer,pcap_capture).
- Flutter SDK 3.44.0+
- Android Studio with NDK 28.2.13433566
- CMake 3.22.1+
- Kali NetHunter (optional β required only for libpcap mode)
- Launch the app and grant VPN permission
- Tap Start Capture
- Internet connectivity continues normally while capturing
- Root access is detected automatically
- Select a network interface
- Tap Start Capture for full, Wireshark-like inspection
- Tap Export PCAP during capture
- Files save to
/sdcard/Download/AndroNet/ - Open directly in Wireshark for further analysis
| Metric | VPN Mode | Libpcap Mode |
|---|---|---|
| Packet rate | 500β800 pps | 1000+ pps |
| CPU usage | 10β15% | 8β12% |
| RAM usage | 60β80 MB | 50β70 MB |
| Packet loss | 0% | 0% |
| Layer | Technology |
|---|---|
| UI | Flutter 3.32.8, Dart 3.8.1 |
| Service | Kotlin 1.8, Coroutines |
| Native | C (JNI), CMake 3.22.1 |
| VPN Engine | zdtun |
| Capture | libpcap (Kali NetHunter) |
# Save the last crash log from a connected device
.\scripts\get-crash-log.ps1
# Stream live logs
.\scripts\get-crash-log.ps1 -Live| Symptom | Fix |
|---|---|
INSTALL_FAILED_NO_MATCHING_ABIS |
Use the matching APK: app-arm64-v8a-release.apk (64-bit) or app-armeabi-v7a-release.apk (32-bit) |
INSTALL_FAILED_UPDATE_INCOMPATIBLE |
Uninstall the existing build: adb uninstall com.example.packet_analyzer |
| App not appearing after sideload | Enable "Install from unknown sources" for your file manager app |
INSTALL_PARSE_FAILED_NO_CERTIFICATES |
APK wasn't signed β build with flutter build apk, not a raw assemble |
Run .\scripts\get-crash-log.ps1 and check for FATAL EXCEPTION or AndroidRuntime.
UnsatisfiedLinkErrorβ native.somissing for your ABI; download the correct APK variantClassNotFoundExceptionβ MultiDex not initialized; ensureminSdkVersion β₯ 23and reinstall cleanly- Flutter rendering crash β look for
ANDRONET FLUTTER ERRORin the log
- Grant VPN permission when prompted; if the dialog never appears, enable it manually under Settings β VPN β AndroNet
- Tap Start only once β the button greys out ("Waitβ¦") while the VPN negotiates
- If capture starts then immediately stops:
adb logcat | grep -E "ZdtunVpn|CaptureService|onCaptureError"
adb logcat | grep -E "ZdtunVpn|CaptureService|AndroNet"- Look for
startForegroundβ if missing, the OS killed the service; update to the latest build - Confirm the tunnel is active: Settings β Network β VPN should show "AndroNet VPN Active"
- Restart the app β the service recovers automatically on next launch
# On-device, requires root
su -c "id" # must return uid=0
su -c "apt install -y libpcap-dev" # Kali NetHunter only- If root detection fails, some Magisk configurations hide root from apps β grant root to AndroNet explicitly in the Magisk app manager
- After installing libpcap, rebuild from source so CMake picks it up
Confirm you're on build β₯ 1.0 (16KB page-size alignment applied). If building yourself, verify useLegacyPackaging = false in build.gradle and that android:extractNativeLibs is absent from AndroidManifest.xml.
adb bugreport bug-report.zipAttach bug-report.zip when opening a GitHub issue.
- Kernel-level capture path for rooted devices, reducing capture overhead below current libpcap-mode figures
- Expanded anomaly-detection benchmarking (labeled traffic dataset, precision/recall reporting)
- Cross-device portability testing across the NetHunter-supported device matrix
- Historical session storage and diffing between captures
| Name |
|---|
| Ritik |
| Syed Misbah Uddin |
| Kamal Akhter |
| Swastik |
Contributions are welcome. Please fork the repository, create a feature branch, and open a pull request with a clear description of the change and testing performed. For larger changes, open an issue first to discuss the approach.
- PCAPdroid β inspiration for the zdtun integration approach
- zdtun β packet tunneling library by @emanuele-f
- libpcap β the packet capture standard
- Wireshark β protocol reference
- Kali NetHunter β target platform
MIT License β see LICENSE for details.