English | 简体中文

Android PCAP viewer. Read-only — capture is delegated to PCAPdroid.

Capture goes to mature tools like PCAPdroid; PacketScope renders the captured traffic in a Wireshark-style three-pane layout (frame list / protocol tree / hex) on Android.

• vs Wireshark / Termshark: the desktop build won't run on Android, and a terminal TUI is awkward on a phone. PacketScope is a native Compose UI designed for phone screens.
• vs PCAPdroid alone: PCAPdroid focuses on capture; its built-in viewer is lightweight. PacketScope is dedicated to Wireshark-style protocol tree + byte highlighting + filter expressions + Follow Stream analysis.
• vs copy PCAP off to a desktop: capture on phone, analyze on phone — no device switching.

English by default. Simplified Chinese is auto-selected when the system locale is zh-*.

Open file	Frame list (live)	Frame detail

Filter syntax	Conversations

Captured on a real device against Termux's python -m http.server as the demo traffic source. Private IPs in the frame detail / conversation screens are redacted.

Download PacketScope-<version>-release.apk from Releases and enable "Install from unknown sources". F-Droid repository inclusion is planned.

Shipped:

• PCAP parsing: classic PCAP across four magic variants (LE/BE × micro/nano), Ethernet / Linux SLL v1+v2 / Raw IP (PCAPng not yet supported; the magic is recognized and a clear error is shown)
• Protocol dissection: IPv4 / IPv6 / ICMP / ICMPv6 / TCP / UDP / DNS / HTTP / TLS (with SNI) / QUIC long header; non-default ports fall back to per-dissector self-probes
• Three-pane view: frame list + protocol tree + hex with two-way highlighting (tap a field, the corresponding bytes light up)
• Filter expressions: tcp / host / port / sni / http.host / http.path / http.method / url / dns.name / app / text plus and/or/not with parentheses; file mode precomputes a FilterIndex so 10k+ packets stay responsive
• TCP session analysis: relative seq/ack, retransmission / out-of-order / duplicate ACK flagging
• TCP reassembly + HTTP body parsing: cross-segment HTTP request / response with Content-Length, chunked Transfer-Encoding, automatic gzip / deflate decompression
• TLS decryption (when an SSLKEYLOGFILE is provided):
  • TLS 1.2 AES-128/256-GCM and ChaCha20-Poly1305 (RFC 5288 / RFC 7905)
  • TLS 1.3 AES-128/256-GCM and ChaCha20-Poly1305 (RFC 8446)
• QUIC v1 Initial decryption: payload + CRYPTO frame extraction (RFC 9001 §5.2, no keylog needed)
• PCAPdroid live ingestion: UDP Exporter listener + ForegroundService
  • post-launch linkType heuristics
• PCAPdroid extensions: dump_extensions trailer parsing (uid / appname + CRC32)
• External intent integration: open via PCAPdroid share (ACTION_SEND application/cap), file manager, or .pcap association
• Large files: mmap-based reader with true lazy Frame.data (zero-copy views over the mapped buffer); file size limit up to 1 GB

1. Share from PCAPdroid: after PCAPdroid finishes capturing, long-press the exported PCAP → Share → choose PacketScope
2. PCAPdroid live stream: in PacketScope, enter a port (default 1234) and start listening; configure PCAPdroid's UDP Exporter to 127.0.0.1:1234
3. From a file manager: tap a .pcap file in your file app → choose PacketScope in the system "Open with" dialog
4. Manual open: launch PacketScope → "Open PCAP file" → pick via SAF
5. TLS decryption: load an SSLKEYLOGFILE containing CLIENT_TRAFFIC_SECRET_0 / SERVER_TRAFFIC_SECRET_0 (TLS 1.3) or CLIENT_RANDOM (TLS 1.2) via the "Load keylog" entry; decrypted payload attaches to each matching TLS layer

Project rule: never build directly on the host. Use Docker:

docker run --rm \
  -u "$(id -u):$(id -g)" \
  -v "$PWD":/work -w /work \
  -v "$HOME/.gradle-docker":/work/.gradle-cache \
  -e GRADLE_USER_HOME=/work/.gradle-cache \
  mingc/android-build-box:latest \
  ./gradlew assembleDebug

Key flags:

• -u "$(id -u):$(id -g)" — runs the container as your host user so .gradle/ / app/build/ are not produced root-owned and tripping up the next ./gradlew clean.
• GRADLE_USER_HOME points to a host-writable directory (~/.gradle-docker here) so the dependency cache is reused across builds. The container's home is not /root, so Gradle's default ~/.gradle would fail.

Roborazzi screenshot baseline:

docker run --rm \
  -u "$(id -u):$(id -g)" \
  -v "$PWD":/work -w /work \
  -v "$HOME/.gradle-docker":/work/.gradle-cache \
  -e GRADLE_USER_HOME=/work/.gradle-cache \
  mingc/android-build-box:latest \
  ./gradlew recordRoborazziDebug

CI uses verifyRoborazziDebug to compare against the baseline in app/build/outputs/roborazzi/*.png.

Run before opening a PR:

./gradlew :app:lintDebug detekt :app:testDebugUnitTest checkVersionAlignment

• lintDebug — Android lint, resource / API level / i18n checks (baseline at app/lint-baseline.xml)
• detekt — Kotlin static analysis (baseline at config/detekt/detekt-baseline.xml)
• checkVersionAlignment — verifies app/build.gradle.kts versionName matches the README "Current status: vX.Y.Z" line (review v0.6-round3 F-006)

Existing baseline entries are debt to be drawn down incrementally; new violations fail the build.

See ARCHITECTURE.md §Static analysis and the CONTRIBUTING.md pre-submit checklist for detail.

• PCAPdroid — open-source no-root packet capture on Android. PacketScope's design goal is to directly consume PCAPdroid's exported .pcap / .pcapng files and integrate with its UDP Exporter API for live capture.

File at GitHub Issues.

MIT License © 2026 Seryta

Third-party dependency license summary: THIRD_PARTY_LICENSES.md.

Privacy policy: PRIVACY.md. Raw URL for store submission: https://raw.githubusercontent.com/Seryta/PacketScope/master/PRIVACY.md