| Q: |
What do I need to run Pixie? |
| A: |
Pixie requires a rooted Android phone running at least Android version 2.1, with Google Marketplace. Pixie also requires some type of external storage, such as an SD card.
If you're not sure whether your device is supported, we strongly recommend you download and test the free Pixie Probe application from the Marketplace. It examines your Android device to make sure all of Pixie's components will work.
Pixie has not yet been tested on any of the upcoming Android tablets. |
| |
| Q: |
Will Pixie run on my Motorola Droid? |
| A: |
No.
Unfortunately, Pixie does not work with the wifi adapter in the Motorola Droid. The card can be put into promiscuous mode, but the firmware for the chipset (ti1271) has a rather big problem: it doesn't pass network traffic to the driver, even in promiscuous mode. We've spent countless hours patching the driver to try and get it to listen, but the firmware simply will not pass back what we want. Someone from Texas Instruments needs to update the firmware on the card itself to make it honor promiscuous mode.
This has the net effect of making Pixie "deaf" when run on such hardware. It can still hear anything sent directly to or from the phone, but it will not hear other devices talking on the network. |
| |
| Q: |
Will Pixie run on my untested phone? |
| A: |
Pixie has been heavily tested on the Nexus One and Droid Incredible. We also have customers reporting success on other phones.
Pixie should run on most any rooted Android phone, but it's possible some phones or tablets will not allow the network adapter to be put into promiscuous mode. Or the adapter might not try very hard after successfully going into promiscuous mode (we're looking at you, Droid).
Always test with Pixie Probe before buying the full version of Pixie. |
| |
| Q: |
Does Pixie need to phone home to you or pass any other identifiable information about my device? |
| A: |
No. Pixie uses Google's licensing service, which calls back to Google sometimes to validate the purchase. Pixie does not ever connect to our servers.
Pixie Probe can optionally send the result of its test data back to us, including your phone's model number and Android version. No other information is sent and the process can be easily declined when running Pixie Probe.
Pixie is quite useful, on the other hand, for finding other apps that are phoning home from your device... |
| |
| Q: |
Pixie Probe says my device is not rooted, but I think it is. What gives? |
| A: |
If Pixie Probe says that your phone is not rooted or incompatible, that could mean a few things.
Is the phone rooted?
If it's not, then you can't run Pixie. Sorry. Root your phone first.
The phone is rooted, but Pixie Probe is still mad.
Chances are, you are running on a phone we haven't tested Pixie on. If it can't find the path to your su executable, it can't enable superuser. Drop us an with some information about your particular phone: model number, current Android version, and what tools/ROM you used to root it.
If you're feeling extra-helpful, find the su executable in your phone's filesystem and let us know where it lives so we can add it to the common search locations. |
| |
| Q: |
Why does my phone need to be rooted? |
| A: |
In order to listen to network traffic, Pixie must put your phone's wifi radio into promiscuous mode. This causes the radio to listen to all network traffic, not simply packets destined for the phone.
The Android kernel requires root access to enable promiscuous mode, given the serious security implications.
Rooting an Android phone can be a very simple process or somewhat difficult, depending on the phone and the version of Android on it.
We recommend reading up on your particular phone's details carefully before attempting anything. And, of course, back up everything on your phone first, in case the instructions don't include that step. |
| |
| Q: |
What is Pixie capturing when it runs? |
| A: |
Pixie passively listens to the traffic on your phone's wifi connection. In order to start a capture, you must be connected to a wifi network: it cannot listen to 3G or EDGE data.
All network access made by other wifi-connected computers within radio range on the network will be recorded by Pixie, such as web browsing, instant messenger conversations, POP3/SMTP mail, DNS requests, BitTorrent traffic, et cetera.
Secure protocols such as https are also recorded as seen, but typically cannot be decrypted. |
| |
| Q: |
What can I do with the capture? |
| A: |
Pixie records network data in the standard pcapdump file format, allowing later analysis with a more powerful desktop tool, such as Wireshark.
Wireshark is a very feature-rich tool that has powerful searching features and is more than capable of stitching entire network sessions back together from a dump file.
In addition to recording network data, Pixie does some basic real-time analysis of the network, showing network devices it has seen with some statistical information and a trace of web requests made by the devices. For information on Pixie's live display, check out the live display section of the FAQ or browse through the manual to see it in action. |
| |
| Q: |
How do I get the capture off the phone? |
| A: |
Pixie includes a simple "Share" context option when clicking on a saved capture. This feature will ZIP the capture up, along with its GPS location and other info, and attach it to an outbound email.
Alternatively, you can simply plug the phone into a computer and enable USB Storage. Pixie's dump files will be stored in a path along the lines of:
/Android/data/com.nbl.pixie/files.
(Some phones may have that folder under /sdcard or /mnt as well.)
Each Pixie capture consists of two files: the first is the .pcapdump file that can be loaded into Wireshark, which contains the actual capture data. There is also a small matching XML file with each capture that contains some metadata about the capture: when it started, the SSID of the network, and the GPS location of the phone when the capture started. |
| |
| Q: |
How does Pixie work with secure networks? |
| A: |
When run on an open or WEP-secured network, Pixie will log data from all devices it can hear on the network. In the case of WEP, you must have the key and be on the network to record.
For WPA and WPA2 networks, Pixie will not log other devices' traffic. WPA uses a handshake when a device associates with the access point, preventing simple eavesdropping.
Note that Pixie will always record traffic to/from the phone it is running on, which can be very handy for developing network code or analyzing a mobile app to determine what it is doing on the network. |
| |
| Q: |
Can I use Pixie to crack networks or collect IV's for WEP cracking? |
| A: |
No. You must be associated and authenticated on the wireless network to run Pixie. It is not a cracking tool. |
| |
| Q: |
Can I listen on an open network if I can't (or refuse to) get past the captive portal? |
| A: |
Yes, you can listen on the network even if the captive portal is not routing your traffic for some reason. If the network gave you an IP address, you are good to go. |
| |
| Q: |
Pixie won't start, claiming some licensing issue. What's going on? |
| A: |
Pixie is distributed using Google's relatively new (as of October 2010) licensing service. We've seen it misbehave a few times, but it's pretty solid for a first effort.
If you are having problems starting Pixie because it can't check the license on your network, one simple workaround is to disable wifi and restart Pixie. Google's licensing service will check over the cellular network and cache the response. Once you see the list of captures, you can turn wifi back on and Pixie will remain happy.
If you have problems with the licensing, please so we can keep track of any problems it may be creating for our customers. |
| |
| Q: |
What does Pixie display while capturing? |
| A: |
Pixie's summary screen simply shows how many devices it has seen as well as some basic network statistics, such as how many TCP, UDP, or other packets it has seen. In addition, an estimate of the network's bandwidth usage is updated every few seconds.
During a capture or replay, you can view the list of devices that Pixie has seen, as well as any recent web requests that have gone by on the network.
Browse the manual for a more graphical view. |
| |
| Q: |
What can I see on a per-device basis? |
| A: |
Clicking a device in the Devices list will show you some detailed information that Pixie has learned about the device. This data includes the device manufacturer, IP address, current bandwidth usage, and basic traffic statistics about the device.
In addition, any web requests sent by the device will be listed. |
| |
| Q: |
What is the number in parentheses after the TCP packet count? |
| A: |
This is the number of web requests Pixie has seen from the device, or the entire network from Summary screen. When you see a number in parentheses in the Devices list, you can click the device to see its detail, including the URLs of web requests it has made.
You can also view a cross-device summary of all web requests from the Web button on the Summary screen. |
| |
| Q: |
Can I view data sent via an HTTP POST? |
| A: |
Yes. HTTP requests that contain POST data are tagged with a darker orange color. Select "View Request Detail" from the context by holding down on the request. For POST requests, you can also simply tap the request to view detail, as that is the default action.
Note that the current (1.0.0) version of Pixie only shows the data included in the first packet of the POST data. If the browser is sending up a large number of cookies, you may not be able to see all the data in Pixie's Live Display. It is, of course, being recorded and can be easily dissected off-line with Wireshark.
HTTP GET requests containing query strings (such as Google searches) appear in a pale yellow color. As a convenience, you can view the request detail to see the query string split up into name=value pairs, rather than try to decode it by looking at the URL. |
| |
| Q: |
Can I view the Live Display again for an old capture that I made? |
| A: |
Yes. Simply select "Replay" by holding down on the capture in Pixie's startup screen (or tap the capture, since Replay is the default action).
Pixie will re-parse the capture, allowing you to view device and web info. Note that some values, such as current bandwidth usage and elapsed time, will not be populated when viewing a replay. |
| |
| Q: |
What's the difference between Pixie and a desktop tool like Kismet? |
| A: |
The biggest difference between the tools lies in how they interface with the network. Kismet interacts directly with the wireless adapter and places it in monitor mode, allowing it to hear any packet over the wifi, even if it is not associated with a network. This can be problematic with some hardware, but many of the newer wifi chipsets work great with Kismet.
Pixie, on the other hand, is constrained by Android. Rather than expose the wifi adapter as an 802.11b device, Android actually hides all of that functionality: the wifi connection actually appears to system processes as a plain old Ethernet device. This means that we don't get monitor mode and we also don't get to see wifi-specific data, such as beacons and associate/disassociate packets.
On the plus side, Pixie runs in your pocket and that's harder to do with Kismet, unless you have very large pockets. Pixie is also significantly easier to set up for folks without Linux experience. |
| |
| Q: |
What is that weird phone MAC that starts with 02? |
| A: |
Good question. ;) For some reason, Android sends itself a packet over the network interface now and again with a source MAC address of "02:<your phone MAC>". The contents of this packet appear to be an HPNA (Home Phoneline Networking Alliance) control frame, ethertype 0x886c. Pull it into Wireshark and look at it for yourself.
We have no idea what this is for. |
| |
| Q: |
Will there ever be an iPhone version of Pixie? |
| A: |
It's not terribly likely. There is absolutely no way Apple would approve it, meaning the application would only work on jailbroken phones and not be available for purchase from the App Store. Also, there's no telling if the network adapter in the iPhone will even go into promiscuous mode, much less actually hear other devices on the network. And that's if we manage to somehow run an app as root.
If you still really want an iPhone version, drop us a line at . If we get enough interest, we'll take a stab at it. |
| |
| Q: |
A friend stole my password off my network with Pixie. What should I do? |
| A: |
Secure your network with WPA2. Change password. Replace friend. |
| |
| Q: |
Is it legal for me to record network data? |
| A: |
We don't know. You should check with your local regulations before recording data on a network that is not your own. |
| |