A Case study on the Monitor Mode Passive Capturing of WLAN Packets in an On-The-Move Setup

Monitor mode packet capturing of WLAN is used to derive Access points and devices in the range for localization or occupancy purposes. The general modality of capturing and analysis in almost all available studies is to capture packets by being static (STT) at a location and indoors. In STT mode, the beacon and probe packets are used to extract insights about the localization of devices and occupancy estimation. We propose scanning a predetermined path in an urban locality on the move (OTM) using monitor mode WLAN packet capturing. We also propose that in OTM, devices (STA) and Access Points (APs) can be traced from other packets like CTS, ATS, and ACKs apart from beacons and frames. We performed a case study of monitor mode packet capturing in an on-the-move and outdoor setup. The primary focus of the study was to validate the OTM modality and the methodology of detecting devices and APs. We studied all the packet types that were captured, including Beacons and Probes. The device and AP counts sensed using probe and beacon packets were compared with the device and AP counts sensed using the new methodology. We found that considering other packets helps detect a more significant number of devices and APs. We also found that the channel hopping strategy plays an essential role in maximizing the sensed items. The overall exercise revealed that the air is full of WLAN/Wi-Fi traffic, and using OTM can assimilate lots of valuable data and generate relevant information for various purposes. Essentially, on-the-move outdoor capture setups can be used to produce heat maps of the Wi-Fi access points and user devices at the scanned locations. This can be useful in many governance and related matters. Briefly, we put forward an application architecture for the same.


I. INTRODUCTION
Connectivity is widespread, and almost everyone is connected via mobile devices like smartphones, tablets, etc. The possession of a smartphone can now be seen as a 1 to many mapping between people and devices. We can say in simple terms that almost every person holds at least one smart device. Almost every smart device is connected to the internet via one or other means. One such means is Wi-Fi. Majorly, Wi-Fi devices are categorized into an access point (AP) or router and Wi-Fi adapter in devices(STA). Mobile devices can be clients (STA) or even serve extended Wi-Fi (AP) using hotspots. The speed and spectral efficiency of Wi-Fi has been increasing since its formation. The access point routers can form interconnected extensions covering an area up to several kilometers. Wi-Fi services for WLAN/internet access are used in private homes, businesses, and public spaces. Wi-Fi hotspots or Access Points (APs) can be found everywhere in an urban locality and are generally identified by their unique service names called SSID. Looking at the SSIDs, one can easily identify these services as an Organization, individual, Community, enthusiasts, authorities, and businesses, such as airports, hotels, and restaurants.
With the advent of smartphones with strong communication capabilities and many embedded sensors, they can provide critical information about people's behaviour and mobility. Ubiquitous Wi-Fi also enables us to extract people-related information like their location, movement patterns, and many other activities by capturing and analyzing connectivity between mobile clients (people) and access points that can be spread throughout vast locality areas. Sniffing systems can sense intermediary data packets and can store the packets for later analysis. Wireless sniffers are also used to sense Wi-Fi packets and analyze wireless traffic [1]. The sniffed packets can help gain several insights like interactions happening between people, troubleshooting hints to network/system administrators to manage networks, and giving many insights into the type of devices and count of people taking part in communications [2]. The capability to monitor, intercept, and decode wireless data in transit makes sniffers useful for various needs. The sniffers capture both incoming and outgoing data packets in promiscuous mode, which is not needed sometimes. In monitor mode, the adapter set in monitor mode senses and collects all data that is flowing in the air.
We suggest here that capturing WLAN packets passively can be done in two modes: a) fixing the sniffer at a particular location; b) scanning a location by moving the sniffer device at a particular speed. We will call the former Static (STT) and the latter on-the-move (OTM) captures. The sniffed packets in STT mode are widely used for sensing localization and occupancy status of APs and STAs. The main packet types that are used are beacon and probe frames. The sender addresses in beacons are considered APs, and corresponding unique SSIDs are taken as a named AP. Also, in the case of devices or STAs, the probe request frames are considered. The sender addresses in probe request frames are segregated as unique devices.
The paper presents two propositions, they are: a) The outdoor and OTM passive scans of an urban stretch can also render substantial packets for information gathering. b) The extraction of unique devices and access points can be enhanced by considering other packets apart from Probes and Beacons. The basis for a) is that in a smart city and e-governance era several means of data capturing and processing must be explored. Also, in the advent of randomized MACs, identifying unique devices and subsequently predicting occupancy is hindered when adopting STT approach. However, if OTM approach is applied the factor of randomized MAC is suppressed since on the move capturing will capture a Randomized MAC at most once in a scan. The later sections in the paper will present a case study of the Wi-Fi/WLAN packet sniffing in an on-the-move setup. The Wi-Fi sensor adapter and the capturing system will be moving at a particular speed while capturing. We will perform capturing in these two modes (STT and OTM) and present statistics for further evaluation. As in b) we also propose in this paper that while Beacons and probe request frames help sense unique devices and APs, several other types of packets contain APs and STAs as either senders and receivers. Considering these packets as well is necessary for sensing more numbers of APs and devices as the scan durations are of short time and there's a high chance of missing many packets of beacons and probes.
As additional content in this paper, we will discuss one of the significant aspects of OTM capturing, that is, heat maps of APs and devices. Such heat maps of a locality can provide lots of insights for governance-related matters. We present an architecture of one possible use of OTM scanning. Though WLAN sniffing can be done for many unethical purposes, our purpose is to focus on ethical aspects and assume that no unethical tips are drawn out of this exercise.

A. BACKGROUND
The initial wireless 'association' [3] in all means is purely plaintext. Figures 1 and 2 show basic association frames and highlight those which can be helpful. The initial procedure involves the 802.11 authentication and association process. In this, the client device's Wi-Fi adapter scans (via probe request frames) the available frequencies in search of SSIDs to join. In IEEE 802.11 wireless local area networking standards (including Wi-Fi), a service set is a group of wireless network devices which share a service set identifier (SSID) [4]. The basic service set is defined by a basic service set identifier (BSSID) shared by all devices within it. Access points in proximity reply with probe response frames that contain the SSID and BSSID, which corresponds to the access point's MAC address.
Probes can be of two types, directed and broadcast; directed probes are pointed towards a specific SSID, whereas the broadcast probes ping all the nearby APs to send a probe response [4]. In the former case, additional information is sniffed about the client and the client's known AP. This information can be of forensic importance, which can be explored further. The triggered responses from all nearby APs provide an opportunity for the sniffers to detect and record all nearby APs and their SSIDs. This is of utmost importance in estimating occupancy. Both probe request and probe response frames contain vital MAC addresses, which will help detect different devices [5] near the sniffer and subsequently be analyzed to measure the occupancy status and the mobility traces of people holding the client devices. Another item that can be sensed is the beacons. The beacons are signal frames sent by APs at regular intervals to notify the clients of their presence and possible connectivity. The beacon frames also hold relevant information like SSID and BSSID of the AP. Collecting the beacons and analyzing them can give almost a clear picture of available APs at a given locality [4]. It is also an essential means to know whether many APs at a given locality work in tandem to support a particular SSID and BSSID. Analysis of beacons can give a range and extent of a particular SSID. Almost all packets, including beacon and probe frames, contain vital radio information known as RSSI. Wireless communications received signal strength indicator (RSSI) indicates power present in a received radio signal [6]. The RSSI value is represented in a negative form (e.g., -76). It is assumed that the greater the RSSI value, the stronger the signal. Thus, nearer to 0, the RSS is deemed to be perfect. However, devices can capture packets with strengths as low as 90. RSSI is used as an indicator for localization purposes in many studies. It is available in almost all wireless transmitters and receivers, and readings can be obtained without additional hardware requirements [7]. Many packet capture and analysis tools are available. Among them, one is Wireshark [8]. Packets and transmissions captured in Wireshark can be handy for analysis [9] as they contain every bit of information transmitted in the form of probes, beacons, broadcasts, and other associations. Packets of data transfers to and from the client to APs can be traced for many forensic activities. Reaching or finding appropriate and relevant packets can be done by looking at WLAN Traffic and Conversations in the statistics menu of Wireshark [10]. The WLAN traffic view puts the packets in the context of WLAN setups in a particular zone. Conversations put into perspective all packets captured because they give the sources and destinations of communications. The I/O graphs in Wireshark [10] also give a good sense of activities at zones and can be correlated with conversations.

B. RELATED LITERATURE
Literature using Wi-Fi sniffing as one of the tools for various objectives was studied. The mechanism for Wi-Fi monitor mode capturing for exact OTM type modalities was not found in any literature. Table 1 gives a structured view of several related works using passive monitoring one way or another. Table 1 presents several pieces of literature in terms of their adopted Capture Modality, their study location (whether Indoor or Outdoor), and their Investigating purposes and subjects in packet captures. The General captured modality used in most of the work was static multiple installations indoors as well as outdoors. Mostly the investigating subject in all work was probe requests as they majorly aimed to track occupancy in some way or other. In few cases, the subject was refined to the RSSI for localization purposes. Overall, the methodology of 'scanning an urban location', that is, OTM outdoors was not being tried and tested in works of literature so far. However, the works of literature gave a good insight into the usefulness of the proposed methodology. For example, the authors in [11] adopted a methodology to get an idea of the duration of stay in a coach terminal waiting room by detecting Wi-Fi probe requests from passengers' Wi-Fi devices. The method employs a passive monitoring tool with certain add-on features specifically for probe requests packet analysis. For a different objective, a similar methodology is adopted by authors in [12]. The purpose was to count public transport boarders in the vehicle on transit. [13] is another work in this direction that used a similar methodology to track public transport occupancy.
Many works related to crowd mobility detection have used passive monitoring as a tool such as [14] and [15] where authors aimed to achieve real-time monitoring of people flows in public environments either indoors or outdoors, [16] where authors performed Highway traffic flow measurement, [13] is focusing on estimation of public transport occupancy, [9] worked to prepare Digital footprints, etc.
Authors in [17] discuss De-anonymization of large crowds through smartphone Wi-Fi probe requests. Here, they applied analysis of significant probe responses collected over a considerable period at different large gatherings. This was done using the collected dataset by Wigle.net (Wireless Geographic Logging Engine) [18]. WiFiTrace [27] approach exploits Wi-Fi network logs gathered by enterprise Networks for performance and security monitoring and utilizes them for reconstructing device trajectories for contact tracing. In [17,18,19], the Wi-Fi sniffing is carried out by methods not viable for our purpose. However, [17,30,28,10,22] [3,20,21,22,23] uses sniffing tools conducive to use in our purpose (table 1). Authors in [3] use RPi and Pycom LoPy4 development boards with features of an inbuilt WLAN adapter that can be set in monitor mode. Though the RPi 3 Model B used in the study doesn't support monitor mode directly, via Nexmon [24] patches it can be done quickly. For storage, [3] makes use of cheap SD cards. In our case, we can't use SD cards alone as the number of packets captured will be very large, and SD cards may sometimes overflow. This paper only tests the feasibility; hence, the storage model is not discussed here. However, ideas about that are to be explored anyhow. The tests in [3] were done using varied channel hopping strategies, and the results will provide extensive food for thought and help strategize our channel hop strategy. Experiments in [20] use a mobile app (WiFiTracer) that uses the device's Wi-Fi adapters to capture packets. Volunteered captures are then synchronized at a repository hosted on a cloud platform by the data collection module. The approach, though it doesn't use monitor mode adapters and packet analyzers, has a partial similarity to our study, i.e., the OTM. Essentially all the volunteer WifiTracer hosts are on the move while the app captures packets.
Researchers in [21] used a Wi-Fi Pineapple (PA) setup to collect probe requests. It deploys 8 PAs to carry out packet capturing, and the data is maintained via a Linux server centrally. Studies in [3,20,21] utilize RSS for sensing crowds and use Wireshark or Tcpdump to capture packets. They all are static (STT) installation base approaches. Research in [22] demonstrates multichannel sniffing by using 20 RPis with external monitor mode adapters. Authors in [23] collected probes via a network of sniffing devices, namely FogSense [25] devices distributed by Cloud4Wi®, Inc. To sense the crowd, it uses range-free algorithms based on RSS. All surveys and similar research on Wi-Fi tracking use RSS as a means to estimate user positioning. Table 1 presents a listing of the literature survey keeping focus on the aspects of setups and capture modality. The setups include the h/w and s/w used, and the capture modality is all about placing the sensors in the location of study, including the way sensing is carried out, whether the captures are made being OTM or STT and in indoor, outdoor, or any other place. In several similar works [3,2,26,21,23,27,22,28,29] and [16], the probes were sensed from static locations. In [20,13,30,15] there is a feel of OTM capturing in an outdoor setup, which gave many insights into modeling our study. It is observed that most of the research [2,26,20,21,23,27,22,13,28,30,29,16,3,15] have utilized off-the-shelf equipment along with Tcpdump [31] or Wireshark [8], while few have used professional and proprietary packages for their experiments. Our study also finally decided to use a wireless adapter supporting monitor mode and Wireshark to capture packets.

C. CASE OF OTM
The literature survey leads us to work [15], where a definite suggestion was made regarding feasibility in using sniffing systems to understand mobility in urban areas. The case is, how? Mostly all work of outdoor capturing like in [2,26,20,13,30,29,16] and [3,15] adopted means like static deployments or volunteers with mobile phones. While capturing packets in monitor mode has been studied in many research works, the primary modality of capturing in almost all was positioning the sniffer device at a static location or using volunteered probe sensing [20] and [15]. The primary ethical objective in doing this can be the localization of devices in the ambit, troubleshooting WLAN issues, and many others. However, to our knowledge, WLAN sniffing in OTM mode, or scanning of a locality, is hardly discussed anywhere in the literature. We bring in the modality where, rather than several volunteers scanning randomly in an area, we can have a single sensor scanning in predetermined paths. We submit that it is hard to build a complete scan of an urban setup. However, if principally prime and significant areas of an urban system can be scanned in a systematic (rather than random) approach, many areas of information exploration can be derived. OTM scans can provide many insights about a locality and render support in crisis management and other aspects of governance like crime control, etc. Therefore, the case in this work is for OTM, and, majorly, we will focus on 2 aspects: a) people or users and b) named Wi-Fi services (Access Points or APs) in every scan. We, at this moment, build a test case for the OTM scans. To compare the STT and OTM scans, we will perform packet capturing in both the modes. We will use off-the-shelf h/w and s/w as in many  Table 2 gives an idea of the essential items captured in monitor mode and the sensed information that can be inferred.
In many circumstances, we assume that while scanning in OTM, we may come across conditions where a device's probe request frame is not captured. Lots of probe requests might get missed while OTM. However, other frame types can be captured, which may contain the device address. This prompts us to believe that not only probe requests but also probe responses from an AP and other packets that emanate from an STA can be considered for finding unique devices. In many cases, the captured packets emanating from APs can also contain unique devices present at the locality that didn't get identified in other packets. Table II gives an idea about what needs to be considered while identifying unique devices while in OTM. To identify unique devices, we will consider other packets as well. The methodology will be as follows: i. Transmitter addresses in all packets except beacons, CTS, probe response and ACKs (including Block

In most cases, SSIDs in packets other than beacons and probe responses may not depict local APs. When the SSIDs are not part of beacons or probe responses, they should not be considered local to the place of capturing. Hence, when we consider getting unique SSIDs, both i. Transmitter Addresses in beacons and ii. Transmitter Addresses in probe responses might be considered.

$$\text{Unique SSIDs or APs} = \text{Unique addresses in } \{(i) \cup (ii)\}$$

That is,

$$\text{Access Points (APs)} = BA_t \cup PA_t$$

The same principle will be followed in the case of STT also.
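The following Python sketch is an added example, not code from the paper: it applies the AP rule above (transmitter addresses in beacons and probe responses) and the visible part of device rule (i) to frame records, and compares the result with a probe-request-only count. The frame records, addresses and function names are constructed; reading the truncated "(including Block" as Block ACK, removing AP addresses from the device set, and flagging randomized MACs by the locally administered bit are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# IEEE 802.11 (type, subtype) values: type 0 = management, 1 = control, 2 = data.
PROBE_REQ, PROBE_RESP, BEACON = (0, 4), (0, 5), (0, 8)
BLOCK_ACK, RTS, CTS, ACK = (1, 9), (1, 11), (1, 12), (1, 13)
QOS_DATA = (2, 8)

# Rule (i): frame kinds whose transmitter address is NOT taken as a device.
# BLOCK_ACK is an assumption; the page text is cut off after "(including Block".
NOT_DEVICE_SOURCES = {BEACON, CTS, PROBE_RESP, ACK, BLOCK_ACK}


@dataclass(frozen=True)
class Frame:
    kind: Tuple[int, int]   # (type, subtype) from the frame control field
    ta: Optional[str]       # transmitter address; CTS and ACK frames carry none
    ra: str                 # receiver address


def access_points(frames: List[Frame]) -> Set[str]:
    """APs = BA_t U PA_t: transmitter addresses in beacons and probe responses."""
    return {f.ta.lower() for f in frames
            if f.ta and f.kind in (BEACON, PROBE_RESP)}


def devices_probe_only(frames: List[Frame]) -> Set[str]:
    """Baseline used in most prior work: senders of probe requests only."""
    return {f.ta.lower() for f in frames if f.ta and f.kind == PROBE_REQ}


def devices_all_frames(frames: List[Frame], exclude_aps: bool = True) -> Set[str]:
    """Rule (i): transmitter addresses in every frame kind not excluded above.

    exclude_aps is an assumption of this example: an AP that sends data frames
    would otherwise be counted as a device.
    """
    found = {f.ta.lower() for f in frames
             if f.ta and f.kind not in NOT_DEVICE_SOURCES}
    return found - access_points(frames) if exclude_aps else found


def is_randomized(mac: str) -> bool:
    """Locally administered bit (0x02 of the first octet) marks a randomized MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


# Constructed sample capture (not data from the study).
AP1, AP2 = "00:11:22:33:44:01", "00:11:22:33:44:02"
STA1, STA2, STA3 = "3c:5a:b4:00:00:10", "da:a1:19:00:00:20", "a4:c3:f0:00:00:30"
BCAST = "ff:ff:ff:ff:ff:ff"
FRAMES = [
    Frame(BEACON, AP1, BCAST),
    Frame(PROBE_REQ, STA1, BCAST),
    Frame(PROBE_RESP, AP2, STA1),
    Frame(QOS_DATA, STA2, AP1),   # STA2 never probes; seen only in data
    Frame(ACK, None, STA2),
    Frame(RTS, STA3, AP2),        # STA3 seen only in an RTS
    Frame(CTS, None, STA3),
    Frame(QOS_DATA, AP1, STA2),   # AP transmitting data
    Frame(BLOCK_ACK, AP1, STA2),
]


def summary(frames: List[Frame]) -> dict:
    devs = devices_all_frames(frames)
    return {
        "aps": len(access_points(frames)),
        "devices_probe_only": len(devices_probe_only(frames)),
        "devices_all_frames": len(devs),
        "randomized": len({d for d in devs if is_randomized(d)}),
    }


if __name__ == "__main__":
    print(summary(FRAMES))
```
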
We are not performing the tests for performance in this study. Performance of packet captures and channel selections will be studied and compared with existing literature as future work. However, we do present a comparison for two modes of channel selection a) capturing for channels 1 to 13 (being used in most of the world [32]), b) capturing for channels 1 to 11. The case is not to put forward any comparisons as such. The metrics are meant to provide a visualization of the validity of the OTM modality. If OTM scans are done, then, there is a significant chance that we could get lots of data to build relevant information in the tracks of Localization/Tracking/Density, De-Anonymization, Users/Device Profiling as suggested in [2]. We do not conform that our case is really to target De-Anonymization and Users/Device Profiling. Majorly, through this case study, we suggest that the collected information can help build useful localized heat maps that can help in urban planning and management in several aspects.

III. EXPERIMENTAL SETUP, RESULTS AND DISCUSSIONS

A. EXPERIMENTAL SETUP
We used a cheap wireless USB Wi-Fi adapter employing the Ralink RT5370 chipset for 2.5GHz WLANs supporting monitor mode. The manufacturer claims a 3dBi power antennae, which was installed on the glass window (figure 3) of the vehicle used for capturing test data. The Wi-Fi adapter connects in 'managed' mode but can be switched to 'monitor' mode easily in Kali Linux. Wireshark was used to capture packets, and the collected information was analyzed both in raw form and from generic statistics extracted in it.
The channel hopping strategy was also the simplest among all, where we hopped each channel (ch 1 to ch 13) in equal intervals of 0.1 seconds. The code for the channel hopping was derived from the portal [33]. It is also to be noted that channel hopping can be further refined to gain maximum throughput. Both the OTM scan and the STT captures were made through Wireshark, and the captures were saved for analysis in pcapng file format. Recording of packet captures was done for 15-minute durations in both OTM and STT modes. The STT capture was made at a busy crossroad on the same road for the same 15-minute duration. The capturing was for longer than 15-minute duration. The actual 15-minute test data were extracted from the Wireshark pcapng file, discarding packets from a few minutes at the start and end of captures using 'editcap' commands for both OTM and STT captures. We also experimented on the same stretch of road with a channel hopping strategy of 0.1 seconds on channels 1-11. The results of both the setups are presented for the OTM case. The results for channel hopping strategy 1-13 were used for both STT and OTM cases, and results are put forward for further studies. RSSI values Since there was no previous data for the above metrics on the outdoor front for the static case, we recorded data for both cases ourselves for the comparison mentioned in the previous section.
OTM captured around 15% more packets, which may be due to its scan nature. The comparison of captures in both modalities is shown as a bar graph in figure 5.
Both STT, as well as OTM, were able to capture sufficient numbers of packets. The major significant difference was in the number of data packets. The STT captured a much larger number (figure 5 and 6) of data packets than in OTM. This can be due to the static nature of the capturing and also because mostly data packets may appear at only a few Locations while on the moving scan.
In terms of devices (figure 7), the OTM could sense more devices than STT when the device identification was made using the process described in the previous section. Whereas, if only probe requests were considered, the number of devices sensed in both cases was almost identical. The approach of identifying devices and APs in the previous section was used considering other relevant packets. Table 3 presents the intermediate counts following the approach. It is evident that, while STT, the number of devices will be lesser than OTM. However, the device density in the case of STT will be much higher as it captures devices at only one location. The randomized MACs in the case of OTM are proportionately higher than that of STT. The randomization frequency in most devices is more than an hour, as mentioned in [34]. Hence we assume that every randomized MAC is representing one unique device. Thus, it is not a significant hindrance in building heat maps. As expected, the randomized MACs in STT are a significant part of overall unique devices. In the case of OTM, it's not major; however, quite significant. In APs in both the captures (figure 8), OTM showed a more significant number of APs identified as expected. This is because the scan covers a larger area and thus senses much more beacons than in STT. Also, the beacons and other packets emanating from APs will be from a more extensive range of APs than in STT.
The received signal strengths were also almost similar and enough for capturing substantial packets in both OTM and STT. Table 4 gives the average signal strengths in probe requests and beacons in both STT and OTM. The overall packets show a slight variation in average RSSI such that, in STT, it is a little on the higher side as expected. However, minimum and maximum values are similar. Thus, the signal strengths in the case of OTM are quite enough and conducive for capturing sufficient packets.

C. COMPARING CHANNEL HOPPING
We performed OTM using two modes of channel hopping: a) hopping 0.1s each from channel 1 to channel 11 (Ch A); b) hopping 0.1s each from channel 1 to channel 14 (Ch B). The scans were done for 15 minutes on the same stretch of road on different days. Surprisingly, in Ch A and Ch B, the packets captured were almost identical, with Ch B recording meagerly higher numbers of packets. In Ch A, i.e., OTM1, the total packets captured were 14498, and in the case of Ch B, i.e., OTM2, it was 14795. Beacons, probe responses, and probe requests were a little on the higher side in OTM1 (figure 9). Figure 9 gives the collected counts of various packet types in both the captures. Even while spending a reasonable amount of time on channels 12-14, it is found that almost similar captures occurred. The reason can be that a good amount of services are in channels 12 and 13 also in this part of the world. A total of 1335 out of 14795 packets in OTM2 belonged to channels 12, 13 and 14. A fact that can't be ignored is the social factors surrounding the dreadful Covid19 situation in India, as the OTM1 was recorded on 26th of April 2021 and the OTM2 was recorded on May 21st 2021. The Covid19 situation at these two dates was drastically different, and hence the lockdowns and mass movement were also variable on these dates. We, however, do not make any claims in this matter and will leave this for later studies on channel hopping strategies. Looking at the unique devices identified in both scans, again, OTM2 was on the higher side (figure 10). The prime reason might be a little higher number of packets captured in the latter case. In the case of identified APs, OTM1 was on a higher side (figure 10). We are not suggesting any particular reason for this. However, if we bring in these two scans' social conditions, we certainly get more clues to ponder upon. This boosts the idea that OTM can be a powerful way to read and study social patterns in a locality.
Also, it confirms that each scan of a locality will add valuable unique data in the knowledge bank, and the collected data can be used to

D. HEAT MAPS OF VARIOUS ITEMS OF INTEREST
We propose that, essentially, the OTM scans can yield output in the form of heat maps that can be useful in providing assistance in town planning, policing, disaster management, etc. To demonstrate this, the output packets, Devices, and APs were segregated and counted in terms of the time of captures, and the cells were given colors relative to their frequencies. That is, the intensity of color increases with the relative lowest to highest frequencies in the series. Figure 12 gives a heat map view of the packets, Devices, and APs.
To get a deeper feel of their relation to the subject, we have also given a heat map view of the approximate roadside density (population) on the scale of 0-5 (this is merely based on manual observation). The vehicle's speed at a 1-minute interval was also recorded to give an additional idea of the conformance of the captures. Figure 14 in the next section depicts that this heat map can be synced with the actual map with other information on a dashboard.
The heat maps of APs and Devices are expectedly similar. They both match to a reasonable extent with the roadside density. However, the device population might be very different at few places, which has to be equated with the social factors of the region. The exact maps can be made when the tests are carried out, accompanied by a GPS and the time tallied GPS and Packets, thus leading us to more accurate heat maps of the locality than on locality maps.

IV. OTM BASED MONITORING APPLICATION ARCHITECTURE
Overall, the results show that OTM can also be a mode that can be useful in many senses. The heat map application can be suitable for governance and statistical agencies and thus can be modeled. Figure 13 gives an architectural overview of the application. The GPS and Wi-Fi monitor modules will sense the geolocations and the packets in the air, respectively. The GPS module will use GPS devices or sensors to get the geolocation in high-frequency intervals. The Wi-Fi adapter (monitor mode capable) will sense the Wi-Fi bands and capture packets using Wireshark [8] or any suitable packet capture tool. The sensed data will be synchronized by time and sent to the compilation module in real-time. The compilation module will assimilate the received data with previous data and send the compiled data to the maps module and dashboard for visualized output. It will also send the data to cloud storage using appropriate APIs like JSON etc. Another form of input can be the Manual information about any location. It can be any incident or notes that the user wants to make. These notes can help generate appropriate alerts while scanning prompting for a pause or a small halt for data captures for further probing. The compilation module will also compile this information in sync with time and location.
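The sketch below is an added example, not code from the paper: it illustrates the time-binned heat map described in the heat map section and the time synchronisation of GPS fixes with packets done by the compilation module. All observations, GPS fixes, function names, the 60-second bin and the 5-second matching tolerance are constructed assumptions, and the observations are taken to be already classified as device or AP sightings.

```python
import bisect
from collections import defaultdict

def nearest_fix(gps_fixes, ts, max_gap=5.0):
    """Return (lat, lon) of the GPS fix closest in time to ts.

    gps_fixes is a list of (timestamp, lat, lon) sorted by timestamp.
    Returns None when no fix lies within max_gap seconds, so a bin recorded
    during a GPS outage is not pinned to a stale position.
    """
    times = [f[0] for f in gps_fixes]
    i = bisect.bisect_left(times, ts)
    candidates = gps_fixes[max(0, i - 1): i + 1]   # fix before and fix after ts
    if not candidates:
        return None
    best = min(candidates, key=lambda f: abs(f[0] - ts))
    return (best[1], best[2]) if abs(best[0] - ts) <= max_gap else None

def heat_rows(observations, gps_fixes, bin_seconds=60, max_gap=5.0):
    """Build one heat map row per time bin.

    observations: iterable of (timestamp, kind, address), kind is "device" or "ap".
    Each row carries the packet count, unique device and AP counts, the location
    at the bin midpoint, and a 0.0-1.0 intensity per column (min-max scaled, so
    colour grows from the lowest to the highest frequency in the series).
    """
    bins = defaultdict(lambda: {"packets": 0, "device": set(), "ap": set()})
    for ts, kind, addr in observations:
        b = bins[int(ts // bin_seconds)]
        b["packets"] += 1
        b[kind].add(addr)
    if not bins:
        return []

    rows = []
    for idx in range(min(bins), max(bins) + 1):    # keep empty bins as zero rows
        b = bins[idx]
        midpoint = (idx + 0.5) * bin_seconds
        rows.append({
            "start": idx * bin_seconds,
            "packets": b["packets"],
            "devices": len(b["device"]),
            "aps": len(b["ap"]),
            "location": nearest_fix(gps_fixes, midpoint, max_gap),
        })

    for col in ("packets", "devices", "aps"):
        values = [r[col] for r in rows]
        lo, hi = min(values), max(values)
        for r in rows:
            r[col + "_intensity"] = 0.0 if hi == lo else round((r[col] - lo) / (hi - lo), 2)
    return rows

# Constructed sample data: seconds since scan start, placeholder addresses.
OBSERVATIONS = [
    (5, "ap", "ap-1"), (10, "device", "d1"), (20, "device", "d2"), (30, "device", "d1"),
    (70, "ap", "ap-1"), (75, "ap", "ap-2"), (80, "device", "d3"),
    (90, "device", "d4"), (100, "device", "d5"), (110, "ap", "ap-3"),
    (130, "device", "d5"),
]
# Constructed GPS fixes; the receiver loses its fix after t = 100 s.
GPS_FIXES = [(28.0, 30.3165, 78.0322), (91.0, 30.3180, 78.0340), (100.0, 30.3182, 78.0343)]

if __name__ == "__main__":
    for row in heat_rows(OBSERVATIONS, GPS_FIXES):
        print(row)
```
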
A generic view of the dashboard can be shown in figure 14. Majorly, the dashboard will show the current position on the map and the collected heat map based on previous records/scans. The dashboard will also be having prompts to input records or notes. Other aspects like graphical visualizations etc., will also be viewed through the dashboard. By presenting this architecture, we aim to give an application perspective to the study to be taken up further by developers. In general, many application areas can be explored using the OTM modality like Measure of occupancy status, Location tracking of suspicious mobiles, Track of named and public SSIDs like malls, hotels, restaurants, etc. and their extent in a locality on the map, Vulnerability Assessments of public Wi-Fi's in localities, Maintain historical records: Forensics, seized mobile phones and captured location tracking and history relooking, Tracking sudden movements or exodus, Beats/patrolling by building Wi-Fi hotspots, Managing emergency evacuations, Managing lawful closures and lockdowns, Conducting rescue operations, Detect suspicious Wi-Fi traffic, etc.

V. CONCLUSION
The On-the-move modality of passive Wi-Fi packet captures was studied and compared with the static model. Both the OTM and STT modality of outdoor packet capturing in an urban stretch were able to capture sufficient packets of WiFi/WLAN. The OTM was able to capture a much larger count of unique devices and APs as compared to STT. The unique devices and APs conformed to a good extent with the estimated population alongside the urban stretch. The unique devices and APs count have no effect due to MAC randomization in the case of OTM. The study revealed that some circumstantial aspects of the urban population can be sensed and managed by studying and analyzing OTM scans and records. The RSS values in OTM scans were found to be feeble yet enough for the receivers to capture packets. The methodology of OTM can be invariantly called 'scans' and can be very useful in many ways. Regular scans of a locality can refine the heatmaps as well as can give several insights into the people and mass behavior in terms of mobility, density, sudden changes, crime localization, etc. However, if forensic requirements are to be considered then STT can be more useful as it can lead to capturing a lot more data packets than OTM for analysis. With a simple approach of channel hopping and off-the-shelf equipment, we were able to sense a good amount of devices and access points throughout the road in the city of Dehradun, India. We also found that the amount of identified devices and APs is much more if we look deeper into other packets rather than only probe requests and beacons. Channel hopping, or other proven channel selection methodologies, can be adopted for better capturing. Two different strategies adopted (OTM and STT) in the study showed little or less significant difference in the overall captures. However, the reason is unclear and needs more exploration and study.
Capturing equipment of better receiving strengths can be employed to get enhanced counts of packets and thus will significantly increase the number of devices and APs identified. Using the new methodology to identify unique devices from the captured packets was found to sense a much larger number of devices and APs in both OTM and STT modalities. This can help other works to optimize their approach and objectives. In this study we have confined the scope to 2.5 GHz which is mostly used and has a longer range than 5 GHz which can be sensed passively on the move. However, as a future work 5 GHz channels and WiMax can be brought under the scope. The study also includes building a time-based heat map of packets, devices, and APs. The results were promising and validate the usefulness of the OTM passive capturing of Wi-Fi packets. Lastly, an application architecture for a proper OTM-based scanning system is put forward for further exploration. The whole intention of the work is to bring a little attention of readers/researchers to this possibility. This approach can bring in many leads towards rendering support in smart city applications, disaster management, emergency evacuations, etc.