Domain Specific Language

Let's dump some tcp - Android packet sniffing

  1. Background
  2. Goals
  3. Prerequisites
  4. Build tcpdump
  5. Install tcpdump
  6. Run tcpdump
  7. Analyze the dump
  8. Epilogue

Let's hold hands while we take a dump together!

Background

If you would rather not grab some random prebuilt tcpdump binary off the internet and run it as root on your Android phone (a healthy instinct: you would be trusting an unknown build with every packet the phone sends), this guide might be for you. We build it from source ourselves.

Goals

The goal is to build tcpdump for Android from source, run it on the phone and look at the resulting capture in Wireshark. As a bonus, I want to explain how to do this relatively platform independently.

Prerequisites

As I said, platform independently. Here we go!

Unfortunately, platform independent means installing a lot of software. If you are already on a relatively new version of Ubuntu, you can skip to "Ubuntu packages" below.

Ubuntu Xenial in Vagrant

Start by installing Vagrant, and then dump this into a file called Vagrantfile somewhere on your computer:

Vagrant.configure(2) do |config|
 config.vm.box = "ubuntu/xenial64"
 # Edit this line so that it fits your system configuration
 config.vm.synced_folder "/My/host/computer/folder/Downloads", "/downloads"
end

Now open your platform dependent terminal (cmd? xterm? iterm?) and run:

cd Whatever/Directory/you/chose
vagrant up

Wait for a longish while, until vagrant gets its affairs in order, then run:

vagrant ssh

When we have entered the ubuntu shell we can prepare the ubuntu packages.

Ubuntu packages

These packages need to be installed before we continue. On a freshly booted box the package lists may be stale, so update them first:

sudo apt-get update
sudo apt-get install gcc-arm-linux-gnueabi make flex byacc

Build tcpdump

Let's continue in our ubuntu shell.

The downloads below go over plain http, and the whole point of this exercise is not running code you have not vetted, so before building check the tarballs against the detached signatures tcpdump.org publishes next to them (tcpdump-$TCPDUMP.tar.gz.sig and libpcap-$LIBPCAP.tar.gz.sig in the same release directory; gpg --verify them after importing the tcpdump.org release signing key).

Copy this into an executable script file or just run it line by line:

export TCPDUMP=4.7.4
export LIBPCAP=1.7.4

wget http://www.tcpdump.org/release/tcpdump-$TCPDUMP.tar.gz
wget http://www.tcpdump.org/release/libpcap-$LIBPCAP.tar.gz

tar zxvf tcpdump-$TCPDUMP.tar.gz
tar zxvf libpcap-$LIBPCAP.tar.gz

# Everything from here on is compiled with the ARM cross compiler, not the host gcc
export CC=arm-linux-gnueabi-gcc
cd libpcap-$LIBPCAP
./configure --host=arm-linux --with-pcap=linux
make
cd ..

cd tcpdump-$TCPDUMP
# configure cannot inspect the target kernel from the build host, so tell it the major version
export ac_cv_linux_vers=2
# Link statically: the binary must not depend on whatever libc or libpcap the phone has
export CFLAGS=-static
export CPPFLAGS=-static
export LDFLAGS=-static

# tcpdump's configure finds the libpcap we just built in ../libpcap-$LIBPCAP by itself
./configure --host=arm-linux --disable-ipv6
make

arm-linux-gnueabi-strip tcpdump
cd ..

Source: androidtcpdump.com.

After you have successfully built tcpdump, copy it to the shared directory we set up in the Vagrantfile, or if you are on your native box copy it to any directory you like. If you ran the lines above as a script, $TCPDUMP is not set in your interactive shell, hence the hardcoded version:

cp tcpdump-4.7.4/tcpdump /downloads

On your native machine, change to the directory that /downloads in the Vagrantfile is mapped to (/My/host/computer/folder/Downloads in the example), or to wherever you copied the binary. The adb commands below are run from there.

Install tcpdump

Unfortunately, this is the point where you need something that I don't have time to explain: a rooted Android phone. Without root you can push the file, but you can't run it with the privileges raw packet capture requires, so you can't run tcpdump.

First let's find a directory to push to; sdcard1 (a second storage volume, typically a removable SD card) is available on some modern Android devices.

adb shell ls
[... long list of files ...]
sdcard
sdcard1
[... probably more files ...]

As I said, I want sdcard1. adb root restarts adbd as root, which only works on a rooted or userdebug build; adb remount makes /system writable and is only needed if you decide to push under /system instead of to the SD card.

adb root
adb remount
adb push tcpdump /sdcard1/tcpdump
adb shell chmod 755 /sdcard1/tcpdump

If running it later fails with "Permission denied", your external storage is mounted noexec (and chmod is a no-op on a FAT card). In that case push to /data/local/tmp instead, which is both writable and executable for the shell user.

Run tcpdump

Let's drop into adb shell

adb shell
cd sdcard1

From here we can run tcpdump

tcpdump -i any -p -s 0 -w /sdcard1/capture.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

This will block as long as you want to do packet capture. Generate the traffic you are interested in (do some web surfing) and then press Ctrl+C; tcpdump closes the file cleanly on Ctrl+C, so nothing it has already captured is lost that way.

What you can lose shows up in the summary below as dropped by kernel: packets the kernel discarded because tcpdump, writing to a slow SD card, was not draining its buffer fast enough. Capture a while longer than you think you need, and if the dropped count is high give tcpdump a bigger buffer with -B, which takes a size in KiB (e.g. -B 4096).

(Ctrl+C pressed)
28220 packets captured
35119 packets received by filter
6899 packets dropped by kernel

Sanity check: captured plus dropped by kernel equals received by filter (28220 + 6899 = 35119), so the third line tells you exactly how many packets you missed.

Here's some info about the tcpdump options used above:

-i any: capture on all interfaces at once (Wi-Fi, mobile data, loopback). The price is the LINUX_SLL "Linux cooked" pseudo link layer mentioned in the startup line, instead of real Ethernet headers.
-p: don't put the interfaces into promiscuous mode; we only want the phone's own traffic anyway.
-s 0: no snap length, i.e. write whole packets rather than just their first bytes ("capture size 65535 bytes" confirms it).
-w /sdcard1/capture.pcap: write the raw packets to a pcap file instead of decoding them on the terminal.

Drop out of the adb shell

exit

Pull the file to your local machine, then remove it from the phone. It sits on shared storage that any app with the storage permission can read, and it contains everything the phone said on the network, in the clear where the protocol was in the clear.

adb pull /sdcard1/capture.pcap
adb shell rm /sdcard1/capture.pcap

Analyze the dump

Download Wireshark and install it.

Open the file capture.pcap in Wireshark. Unfortunately, how to analyze it in Wireshark is beyond the scope of this guide, but I'll give you some hints.

Wireshark basics

Load the file using File -> Open.

In the display filter bar, the text field spanning the entire width of the application window just below the toolbar, you can write queries for filtering the dump.

A simple filter query is simply the name of the protocol you want to analyze, e.g. http.

After listing all http packets, you can get more information for a specific row / call by right clicking that row and selecting e.g. Follow > HTTP Stream. Only plain http is readable this way: traffic to port 443 shows up under the ssl filter (tls in newer Wireshark versions) as encrypted records, which is exactly what you want to see for anything sensitive the phone sends.

After following a stream, go back to the filtered list by writing http in the filter field again.
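If you would rather script the analysis than click through it, here is an added example (my own code, written for this page; not from the original post, tcpdump or Wireshark) that parses the file exactly as tcpdump -i any writes it: a pcap with link type LINUX_SLL (113), where every packet carries a 16-byte "cooked" header instead of an Ethernet one. It walks the pcap record headers, decodes the cooked header, IPv4 and TCP/UDP, flags packets the snap length truncated, counts packets per flow and lists plaintext HTTP request lines, which is also why TLS streams never show up as HTTP. The sample capture it builds itself is constructed for the demo (RFC 5737 test addresses, made-up timestamps), and all function names are my own.

```python
"""Parse a capture written by `tcpdump -i any -w`: pcap with link type LINUX_SLL (113)."""
import struct
from collections import Counter

LINKTYPE_LINUX_SLL = 113      # "Linux cooked": 16-byte pseudo header instead of Ethernet
ETHERTYPE_IPV4 = 0x0800
SLL_PACKET_TYPES = {0: "in", 1: "broadcast", 2: "multicast", 3: "other-host", 4: "out"}

def parse_pcap(data):
    """Yield one dict per IPv4 TCP/UDP packet; IPv6, ARP, ICMP etc. are skipped."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    nsec = magic in (0xA1B23C4D, 0x4D3CB2A1)   # nanosecond-timestamp variant of the format
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("expected LINUX_SLL (113), got link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < incl_len:
            break   # file ends mid-record, e.g. the capture was killed while writing
        rec = _decode_sll(pkt)
        if rec is not None:
            rec["ts"] = ts_sec + ts_frac / (1e9 if nsec else 1e6)
            rec["truncated"] = incl_len < orig_len   # snap length cut this packet short
            yield rec

def _decode_sll(pkt):
    """Cooked header -> IPv4 -> TCP/UDP; None for anything this example does not decode."""
    if len(pkt) < 16:
        return None
    pkt_type, _hatype, _halen, _addr, proto = struct.unpack(">HHH8sH", pkt[:16])
    ip = pkt[16:]
    if proto != ETHERTYPE_IPV4 or len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack(">H", ip[2:4])[0]
    l4 = ip[ihl:total_len]                     # shorter than the header claims if truncated
    rec = {"direction": SLL_PACKET_TYPES.get(pkt_type, "?"),
           "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    if ip[9] == 6 and len(l4) >= 20:           # TCP: payload starts at the data offset
        rec.update(proto="tcp", payload=l4[(l4[12] >> 4) * 4:])
    elif ip[9] == 17 and len(l4) >= 8:         # UDP: fixed 8-byte header
        rec.update(proto="udp", payload=l4[8:])
    else:
        return None
    rec["sport"], rec["dport"] = struct.unpack(">HH", l4[:4])
    return rec

def http_request_lines(records):
    """(direction, 'ip:port', request line) per plaintext HTTP request. TLS never matches:
    its payload starts with a 0x16 record-type byte, so Wireshark shows it as encrypted."""
    out = []
    for r in records:
        if r["proto"] == "tcp" and r["payload"]:
            first = r["payload"].split(b"\r\n", 1)[0]
            if first.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE"):
                out.append((r["direction"], "%s:%d" % (r["dst"], r["dport"]),
                            first.decode("ascii", "replace")))
    return out

def conversations(records):
    """Packet count per flow, a scriptable stand-in for Wireshark's Conversations window."""
    return Counter((r["proto"], r["src"], r["dst"], r["dport"]) for r in records)

# Constructed sample capture (RFC 5737 test addresses), not a dump from a real phone.
def _ip(src, dst, proto, l4):
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + l4   # IP checksum left at 0; nothing in this example verifies it

def _tcp(src, dst, sport, dport, payload):   # 0x50 = data offset 5 words, 0x18 = PSH|ACK
    return _ip(src, dst, 6, struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload)

def _udp(src, dst, sport, dport, payload):
    return _ip(src, dst, 17, struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload)

def build_sample_pcap(snaplen=65535):
    """A LINUX_SLL pcap with an HTTP exchange, the start of a TLS handshake and a DNS query."""
    phone, web, dns = "10.0.0.5", "198.51.100.7", "192.0.2.53"
    frames = [  # (seconds, microseconds, SLL packet type, IPv4 packet)
        (1500000000, 0, 4, _tcp(phone, web, 40001, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")),
        (1500000000, 120000, 0, _tcp(web, phone, 80, 40001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),
        (1500000001, 0, 4, _tcp(phone, web, 40002, 443, b"\x16\x03\x01\x00\x00")),
        (1500000001, 5000, 4, _udp(phone, dns, 5353, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_LINUX_SLL)
    for sec, usec, pkt_type, ip_pkt in frames:
        sll = struct.pack(">HHH8sH", pkt_type, 1, 6, b"\x02\x00\x00\x00\x00\x01\x00\x00", ETHERTYPE_IPV4)
        frame = (sll + ip_pkt)[:snaplen]        # tcpdump keeps only snaplen bytes per packet
        out += struct.pack("<IIII", sec, usec, len(frame), len(sll) + len(ip_pkt)) + frame
    return out
```

To run it over a real pull, hand parse_pcap the bytes of capture.pcap (open("capture.pcap", "rb").read()) instead of build_sample_pcap(); feed the records to conversations() to see which hosts the phone talked to and to http_request_lines() for the requests that went out unencrypted. The truncated flag is what you would inspect if a capture had been taken without -s 0: request lines cut off after the snap length show up shortened rather than silently missing.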

Epilogue

All goals (kind of) achieved!