Let's dump some tcp - Android packet sniffing
Let's hold hands while we take a dump together!
Background
If you'd rather not download some random prebuilt tcpdump binary and run it as root on your Android phone, because reasons, this guide might be for you.
Goals
- Build tcpdump
- Install tcpdump
- Run tcpdump
- Analyze the dump
As a bonus, I want to explain how to do this relatively platform independently.
Prerequisites
As I said, platform independently. Here we go!
Unfortunately, platform independent means installing a lot of software. If you are already on a relatively new version of Ubuntu, you can skip to "Ubuntu packages" below.
Ubuntu Xenial in Vagrant
Start by installing Vagrant, and then dump this into a file called Vagrantfile somewhere on your computer:
Now open your platform dependent terminal (cmd? xterm? iterm?) and run:
Wait for a longish while, until Vagrant gets its affairs in order, then run:
Once we are in the Ubuntu shell we can install the Ubuntu packages.
Ubuntu packages
These packages need to be installed before we continue:
Build tcpdump
Let's continue in our Ubuntu shell.
Copy this into an executable script file or just run it line by line:
Source: androidtcpdump.com.
After you have successfully built tcpdump, copy it to the shared directory we set up in the Vagrantfile, or, if you are on your native box, copy it to any directory you like:
On your native machine, go to the directory that "/downloads" inside Vagrant points to (or, without Vagrant, the directory you copied the binary to).
Install tcpdump
Unfortunately, this is the point where you need something that I don't have time to explain: a rooted Android phone. Without root you can't push tcpdump, and consequently you can't run tcpdump.
First, let's find a directory to push to; sdcard1 is available on some modern Android platforms.
As I said, I want sdcard1.
Run tcpdump
Let's drop into adb shell
From here we can run tcpdump
This will block for as long as you want to capture packets.
Press Ctrl+C to stop listening. Pressing Ctrl+C might make tcpdump miss some buffered packets, so listen a while longer than you need to (do some web surfing, then press Ctrl+C).
Here's some info about the tcpdump options:
- -i any: listen on any network interface
- -p: disable promiscuous mode (doesn't work anyway)
- -s 0: capture the entire packet
- -w: write packets to a file (rather than printing to stdout)
Drop out of the adb shell
Pull the file to your local machine
Analyze the dump
Download Wireshark and install it.
Open the file capture.pcap in Wireshark. Unfortunately, how to analyze it in Wireshark is beyond the scope of this guide, but I'll give you some hints.
Wireshark basics
Load the file using File -> Open.
In the horizontal filter bar (the text field that spans the entire width of the application window) you can write display filter queries to narrow down the dump.
A simple filter query is simply the name of the protocol you want to analyze, e.g. http.
After listing all http packets, you can get more information about a specific row / call by right-clicking that row and selecting e.g. Follow > HTTP Stream.
After following a stream, go back to the filtered list by writing http in the filter field again.
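As an added example, not code from the original post, here is a small Python script that does offline what the Wireshark steps above do by hand: it reads a pcap file such as the capture.pcap written by the tcpdump command above, walks the link-layer, IPv4 and TCP headers and lists the HTTP request lines. It assumes the file was written by tcpdump -i any, which stores Linux cooked (SLL) link-layer headers rather than Ethernet ones (Wireshark shows these as "Linux cooked capture"), and handles both; the sample capture is constructed inline.

```python
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113   # what "tcpdump -i any" writes: Linux cooked capture, not Ethernet

def _parse_ipv4_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 6:
        return None
    ihl = (frame[0] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def http_requests(pcap_bytes):
    """List 'src:port -> dst:port request-line' for every segment that opens with an HTTP request."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # byte order comes from the magic
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    l2len = {LINKTYPE_ETHERNET: 14, LINKTYPE_LINUX_SLL: 16}[linktype]
    off, out = 24, []
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet keeps the EtherType at bytes 12-14, SLL keeps the protocol type at bytes 14-16
        if len(pkt) < l2len or struct.unpack("!H", pkt[l2len - 2:l2len])[0] != 0x0800:
            continue
        parsed = _parse_ipv4_tcp(pkt[l2len:])
        if parsed:
            src, dst, sport, dport, payload = parsed
            line = payload.split(b"\r\n", 1)[0]
            if line.split(b" ")[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE"):
                out.append(f"{src}:{sport} -> {dst}:{dport} {line.decode('ascii', 'replace')}")
    return out

def build_pcap(linktype, frames):
    """Constructed sample input: wrap raw link-layer frames in a little-endian pcap file."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def sll_ipv4_tcp(src, dst, sport, dport, payload):
    """Constructed Linux cooked frame carrying a minimal IPv4/TCP segment (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return struct.pack("!HHH8sH", 0, 1, 6, b"\x02" * 6 + b"\0\0", 0x0800) + ip
```

To run it on a real capture, call http_requests(open("capture.pcap", "rb").read()); anything the phone sent over plain HTTP shows up with its request line, which is exactly the kind of cleartext a capture like this is meant to surface.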
Epilogue
All goals (kind of) achieved!