Let's dump some tcp - Android packet sniffing
Let's hold hands while we take a dump together!
If you don't want to download any old tcpdump binary file and put it all up in your rooted Android phone, because reasons, this guide might be for you.
- Build tcpdump
- Install tcpdump
- Run tcpdump
- Analyze the dump
As a bonus, I want to explain how to do this relatively platform independently.
As I said, platform independently. Here we go!
Unfortunately, platform independent means installing a lot of software. If you are already on a relatively new version of Ubuntu, you can skip to "Ubuntu packages" below.
Ubuntu Xenial in Vagrant
Start by installing Vagrant, and then dump this into a file called Vagrantfile somewhere on your computer:
Vagrant.configure(2) do |config|
  config.vm.box = "ubuntu/xenial64"
  # Edit this line so that it fits your system configuration
  config.vm.synced_folder "/My/host/computer/folder/Downloads", "/downloads"
end
Now open your platform dependent terminal (cmd? xterm? iterm?) and run:
cd Whatever/Directory/you/chose
vagrant up
Wait for a longish while, until vagrant gets its affairs in order, then run:
vagrant ssh
Once we are in the Ubuntu shell we can install the Ubuntu packages.
Ubuntu packages
These packages need to be installed before we continue:
sudo apt-get install gcc-arm-linux-gnueabi
sudo apt-get install make
sudo apt-get install flex
sudo apt-get install byacc
Let's continue in our Ubuntu shell.
Copy this into an executable script file or just run it line by line:
export TCPDUMP=4.7.4
export LIBPCAP=1.7.4
wget http://www.tcpdump.org/release/tcpdump-$TCPDUMP.tar.gz
wget http://www.tcpdump.org/release/libpcap-$LIBPCAP.tar.gz
tar zxvf tcpdump-$TCPDUMP.tar.gz
tar zxvf libpcap-$LIBPCAP.tar.gz
# Cross-compile everything with the ARM toolchain installed above
export CC=arm-linux-gnueabi-gcc
# Build libpcap first; tcpdump's configure finds it in the sibling ../libpcap-* directory
cd libpcap-$LIBPCAP
./configure --host=arm-linux --with-pcap=linux
make
cd ..
cd tcpdump-$TCPDUMP
# configure cannot probe the target kernel when cross-compiling, so tell it we are on Linux 2.x
export ac_cv_linux_vers=2
# Link statically so the binary does not depend on any libraries present on the phone
export CFLAGS=-static
export CPPFLAGS=-static
export LDFLAGS=-static
./configure --host=arm-linux --disable-ipv6
make
# Strip debug symbols to shrink the binary before pushing it to the phone
arm-linux-gnueabi-strip tcpdump
After you have successfully built tcpdump, copy it to the shared directory we set up in the Vagrantfile, or, if you are on your native box, copy it to any directory you like:
cp tcpdump-4.7.4/tcpdump /downloads
On your native machine, go to the directory that "/downloads" in Vagrant (or your local machine) points to.
Unfortunately, this is the point where you need something that I don't have time to explain: A rooted Android phone. Without root you can't push tcpdump, and consequently you can't run tcpdump.
First let's find a directory to push to; sdcard1 is available on some modern Android devices.
adb shell ls
[... long list of files ...]
sdcard
sdcard1
[... probably more files ...]
As I said, I want
adb root
adb remount
adb push tcpdump /sdcard1/tcpdump
Let's drop into adb shell:
adb shell
cd /sdcard1
From here we can run tcpdump (the binary is not on the shell's PATH, so run it from the directory we pushed it to):
./tcpdump -i any -p -s 0 -w /sdcard1/capture.pcap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
This will block as long as you want to do packet capture.
Press Ctrl+C to stop listening. Pressing Ctrl+C might make tcpdump miss some buffered packets, so listen a while longer than you need to (do some web surfing then press Ctrl+C).
(Ctrl+C pressed)
28220 packets captured
35119 packets received by filter
6899 packets dropped by kernel
Here's some info about the tcpdump options:
- -i any: listen on any network interface
- -p: disable promiscuous mode (doesn't work anyway)
- -s 0: capture the entire packet
- -w: write packets to a file (rather than printing to stdout)
Drop out of the adb shell and pull the file to your local machine:
adb pull /sdcard1/capture.pcap
Analyze the dump
Download Wireshark and install it.
Open the file capture.pcap in Wireshark. Unfortunately, how to analyze it in Wireshark is beyond the scope of this guide, but I'll give you some hints.
Load the file using File -> Open.
In the horizontal search bar / text field that spans the entire width of the application window, you can write display filters for the dump.
A simple filter query is simply the name of the protocol you want to analyze, such as http. After listing all http packets, you can get more information about a specific row / call by right-clicking that row and selecting e.g. Follow > HTTP Stream. After following a stream, go back to the filtered list by writing the filter in the search field again.
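If you want a first look at the pulled capture.pcap without opening Wireshark, here is an added example (not part of the original guide) that parses the file format tcpdump -i any writes, link-type LINUX_SLL, and lists the plaintext HTTP request lines you would otherwise find with Follow > HTTP Stream. The sample capture is constructed inline; its addresses, the hostname example.test and the timestamps are made up.

```python
import struct

LINKTYPE_LINUX_SLL = 113  # the "link-type LINUX_SLL (Linux cooked)" that tcpdump -i any reports

def parse_pcap(data):
    """Return (proto, src, dst, l4_payload) for each IPv4 TCP/UDP packet in a LINUX_SLL pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_LINUX_SLL:
        raise ValueError("expected link-type 113 (LINUX_SLL); capture was not taken with -i any")
    records, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]  # record header: ts, ts, incl, orig
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Cooked header: pkttype(2) arphrd(2) addrlen(2) addr(8) protocol(2), all big-endian
        if struct.unpack("!H", pkt[14:16])[0] != 0x0800:  # IPv4 only; the build used --disable-ipv6
            continue
        ip = pkt[16:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 6:     # TCP: data offset is the upper nibble of byte 12, in 32-bit words
            records.append(("tcp", f"{src}:{sport}", f"{dst}:{dport}", l4[(l4[12] >> 4) * 4:]))
        elif proto == 17:  # UDP: fixed 8-byte header
            records.append(("udp", f"{src}:{sport}", f"{dst}:{dport}", l4[8:]))
    return records

def http_requests(records):
    """Plaintext HTTP request lines, what you would otherwise read via Follow > HTTP Stream."""
    return [(src, dst, payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
            for proto, src, dst, payload in records
            if proto == "tcp" and payload[:5] in (b"GET /", b"POST ", b"HEAD /")]

def build_sample_pcap():
    """Constructed sample, not a real capture: one HTTP GET and one DNS query in tcpdump -i any format."""
    def ipv4(proto, src, dst, l4):  # minimal IPv4 header; checksum left zero, the parser does not verify it
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                           bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4
    sll = struct.pack("!HHH8sH", 4, 1, 6, b"\x02" * 8, 0x0800)  # pkttype 4 = sent by this host
    http = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0) \
        + b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    dns = struct.pack("!HHHH", 40001, 53, 20, 0) + b"\x12\x34\x01\x00" + b"\x00" * 8
    pkts = [sll + ipv4(6, "10.0.0.2", "203.0.113.10", http), sll + ipv4(17, "10.0.0.2", "10.0.0.1", dns)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    for i, p in enumerate(pkts):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out
```

Feed `parse_pcap(open("capture.pcap", "rb").read())` the file you pulled with adb; a capture taken on a single interface rather than with -i any has a different link-type and is rejected by design.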
All goals (kind of) achieved!