TCPDUMP is extremely useful for monitoring network traffic when debugging applications and performing penetration tests. Unfortunately Android mobile devices do not include the TCPDUMP program. However, do not despair. This blog series will provide step-by-step instructions for cross compiling, installing, and running TCPDUMP on Android mobile devices. As Michael Buffer would say right before Hulk Hogan brings the smack down, "Let’s get ready to rumblllllllllllle!"
First things first. You'll need to root your Android device in order to run TCPDUMP. For the purposes of this blog series we’ll use CyanogenMod 11 (based on Android 4.4 KitKat) on our mobile device and Debian Jessie (the current Testing release) on our workstation. CyanogenMod is mobile device firmware based on the open-source Android operating system that includes features not found in official Android vendor distributions. Debian is one of the most popular Linux distributions, and is also the basis for other Linux distributions such as Ubuntu. As an interesting note, you can trace the Debian bloodlines through the epic GNU/Linux Distribution Timeline. In any case, if your configuration is different these concepts will still apply but the exact implementation details may differ slightly.
So what is cross compiling anyway? Well, a compiler emits machine code for one specific processor architecture, and machine code built for one architecture will not run on another. For example, let’s check out the hardware platform on our Debian Workstation:
root@debian $ uname -m
x86_64
As you can see, our Debian Workstation is powered by a 64-bit Intel (x86-64) processor, and the tcpdump binary it ships is built for exactly that architecture:
root@debian $ file /usr/sbin/tcpdump
/usr/sbin/tcpdump: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=af85176ee089c2a85c53c34c20657e19c68d8f38, stripped
On the other hand, let’s check out the hardware platform on our CyanogenMod Mobile Device:
root@cyanogenmod:/ # uname -m
armv7l
Like most mobile devices, this bad boy is powered by an ARM processor. Designed by the British company ARM Holdings, ARM processors use a Reduced Instruction Set Computing (RISC) design chosen to keep power consumption and heat low. But if you try running a 64-bit Intel executable on an ARM processor, bad things happen:
root@cyanogenmod:/data # ./tcpdump
/system/bin/sh: ./tcpdump: not executable: magic 7F45
Magic 7F45? PC Load Letter? What the @!#?@! does that mean? (Apologies to both Mike Judge and Q*bert.) In Linux a file’s magic number is the first few bytes of content that identify the file type. 7F45 is the first two bytes of the ELF magic (0x7F followed by the letters "ELF"), so the file is a perfectly good Executable and Linkable Format binary. ELF is not the problem: it is also the native executable format on ARM Linux and on Android. The problem sits a few bytes further into the ELF header, in the e_machine field, which says x86-64. The kernel's ELF loader refuses to exec a binary built for a foreign architecture, and Android's shell (mksh) reports that refusal by printing the file's first two bytes. So what do we know? We can’t just compile TCPDUMP on our Debian Workstation and expect it to magically work on our CyanogenMod Mobile Device. Instead, we’ll need to cross compile TCPDUMP. Cross compiling is simply compiling software for a platform different than the platform on which the compiler is running. A term you will often hear in conjunction with cross compiling is “toolchain”. A toolchain is simply a chain of tools used to create software. In this case we'll leverage a toolchain that allows us to compile software for ARM processors from our Debian Workstation. Toolchains typically include compilers (such as GCC), linkers (such as LD), and libraries (such as LIBC). A dizzying array of toolchains is available, all with varying levels of functionality, documentation, and support. Many toolchains are difficult to configure and use, and documentation may be sparse or non-existent. I tinkered with several toolchains before finally finding one that works smoothly.
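To make the "magic 7F45" point concrete, here is an added example that is not code from the original post: a small Python script that decodes the first 20 bytes of an ELF file (the magic, class, byte order, type and e_machine fields the kernel's loader looks at) and reports whether a binary matches a device's uname -m output. The two sample headers are constructed in the script rather than read from real binaries, the uname-to-e_machine table and the assumption that 64-bit kernels carry 32-bit compat support are mine, and check_file() is a convenience wrapper of my own for pointing the same check at a real file before pushing it to a phone.

```python
"""Check an ELF header's target machine before pushing a binary to a device.

Added example, not from the original post. The kernel's ELF loader rejects a
binary whose e_machine does not match the running architecture; this script
reads the same fields. The sample headers below are constructed, not real files.
"""
import struct

ELF_MAGIC = b"\x7fELF"  # bytes 0-3; mksh's "magic 7F45" is the first two of these

# e_machine values from the ELF specification
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 0x03, 0x28, 0x3E, 0xB7
EM_NAMES = {EM_386: "i386", EM_ARM: "ARM", EM_X86_64: "x86-64", EM_AARCH64: "AArch64"}

# Which e_machine values a kernel reporting this `uname -m` can exec.
# Assumption: 64-bit kernels are built with 32-bit compat support (the common case).
UNAME_TO_EM = {
    "x86_64": {EM_X86_64, EM_386},
    "i686": {EM_386},
    "armv7l": {EM_ARM},
    "aarch64": {EM_AARCH64, EM_ARM},
}


def parse_elf_header(data: bytes) -> dict:
    """Decode e_ident, e_type and e_machine from the first 20 bytes of a file."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        # Report the first two bytes the same way Android's shell does.
        raise ValueError("not an ELF file (bad magic %s)" % data[:2].hex().upper())
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed e_ident")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "e_type": e_type,  # 2 = ET_EXEC, 3 = ET_DYN (PIE or shared object)
        "e_machine": e_machine,
        "machine": EM_NAMES.get(e_machine, "unknown (0x%02X)" % e_machine),
    }


def runs_on(data: bytes, uname_m: str) -> bool:
    """True if a kernel whose `uname -m` is uname_m will exec this ELF header."""
    if uname_m not in UNAME_TO_EM:
        raise ValueError("unknown uname -m value: %s" % uname_m)
    return parse_elf_header(data)["e_machine"] in UNAME_TO_EM[uname_m]


def check_file(path: str, uname_m: str) -> bool:
    """Same check on a real file, e.g. check_file("/usr/sbin/tcpdump", "armv7l")."""
    with open(path, "rb") as fh:
        return runs_on(fh.read(20), uname_m)


def make_header(ei_class: int, e_machine: int) -> bytes:
    """Construct a minimal little-endian ELF header (sample data, not a real binary)."""
    # magic, EI_CLASS, EI_DATA=LSB, EI_VERSION=1, EI_OSABI=SYSV, abiversion + 7 pad bytes
    e_ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + bytes(8)
    return e_ident + struct.pack("<HH", 2, e_machine)  # e_type = ET_EXEC, e_machine


if __name__ == "__main__":
    workstation_tcpdump = make_header(2, EM_X86_64)  # what `file` called "ELF 64-bit LSB ... x86-64"
    cross_built_tcpdump = make_header(1, EM_ARM)     # what the ARM toolchain should produce
    for name, hdr in (("x86-64 build", workstation_tcpdump), ("ARM build", cross_built_tcpdump)):
        info = parse_elf_header(hdr)
        print("%-13s %d-bit %s %-7s runs on armv7l: %s"
              % (name, info["bits"], info["endian"], info["machine"], runs_on(hdr, "armv7l")))
```

Run it as-is to see the constructed x86-64 header rejected for armv7l and the ARM header accepted; point check_file() at the binary your toolchain produces before each adb push and you will never again wonder what "magic 7F45" is trying to tell you.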
The Emdebian project aims to make Debian an attractive choice for embedded devices, and thus includes toolchains that can be used to cross compile software for ARM processors. Let’s install Emdebian. First we'll need to install the GPG keys for the Emdebian software repository:
root@debian $ apt-get install emdebian-archive-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  emdebian-archive-keyring
[OUTPUT TRUNCATED]
Now is when things get interesting. Even though we’re running Debian Jessie, the current testing distribution, the Emdebian toolchain works best on Squeeze, the old but still supported Debian 6.0. So we’ll also need to install older Squeeze dependencies required by the Emdebian toolchain. Consequently we’ll need to add these three lines to the /etc/apt/sources.list file on our Debian Workstation:
deb http://ftp.us.debian.org/debian/ squeeze main
deb http://security.debian.org/ squeeze/updates main
deb http://www.emdebian.org/debian/ squeeze main
The first line enables the Debian Squeeze software repository in order to satisfy Emdebian toolchain dependencies, the second line enables the Debian Squeeze security updates repository, and the third line enables the Emdebian software repository. A word of caution: mixing an older suite into a Testing system is not free. Without apt pinning, a later apt-get install or dist-upgrade can pull Squeeze-era packages into the base system, so give the two squeeze entries a low Pin-Priority in /etc/apt/preferences.d (100, the value normally used for backports, is a sensible choice) so that apt draws on them only to satisfy the toolchain's dependencies, and comment them out again once the toolchain is installed. The emdebian-archive-keyring package installed above is what lets apt verify the signatures on that third repository; if apt reports packages it cannot authenticate, fix the keyring rather than forcing the install. Next let's synchronize the Debian package index files:
root@debian $ apt-get update
Hit http://security.debian.org jessie/updates InRelease
Get:1 http://security.debian.org squeeze/updates InRelease [87.8 kB]
Hit http://ftp.us.debian.org jessie InRelease
Ign http://ftp.us.debian.org squeeze InRelease
[OUTPUT TRUNCATED]
Several software packages need to be installed, but luckily they’re all dependencies of the ARM GNU C++ compiler, so one simple command will do the trick. Note that the packages pulled in are the armel (soft-float EABI) builds; binaries produced with them run fine on an ARMv7 device such as ours, they just do not use the hard-float calling convention:
root@debian $ apt-get install g++-4.4-arm-linux-gnueabi
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  binutils-arm-linux-gnueabi cpp-4.4-arm-linux-gnueabi gcc-4.4-arm-linux-gnueabi gcc-4.4-arm-linux-gnueabi-base gcc-4.4-base-armel-cross libc-bin-armel-cross libc-dev-bin-armel-cross libc6-armel-cross libc6-dev-armel-cross libgcc1-armel-cross libgmp3c2 libgomp1-armel-cross libstdc++6-4.4-dev-armel-cross libstdc++6-armel-cross linux-libc-dev-armel-cross
Suggested packages:
  gcc-4.4-locales gcc-4.4-doc libstdc++6-4.4-dbg-armel-cross libmudflap0-4.4-dev-armel-cross libgcc1-dbg-armel-cross libgomp1-dbg-armel-cross libmudflap0-dbg-armel-cross libcloog-ppl0 libppl-c2 libppl7
The following NEW packages will be installed:
  binutils-arm-linux-gnueabi cpp-4.4-arm-linux-gnueabi g++-4.4-arm-linux-gnueabi gcc-4.4-arm-linux-gnueabi gcc-4.4-arm-linux-gnueabi-base gcc-4.4-base-armel-cross libc-bin-armel-cross libc-dev-bin-armel-cross libc6-armel-cross libc6-dev-armel-cross libgcc1-armel-cross libgmp3c2 libgomp1-armel-cross libstdc++6-4.4-dev-armel-cross libstdc++6-armel-cross linux-libc-dev-armel-cross
[OUTPUT TRUNCATED]
Let's cross our fingers and check out the newly installed cross compiler:
root@debian $ arm-linux-gnueabi-gcc -v
Using built-in specs.
Target: arm-linux-gnueabi
Configured with: ../src/configure -v --with-pkgversion='Debian 4.4.5-8' --with-bugurl=file:///usr/share/doc/gcc-4.4/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.4 --enable-shared --enable-multiarch --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/arm-linux-gnueabi/include/c++/4.4.5 --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --disable-sjlj-exceptions --enable-checking=release --program-prefix=arm-linux-gnueabi- --includedir=/usr/arm-linux-gnueabi/include --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=arm-linux-gnueabi --with-headers=/usr/arm-linux-gnueabi/include --with-libs=/usr/arm-linux-gnueabi/lib
Thread model: posix
gcc version 4.4.5 (Debian 4.4.5-8)
Stop! Hammer Time! Our mobile development toolchain is now installed and ready to rock! The Target line above confirms the compiler emits ARM code; before moving on it is worth compiling a trivial C program with arm-linux-gnueabi-gcc and running file on the result, which should report a 32-bit LSB ARM executable rather than x86-64. One caveat to keep in mind: this toolchain links against glibc, while Android ships its own C library (bionic), so the binaries we build will need to be linked statically to run on the device. In our next installment we'll utilize our newly installed mobile development toolchain in order to cross compile LIBPCAP (the required packet capture library) and TCPDUMP.