Security Community Blog

Monitoring Android Network Traffic Part II: Cross Compiling TCPDUMP

Created: 10 Feb 2014 • Updated: 08 Sep 2014 • 3 comments

In the previous installment we installed our mobile development toolchain. Let's keep the party rockin' and download the latest versions of LIBPCAP and TCPDUMP. LIBPCAP is the packet capture library required by TCPDUMP. First let's unpack LIBPCAP and move into the newly created LIBPCAP directory:

root@debian $ tar zxvf libpcap-1.6.1.tar.gz
libpcap-1.6.1/
libpcap-1.6.1/grammar.y
libpcap-1.6.1/pcap_setnonblock.3pcap
libpcap-1.6.1/fad-glifc.c
[OUTPUT TRUNCATED]

root@debian $ cd libpcap-1.6.1

Now it's time to make the magic happen! Time to cross compile TCPDUMP! I know that's not as exciting as pulling a rabbit out of a hat or sawing a lovely assistant in half, but you can only do so much in a blog post. First we'll need to set the "CC" environment variable to specify the ARM C compiler:

root@debian $ export CC=arm-linux-gnueabi-gcc

Note this environment variable syntax is specific to Bash and other Bourne shell derivatives. Next let's configure LIBPCAP:

root@debian $ ./configure --host=arm-linux --with-pcap=linux
checking build system type... x86_64-unknown-linux-gnu
checking host system type... arm-unknown-linux-gnu
checking target system type... arm-unknown-linux-gnu
checking for arm-linux-gcc... arm-linux-gnueabi-gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... yes
[OUTPUT TRUNCATED]

Note that the configure script successfully located the "arm-linux-gnueabi-gcc" compiler through the "CC" environment variable, and knows that we're cross compiling because of the "--host=arm-linux" command line option. Now let's make LIBPCAP:

root@debian $ make
arm-linux-gnueabi-gcc -fpic -I.  -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -g -O2 -c ./pcap-linux.c
arm-linux-gnueabi-gcc -fpic -I.  -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -g -O2 -c ./pcap-usb-linux.c
arm-linux-gnueabi-gcc -fpic -I.  -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -g -O2 -c ./pcap-can-linux.c
arm-linux-gnueabi-gcc -fpic -I.  -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -g -O2 -c ./fad-getad.c
[OUTPUT TRUNCATED]

Next let's exit the LIBPCAP directory, unpack TCPDUMP, and move into the newly created TCPDUMP directory:

root@debian $ cd ..

root@debian $ tar zxvf tcpdump-4.6.1.tar.gz
tcpdump-4.6.1/
tcpdump-4.6.1/nfsfh.h
tcpdump-4.6.1/llc.h
tcpdump-4.6.1/print-lwres.c
[OUTPUT TRUNCATED]

root@debian $ cd tcpdump-4.6.1

To compile TCPDUMP, additional environment variables need to be set. The "ac_cv_linux_vers" variable informs TCPDUMP of the kernel major version number. The following commands list the kernel version and set the "ac_cv_linux_vers" environment variable to the kernel major version number:

root@debian $ uname -v
#1 SMP Debian 3.14.15-2 (2014-08-09)

root@debian $ export ac_cv_linux_vers=3

Because shared libraries will not be installed on our CyanogenMod Mobile Device we'll need to set the "CFLAGS", "CPPFLAGS", and "LDFLAGS" environment variables to specify that TCPDUMP should be statically linked:

root@debian $ export CFLAGS=-static

root@debian $ export CPPFLAGS=-static

root@debian $ export LDFLAGS=-static

Note that only the "CFLAGS" environment variable is explicitly required in order to statically link TCPDUMP, but setting all three environment variables is a good practice. Now let's configure TCPDUMP:

root@debian $ ./configure --host=arm-linux --disable-ipv6
checking build system type... x86_64-unknown-linux-gnu
checking host system type... arm-unknown-linux-gnu
checking for arm-linux-gcc... arm-linux-gnueabi-gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... yes
[OUTPUT TRUNCATED]

Once again note that the configure script successfully located the "arm-linux-gnueabi-gcc" compiler through the "CC" environment variable, and knows that we are cross compiling because of the "--host=arm-linux" command line option. In addition, note that IPv6 is disabled because of the "--disable-ipv6" command line option. Now let's make TCPDUMP:

root@debian $ make
arm-linux-gnueabi-gcc -ffloat-store -DHAVE_CONFIG_H  -I./missing  -D_U_="__attribute__((unused))" -I. -I./../libpcap-1.6.1  -I./missing -g -O2 -c ./setsignal.c
arm-linux-gnueabi-gcc -ffloat-store -DHAVE_CONFIG_H  -I./missing  -D_U_="__attribute__((unused))" -I. -I./../libpcap-1.6.1  -I./missing -g -O2 -c ./tcpdump.c
[OUTPUT TRUNCATED]

That's it! Thar she blows:

root@debian $ file tcpdump
tcpdump: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, BuildID[sha1]=5a7f6e82ddc0c7530856dd8f5684ccea0dbe9d12, not stripped

Finally, let's decrease the file size by more than 40% by stripping the symbols:

root@debian $ ls -lh tcpdump
-rwx------ 1 root root 2.8M Aug 18 20:49 tcpdump

root@debian $ arm-linux-gnueabi-strip tcpdump

root@debian $ ls -lh tcpdump
-rwx------ 1 root root 1.5M Aug 18 20:50 tcpdump

Phew! That was intense, but it was worth it as we successfully cross compiled LIBPCAP and TCPDUMP for ARM processors! In our next installment we'll install and run TCPDUMP on our CyanogenMod Mobile Device.
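The steps above are typed one at a time, which is fine for a first build but easy to get wrong on the second one (the comment thread below shows what happens when "CFLAGS" is exported after "configure" has already run). Here is the whole procedure collected into one POSIX shell script, as an added example that is not part of the original post or of the LIBPCAP/TCPDUMP projects. It assumes the same emdebian toolchain (arm-linux-gnueabi-gcc, arm-linux-gnueabi-strip), that the libpcap-1.6.1 and tcpdump-4.6.1 tarballs sit in the current directory, and that file(1) is installed. It derives the kernel major number from "uname -r" (the release string, whose first field is the version number) rather than from "uname -v" as the post does, fails before the long "make" if the Makefile did not pick up "-static", and wraps the "grep ^CFLAGS Makefile" check from the author's comment reply and the final file(1) verification into functions so the build cannot silently produce a dynamically linked binary:

```shell
#!/bin/sh
# cross_build.sh: the LIBPCAP/TCPDUMP cross-compile procedure as one script.
# Added example; assumes arm-linux-gnueabi-gcc, arm-linux-gnueabi-strip and
# file(1) are installed and that libpcap-1.6.1.tar.gz and tcpdump-4.6.1.tar.gz
# are in the current directory. Run with:  sh cross_build.sh build

# Print the major number of a kernel release string, e.g. "3.14.15-2-amd64" -> "3".
# This is what the post's "export ac_cv_linux_vers=3" step encodes by hand.
kernel_major() {
    printf '%s\n' "${1%%.*}"
}

# Return 0 when the CFLAGS line of the given Makefile carries -static. This is the
# grep check from the author's comment reply, wrapped so the script can stop early.
makefile_is_static() {
    grep '^CFLAGS' "$1" 2>/dev/null | grep -q -- '-static'
}

# Return 0 when a file(1) description names a statically linked ARM ELF executable.
# Takes the description text so it can be checked without a real binary.
describes_static_arm() {
    case "$1" in
        *ELF*ARM*"statically linked"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run file(1) on a built binary and check the description with describes_static_arm.
verify_binary() {
    describes_static_arm "$(file -b "$1")"
}

# The complete procedure from the post: configure and build LIBPCAP, then build
# TCPDUMP statically linked against it, strip the result and verify it.
cross_build() {
    set -e
    export CC=arm-linux-gnueabi-gcc
    # uname -r (release) is used here because its first field is the version number.
    export ac_cv_linux_vers="$(kernel_major "$(uname -r)")"

    tar zxf libpcap-1.6.1.tar.gz
    (cd libpcap-1.6.1 && ./configure --host=arm-linux --with-pcap=linux && make)

    tar zxf tcpdump-4.6.1.tar.gz
    cd tcpdump-4.6.1
    # All three are exported, as in the post; CFLAGS is the one configure needs,
    # and it must be set BEFORE ./configure runs.
    export CFLAGS=-static CPPFLAGS=-static LDFLAGS=-static
    ./configure --host=arm-linux --disable-ipv6
    makefile_is_static Makefile || {
        echo "CFLAGS = -static is missing from Makefile; export CFLAGS before configure" >&2
        exit 1
    }
    make
    arm-linux-gnueabi-strip tcpdump
    verify_binary tcpdump || {
        echo "tcpdump is not a statically linked ARM executable" >&2
        exit 1
    }
    ls -lh tcpdump
}

# Only build when explicitly asked, so the helper functions can be sourced and
# used on their own (for instance to re-check an already built binary).
case "${1:-}" in
    build) cross_build ;;
esac
```

The "verify_binary" step is the one worth keeping even if you build by hand: a TCPDUMP that file(1) reports as "dynamically linked" will not start on the device, and checking the description on the build host is cheaper than discovering that after copying it over.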


Comments (3)

paidcritic wrote:

Nice blog. I have gotten to the end of this but get a dynamically linked version of tcpdump (4.6.2, libpcap 1.6.2) - errors are "in statically linked applications requires at runtime the shared libraries from glibc version used for linking". Seems I am missing something from the emdebian toolchain?

I have Debian Jessie in a VirtualBox VM that I built for this project. printenv shows all the correct environment variables.

I will try again with tcpdump-4.6.1/libpcap-1.6.1 but am not too hopeful as this seems to be more of a setup problem.

Any suggestions would be appreciated.

Vince Kornacki wrote:

Make sure that you set the "CFLAGS" environment variable before you run the "configure" script. This will configure the C compiler "-static" flag within your Makefile:

  root@debian $ grep ^CFLAGS Makefile
  CFLAGS = -static

After running "make" you should see a statically linked version of tcpdump for the ARM processor. Let me know if you still have any problems.

Cheers!

-Vince

paidcritic wrote:

Thanks, Vince. That did the trick. I still get warnings (see below) but this executable does work on my Nexus 5 (KitKat 4.4.4) without the "arptype 530 not supported" error.

tcpdump.o: In function `droproot':
/home/timb/tcpdump/tcpdump-4.6.2/./tcpdump.c:740: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/home/timb/tcpdump/tcpdump-4.6.2/./tcpdump.c:715: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
../libpcap-1.6.2/libpcap.a(nametoaddr.o): In function `pcap_nametoaddrinfo':
/home/timb/tcpdump/libpcap-1.6.2/./nametoaddr.c:128: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
addrtoname.o: In function `getname':
/home/timb/tcpdump/tcpdump-4.6.2/./addrtoname.c:246: warning: Using 'gethostbyaddr' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
../libpcap-1.6.2/libpcap.a(nametoaddr.o): In function `pcap_nametoaddr':
/home/timb/tcpdump/libpcap-1.6.2/./nametoaddr.c:102: warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
../libpcap-1.6.2/libpcap.a(nametoaddr.o): In function `pcap_nametonetaddr':
/home/timb/tcpdump/libpcap-1.6.2/./nametoaddr.c:146: warning: Using 'getnetbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
print-cnfp.o: In function `cnfp_print':
/home/timb/tcpdump/tcpdump-4.6.2/./print-cnfp.c:152: warning: Using 'getprotobynumber' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
../libpcap-1.6.2/libpcap.a(nametoaddr.o): In function `pcap_nametoproto':
/home/timb/tcpdump/libpcap-1.6.2/./nametoaddr.c:263: warning: Using 'getprotobyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
../libpcap-1.6.2/libpcap.a(nametoaddr.o): In function `pcap_nametoport':
/home/timb/tcpdump/libpcap-1.6.2/./nametoaddr.c:176: warning: Using 'getservbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
addrtoname.o: In function `init_servarray':
/home/timb/tcpdump/tcpdump-4.6.2/./addrtoname.c:734: warning: Using 'getservent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/home/timb/tcpdump/tcpdump-4.6.2/./addrtoname.c:754: warning: Using 'endservent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
print-sunrpc.o: In function `progstr':
/home/timb/tcpdump/tcpdump-4.6.2/./print-sunrpc.c:246: warning: Using 'getrpcbynumber' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

root@debian-toolshed:/home/timb/tcpdump/tcpdump-4.6.2# file tcpdump
tcpdump: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, BuildID[sha1]=97c4100d0372aa188306871c6e7c9cb207a35a67, not stripped

root@debian-toolshed:/home/timb/tcpdump/tcpdump-4.6.2# ls -lh tcpdump
-rwxr-xr-x 1 root root 2.8M Sep  7 20:04 tcpdump

root@debian-toolshed:/home/timb/tcpdump/tcpdump-4.6.2# ls -lh tcpdump
-rwxr-xr-x 1 root root 1.5M Sep  7 20:13 tcpdump

root@debian-toolshed:/home/timb/tcpdump/tcpdump-4.6.2# file tcpdump
tcpdump: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, BuildID[sha1]=97c4100d0372aa188306871c6e7c9cb207a35a67, stripped
