
Monitoring Android Network Traffic Part III: Installing & Executing TCPDUMP

Created: 10 Feb 2014 • Updated: 10 Feb 2014 • 8 comments

In previous installments we installed our mobile development toolchain and cross compiled LIBPCAP and TCPDUMP. Now it's finally time to install and execute TCPDUMP! CyanogenMod includes a terminal emulator; however, in my humble opinion it's much easier to type commands on a regular workstation keyboard. We can use the Android Debug Bridge (ADB) to connect to our CyanogenMod Mobile Device from our Debian Workstation. First we'll need to install the ADB package onto our Debian Workstation:

root@debian $ apt-get install android-tools-adb
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
android-tools-adb
[OUTPUT TRUNCATED]

Next we'll need to enable USB debugging on our CyanogenMod Mobile Device. Open the CyanogenMod "Settings" application and notice that there's currently no "Developer Options" menu under "SYSTEM":

      1.png

Time for another magic trick! Select "About tablet" and you'll see the CyanogenMod "Build number":

      2.png

Tap "Build number" seven times and CyanogenMod will magically enable the "Developer Options" menu. Tap the "Back" button to return to the main "Settings" menu and you'll now see the "Developer Options" menu under "SYSTEM":

      3.png

Now select the "Developer Options" menu and enable the "Android debugging" option:

      4.png

Note that in previous versions of CyanogenMod this option was called "USB debugging". You'll be prompted to confirm Android debugging. Go ahead and live dangerously. Note that if "USB debugging notify" is enabled (the default) you'll see the CyanogenMod logo within the notification area (the upper left corner of the screen) whenever your CyanogenMod Mobile Device is connected to your Debian Workstation. Finally we'll need to enable ADB root access by setting the "Root access" option to "Apps and ADB". Keep in mind what this setting means: while it is on, any workstation plugged into the USB port can obtain a root shell on the device, and with "Apps and ADB" any app that you approve at the superuser prompt gets root as well. This procedure only needs ADB root (if your build offers an "ADB only" choice, that is sufficient), so do this on a dedicated test device and set "Root access" back to "Disabled" when you're finished:

      5.png

Next let's connect our CyanogenMod Mobile Device to our Debian Workstation with a USB cable and confirm connectivity:

root@debian $ adb devices
List of devices attached
015d3fb62b30100b device

Now we'll need to restart the ADB daemon (adbd) on the device with root privileges, remount the /system partition read/write, and finally confirm root access with the following command sequence (the "adb root" step drops the USB connection for a moment, so if "adb remount" reports that the device was not found, simply wait a second and run it again):

root@debian $ adb root
restarting adb as root

root@debian $ adb remount
remount succeeded

root@debian $ adb shell id
uid=0(root) gid=0(root) context=u:r:shell:s0

As you can see we now have a root shell on our CyanogenMod Mobile Device! Zesty! Next let's copy the cross compiled TCPDUMP executable onto our CyanogenMod Mobile Device. Before pushing it, run "file tcpdump" on the Debian Workstation and confirm that it reports a 32-bit ARM ELF that is "statically linked": Android has no glibc and no ld-linux loader, so the kernel refuses to execute a dynamically linked build and the shell reports a misleading "No such file or directory" even though the file is plainly visible in /system/xbin. If the build came out dynamically linked, rebuild with LDFLAGS set to -static.

root@debian $ cd tcpdump-4.5.1

root@debian $ adb push tcpdump /system/xbin/
1050 KB/s (1439792 bytes in 1.338s)

And now we can finally execute TCPDUMP on our CyanogenMod Mobile Device. The /system/xbin directory is already on the device's PATH, so no symbolic link or reboot is required; if the shell reports "permission denied", the execute bit was lost during the push, so set mode 755 on /system/xbin/tcpdump from the adb shell and try again:

root@debian $ adb shell tcpdump -h
tcpdump version 4.5.1
libpcap version 1.5.3
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ]
[ -P in|out|inout ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -V file ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -z command ]
[ -Z user ] [ expression ]

For example, the following TCPDUMP command captures every packet to or from port 80 on the wireless network interface, that is, cleartext HTTP on the standard port (HTTPS on port 443 and HTTP on non-standard ports are not matched by this filter). The "-s 1514" option captures a full Ethernet-sized frame rather than a truncated header, "-n" disables name resolution so the capture does not generate its own DNS traffic, "-S" prints absolute TCP sequence numbers, "-v" adds verbose decoding, and "-X" prints each packet in hex and ASCII. Add "-w" with a file name to save the capture in libpcap format for later analysis in Wireshark instead of printing it to the terminal:

root@debian $ adb shell tcpdump -i wlan0 -s 1514 -nSvX port 80

TCPDUMP in the houuuuuuuuuuuuse! Refer to the TCPDUMP man page for a detailed explanation of all command line options. In our next and final installment we'll put on our fancy pants and forward packets captured by TCPDUMP on our CyanogenMod Mobile Device to Wireshark on our Debian Workstation in order to conduct real-time mobile device network traffic monitoring within a slick GUI interface. And the hits keep on rollin'!
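The whole push-verify-capture sequence above, collected into one POSIX shell script. This is an added example and not a script from the original post: it refuses to push a binary that "file" does not describe as a statically linked ARM ELF (the failure discussed in the comments below, where a dynamically linked build produced "No such file or directory" on the device), pushes it, sets the execute bit, checks that the size on the device matches the workstation copy, and then writes the capture to a pcap file on the device rather than to the terminal. The function names, the ADB variable, the "adb wait-for-device" pause after "adb root", the default interface, port and output path (/sdcard/http.pcap), and the assumption of a single attached device are all mine and are not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: push a cross-compiled tcpdump to
# a CyanogenMod device over ADB and capture port-80 traffic into a pcap file.
# Assumptions (not stated in the post): `file` and `adb` are on the workstation
# PATH, exactly one device is attached, and /sdcard is writable by root.

ADB="${ADB:-adb}"

# Decide from a `file -b` description whether this binary can run on the
# device: it must be a 32-bit ARM ELF and statically linked.  A dynamically
# linked build fails on Android with a misleading "No such file or directory"
# because the ELF interpreter it names (ld-linux) does not exist there.
# Takes the description string so the check runs without a real binary.
is_static_arm_elf() {
    case "$1" in
        *"ELF 32-bit LSB"*"ARM"*"statically linked"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the size field out of a toolbox `ls -l` line such as
# "-rwxr-xr-x root     shell      783200 2014-04-03 04:52 tcpdump"
# (fields: mode owner group size date time name).
ls_size() {
    set -- $1
    echo "$4"
}

# Build the device-side capture command.  -s 0 captures whole packets, -n
# skips name resolution so the capture makes no DNS noise of its own, -U
# flushes every packet to the file so an interrupted capture stays readable,
# and -w writes libpcap format that Wireshark opens directly.
capture_cmd() {
    iface="$1"; port="$2"; out="$3"
    printf 'tcpdump -i %s -s 0 -n -U -w %s port %s' "$iface" "$out" "$port"
}

# Push, verify and run.  Older adb builds do not relay the exit status of
# `adb shell`, so device-side steps are verified by reading their output.
deploy_and_capture() {
    bin="$1"; iface="${2:-wlan0}"; port="${3:-80}"; out="${4:-/sdcard/http.pcap}"

    desc=$(file -b "$bin") || return 1
    if ! is_static_arm_elf "$desc"; then
        echo "refusing to push $bin: $desc" >&2
        return 1
    fi

    "$ADB" root || return 1
    "$ADB" wait-for-device          # adb root drops the link for a moment
    "$ADB" remount || return 1
    "$ADB" push "$bin" /system/xbin/tcpdump || return 1
    "$ADB" shell chmod 755 /system/xbin/tcpdump

    # The device must hold the same number of bytes we built; a short file
    # means a failed or interrupted push.
    local_size=$(wc -c < "$bin" | tr -d ' ')
    remote_size=$(ls_size "$("$ADB" shell ls -l /system/xbin/tcpdump | tr -d '\r')")
    if [ "$local_size" != "$remote_size" ]; then
        echo "size mismatch: workstation $local_size bytes, device $remote_size bytes" >&2
        return 1
    fi

    # Runs in the foreground; Ctrl-C ends the capture, then the pcap is pulled
    # back next to the script for Wireshark.
    "$ADB" shell "$(capture_cmd "$iface" "$port" "$out")"
    "$ADB" pull "$out" "./$(basename "$out")"
}

# Usage: sh deploy_tcpdump.sh tcpdump-4.5.1/tcpdump [iface] [port] [device pcap path]
if [ $# -gt 0 ]; then
    deploy_and_capture "$@"
fi
```

Run it from the directory holding the cross-compiled binary, for example "sh deploy_tcpdump.sh tcpdump-4.5.1/tcpdump wlan0 80". The static-link check is deliberately done on the workstation before anything touches the device: the device-side symptom is the confusing "No such file or directory", whereas "file" on the workstation states the real cause in plain words.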


Comments (8)

mjuni:

Thanks for such an awesome post. Can you please help me for this problem?

I have generated a **tcpdump** file. Instead of `Fedora`, I made this file on `Ubuntu 12.04` .

Everything worked smoothly and **tcpdump** file was produced correctly. I copied `tcpdump` file at `/system/bin/` on Nexus-5 and ran following commands.

    > adb shell
    # ln -s /system/bin/tcpdump /system/xbin/tcpdump
    # chmod 06755 /system/xbin/tcpdump
    # reboot

After restarting the computer, when I run `> adb shell tcpdump -h`, I get the following error:

    /system/bin/sh: tcpdump: No such file or directory

Edit1:

When I run "tcpdump -h" on my Ubuntu machine in VirtualBox, it shows me the following result:

tcpdump version 4.2.1
libpcap version 1.1.1
Usage: tcpdump [-aAbdDefhHIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
        [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
        [ -i interface ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ] [ -y datalinktype ] [ -z command ]
        [ -Z user ] [ expression ]

 

Then I copy this tcpdump file to the Windows 7 host machine and copy it to the device.

 

Thanks again,

vince_kornacki:

Thank you very much for the compliment!  The /system/xbin directory should already be in your path, so you should not need to create that symbolic link. In addition, you should not need to reboot. Just copy the cross-compiled tcpdump executable into /system/xbin (or /system/bin if you prefer) and run "tcpdump -h" from the command line. If that does not work specify the explicit path "/system/xbin/tcpdump -h". If that does not work run "ls -l /system/xbin/tcpdump" and post the output.

Cheers!

-Vince

mjuni:

 

Thanks again for your quick response.

I thought copying tcpdump from Ubuntu to Windows and then from Windows to the Nexus might have created some problems (just in case), so I accessed the Nexus 5 with gmtp on Ubuntu and copied the tcpdump file into the /sdcard directory.

With adb shell, I copied the tcpdump file to the /system/xbin/ directory, but the file was not executable then (644). So I made it executable with

# chmod 755 tcpdump

and ran the different commands as you suggested. Here is the output:

>adb root

adbd is already running as root

>adb remount
remount succeeded

>adb shell tcpdump -h
/system/bin/sh: tcpdump: No such file or directory

>adb shell /system/xbin/tcpdump -h
/system/bin/sh: /system/xbin/tcpdump: No such file or directory

>adb shell ls -l /system/xbin/tcpdump
-rwxr-xr-x root     root       783200 2014-04-03 17:45 tcpdump

 

Edit1

The command "tcpdump -h" gives the correct output as desired if run separately. So I accessed the Nexus 5 in Ubuntu and pushed it via an adb command like

$adb push tcpdump /system/xbin/

But now it shows this file as "shell"

$ adb shell ls -l /system/xbin/tcpdump 

-rwxr-xr-x root     shell      783200 2014-04-03 04:52 tcpdump

 

Even then, it does not work. I am sorry, I am not good with Linux commands. Thanks.

 

vince_kornacki:

The "shell" group is fine, but the file size looks small. Are you sure the executable is statically linked? Can you run "file tcpdump" from the directory that contains the cross-compiled tcpdump executable on your Ubuntu workstation and post the output?

Have a great weekend!

-Vince

mjuni:

Thanks again.

Everything worked fine last time. I've checked that LDFLAGS=-static was set in the export list.

Anyway, I repeated the process for both libpcap and tcpdump, but it didn't work. Please find the command output below.

$ file tcpdump

tcpdump: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.31, BuildID[sha1]=0x741489dcfea5bcec345a02ee1fa7bc4b5bf4c336, not stripped

$ ls -lh tcpdump
-rwxrwxr-x 1 user user 2.3M Apr  4 17:17 tcpdump

$ arm-linux-gnueabi-strip tcpdump

$ ls -lh tcpdump
-rwxrwxr-x 1 user user 764K Apr  4 17:20 tcpdump

$ file tcpdump
tcpdump: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.31, BuildID[sha1]=0x741489dcfea5bcec345a02ee1fa7bc4b5bf4c336, stripped

vince_kornacki:

If you inspect the output of either "file tcpdump" command above you'll see that the executable is "dynamically linked". That's a problem. Just before you "make" TCPDUMP can you run "grep LDFLAGS Makefile"? You should see the "-static" option (i.e., "LDFLAGS=-static"). If not you can edit the Makefile manually and try again.

Cheers!

-Vince

mjuni:

Hi Vince,

Thanks very much for your detailed replies. I am not sure why LDFLAGS was being set to empty in tcpdump's Makefile. Anyway, before running the "make" command, I made sure that it is set to "-static" and it worked fine.

On a side note, I was confused by the output of 'file tcpdump' because it matched the output given in Part II:

root@debian $ file tcpdump
tcpdump: ELF 32-bit LSB  executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, 

It also says dynamically linked. Anyway, now I am able to get HTTP traffic on the Ubuntu machine. I just need to figure out now how I can store all the traffic on my phone in a .cap file so that I can later analyze it with Wireshark. Hope to find new malware soon.

Thanks again for the great tutorial and your help.

 

Devo:

This is very, very helpful guidance. I mean the tutorial was brilliant and the comments are very helpful, as well as the replies. I had the same problem as "mjuni", but when I referred to the replies everything worked perfectly. Thank you both, especially you vince_kornacki.
