Cyber Readiness and Response

Monitoring Android Network Traffic Part IV: Forwarding To Wireshark

Created: 10 Feb 2014 • Updated: 10 Jul 2014 • 4 comments
vince_kornacki

In previous installments we constructed our mobile development toolchain and cross compiled, installed, and executed TCPDUMP on our CyanogenMod Mobile Device. Now it's time to complete our mission by forwarding packets captured by TCPDUMP on our CyanogenMod Mobile Device to Wireshark on our Debian Workstation in order to conduct real-time mobile device network traffic monitoring within a slick GUI interface. First we'll need to download Netcat, the network Swiss army knife. And of course we'll need to cross compile Netcat for ARM processors. I sure hope you were paying attention in the previous installments! First unpack Netcat:

root@debian $ tar zxvf netcat-0.7.1.tar.gz
[OUTPUT TRUNCATED]

Then move into the newly created Netcat directory and set the "CC" environment variable to specify the ARM C compiler and the "LDFLAGS" environment variable to specify static linking:

root@debian $ cd netcat-0.7.1

root@debian $ export CC=arm-linux-gnueabi-gcc

root@debian $ export LDFLAGS=-static

Note this environment variable syntax is specific to Bash and other Bourne shell derivatives. Now configure and make Netcat:

root@debian $ ./configure --host=arm-linux
[OUTPUT TRUNCATED]

root@debian $ make
[OUTPUT TRUNCATED]

The cross compiled binary will be located in the src/ subdirectory of the source tree, so let's move there. Survey says?

root@debian $ cd src/

root@debian $ file netcat
netcat: ELF 32-bit LSB  executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, BuildID[sha1]=7897b8bee37231a10b259e8be5832a6371d9ae47, not stripped

Winner Winner Chicken Dinner! Cross compiling was successful! Let's decrease the file size by more than 20% by stripping the symbols:

root@debian $ arm-linux-gnueabi-strip netcat
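
Before pushing the binary across, it is worth checking the properties `file` reported above programmatically, especially "statically linked": `arm-linux-gnueabi-gcc` links against glibc, which is not present on an Android device, so a dynamically linked build will not run there. The script below is an added example, not part of the original post or of the Netcat sources. It decodes the ELF32 header and program headers to recover the same facts `file` printed (32-bit, LSB, executable, ARM, EABI version) and treats the image as static when it has neither a PT_INTERP nor a PT_DYNAMIC program header. The sample images it checks are constructed inline by the hypothetical `make_elf32` helper; they are headers only, not runnable programs.

```python
import struct

# ELF constants (from the ELF and ARM EABI specifications, not from the page).
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2LSB = 1, 1
ET_EXEC = 2
EM_ARM = 0x28
MACHINE_NAMES = {0x03: "Intel 80386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
EF_ARM_EABIMASK = 0xFF000000
EHDR32_LEN, PHDR32_LEN = 52, 32


def inspect_elf32(data):
    """Decode the fields `file` prints for an ELF32 LSB image.

    Returns a dict with word size, endianness, type, machine, ARM EABI version
    and whether the image is statically linked (no PT_INTERP / PT_DYNAMIC).
    Raises ValueError for anything that is not a little-endian ELF32 image.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF32 images are decoded here")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (e_type, e_machine, _ver, _entry, e_phoff, _shoff, e_flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
    # p_type is the first word of every program header entry
    ptypes = [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)]
    return {
        "class": 32,
        "endian": "LSB",
        "type": "executable" if e_type == ET_EXEC else "other (%d)" % e_type,
        "machine": MACHINE_NAMES.get(e_machine, "unknown (%#x)" % e_machine),
        "eabi": (e_flags & EF_ARM_EABIMASK) >> 24 if e_machine == EM_ARM else None,
        "static": PT_INTERP not in ptypes and PT_DYNAMIC not in ptypes,
    }


def ready_for_device(data):
    """True if the image is what the article's toolchain should produce: a
    statically linked ARM executable that does not need the workstation's glibc."""
    try:
        info = inspect_elf32(data)
    except ValueError:
        return False
    return info["machine"] == "ARM" and info["type"] == "executable" and info["static"]


def make_elf32(machine, phdr_types, eabi=5):
    """Build a header-only ELF32 LSB image (not a runnable program).
    Hypothetical helper used only to construct sample input here."""
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack("<HHIIIIIHHHHHH", ET_EXEC, machine, 1, 0, EHDR32_LEN, 0,
                       eabi << 24, EHDR32_LEN, PHDR32_LEN, len(phdr_types), 40, 0, 0)
    phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return ident + ehdr + phdrs


# Constructed sample images (headers only).
ARM_STATIC = make_elf32(EM_ARM, [PT_LOAD, PT_LOAD])                 # what LDFLAGS=-static gives
ARM_DYNAMIC = make_elf32(EM_ARM, [PT_INTERP, PT_LOAD, PT_DYNAMIC])  # -static forgotten
X86_STATIC = make_elf32(0x03, [PT_LOAD])                            # CC not exported: host build

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        image = fh.read()
    print(inspect_elf32(image))
    print("ready for adb push:", ready_for_device(image))
```

Run it as `python3 check_elf.py src/netcat` on the workstation; `ready_for_device` is the single yes/no a build script would gate `adb push` on.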

Finally let's copy Netcat from our Debian Workstation to our CyanogenMod Mobile Device:

root@debian $ adb push netcat /system/xbin
1238 KB/s (564848 bytes in 0.445s)

Now it's time for our final trick! First we'll need a root shell on our CyanogenMod Mobile Device, so if you don't already have one let's make it happen:

root@debian $ adb root
restarting adb as root

root@debian $ adb remount
remount succeeded

Next let's configure ADB to enable port forwarding between a port on the CyanogenMod Mobile Device and a port on the Debian Workstation:

root@debian $ adb forward tcp:31337 tcp:31337

This port will be forwarded over the USB cable unless you've enabled the "ADB over network" option. You can verify port forwarding with the following command:

root@debian $ adb forward --list
015d3fb62b30100b tcp:31337 tcp:31337

You can select any port that is not being used on the CyanogenMod Mobile Device or Debian Workstation. You can even select different port numbers on the CyanogenMod Mobile Device and Debian Workstation, but that makes things a little confusing. Keep it simple, stupid. Now let's execute TCPDUMP in order to capture all HTTP packets transmitted over the wireless network interface and then utilize Netcat to transmit them to the forwarded port on the CyanogenMod Mobile Device:

root@debian $ adb shell "tcpdump -i wlan0 -s 1514 -w - -nS port 80 | netcat -l -p 31337"

Make sure you include the quotation marks so that Netcat is executed on our CyanogenMod Mobile Device, not our Debian Workstation. Finally let's execute Wireshark in order to receive packets from the forwarded port on the Debian Workstation:

root@debian $ netcat localhost 31337 | wireshark -i - -kS

Now we'll see all packets that are captured on our CyanogenMod Mobile Device displayed within Wireshark on our Debian Workstation:

[Screenshot: Wireshark displaying packets captured on the CyanogenMod Mobile Device]

#Winning! Note that the Wireshark "Stop" and "Start" buttons won't work. If you want to restart the packet capture or modify the packet capture settings you'll have to relaunch the last two commands. Well it's been a long and hopefully rewarding journey. We installed our mobile development toolchain, cross compiled LIBPCAP and TCPDUMP, installed and executed TCPDUMP on our mobile device, and finally put all the pieces together in order to forward packets captured by TCPDUMP on our CyanogenMod Mobile Device to Wireshark on our Debian Workstation in order to conduct real-time mobile device network traffic monitoring within a slick GUI interface. The Holy Grail!


Comments

Devo

I am following the tutorial from the beginning.

Now, I am trying to work through this page and so far, everything runs smoothly. In fact, everything runs so smoothly that I don't see any capturing on the Wireshark GUI!

I followed everything to the letter and what I can see on Wireshark is:

Waiting for capture input data ...

So, I tried to run a very simple tcpdump command on my CyanogenMod:

adb shell "tcpdump -i wlan0 | netcat -l -p 31337"

then, on another terminal on my Ubuntu, I ran Wireshark:

netcat localhost 31337 | wireshark -i - -kS

again, the result is:

Waiting for capture input data ...

btw, after executing the tcpdump, the following message appears on the terminal:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes

What could be the problem? Thank you.

vince_kornacki

You should include the "-s 1514" option to limit output to packet headers and the "-w -" option to write the packet headers to standard output (i.e., to Netcat) instead of printing them. So try this command instead:

root@debian $ adb shell "tcpdump -i wlan0 -s 1514 -w - | netcat -l -p 31337"

Let me know if that works. Cheers!

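What Wireshark reads on `-i -` is a pcap stream: a 24-byte global header (magic number, version, snaplen, link type) followed by packet records, which is exactly what `tcpdump -w -` writes to standard output in the article's command and in the reply above. Without `-w -`, tcpdump writes its text banner and decoded lines instead, and Wireshark keeps showing "Waiting for capture input data ...". The following Python script is an added example, not code from the original post or from tcpdump/Wireshark: it parses such a stream, reports snaplen and link type, counts records, flags packets cut by the snaplen, and distinguishes the text case from a stream that ends mid-packet (for instance when the capture is killed). The input streams are constructed inline by the hypothetical `make_pcap` helper rather than captured from a device; the text sample is built from the tcpdump banner quoted in the comment above.

```python
import struct

# pcap savefile constants (from the libpcap file format, not from the page).
# Keyed by the magic read as a little-endian uint32; the value is the struct
# byte-order prefix for the rest of the stream and the timestamp divisor.
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}
LINKTYPES = {1: "EN10MB (Ethernet)", 105: "IEEE802_11", 113: "LINUX_SLL",
             127: "IEEE802_11_RADIOTAP"}
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def looks_like_pcap(data):
    """True if the first four bytes are a known pcap magic number."""
    return len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] in PCAP_MAGICS


def parse_pcap_stream(data):
    """Parse a pcap byte stream as written by `tcpdump -w -`.

    Returns a summary dict. Raises ValueError when the stream is not pcap at
    all (e.g. tcpdump's text output), which is the symptom behind Wireshark's
    "Waiting for capture input data ..." message.
    """
    if not looks_like_pcap(data):
        head = bytes(data[:24]).decode("ascii", "replace")
        raise ValueError("not a pcap stream (starts with %r); was tcpdump run with '-w -'?" % head)
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("stream shorter than the 24-byte pcap global header")
    endian, ts_div = PCAP_MAGICS[struct.unpack_from("<I", data, 0)[0]]
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    packets = []
    truncated = False
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            truncated = True  # stream ended inside a record header
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record at offset %d: incl_len %d" % (off, incl_len))
        if off + RECORD_HEADER_LEN + incl_len > len(data):
            truncated = True  # stream ended inside packet data (capture killed)
            break
        packets.append({
            "ts": ts_sec + ts_frac / ts_div,
            "incl_len": incl_len,
            "orig_len": orig_len,
            "cut_by_snaplen": incl_len < orig_len,
        })
        off += RECORD_HEADER_LEN + incl_len
    return {
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown (%d)" % linktype),
        "packets": packets,
        "truncated_stream": truncated,
    }


def make_pcap(snaplen, linktype, frames, endian="<"):
    """Build a pcap stream from (ts_sec, ts_usec, frame_bytes) tuples, cutting
    frames at snaplen the way tcpdump does. Hypothetical helper used only to
    construct sample input here."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, frame in frames:
        incl = min(len(frame), snaplen)
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, incl, len(frame)) + frame[:incl]
    return out


# Constructed sample input: two Ethernet frames, the second larger than the
# 1514-byte snaplen the article uses, so it is cut as tcpdump would cut it.
_ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")
SAMPLE_STREAM = make_pcap(1514, 1, [
    (1392037200, 500000, _ETH_HDR + b"\x00" * 46),     # 60-byte frame
    (1392037201, 0, _ETH_HDR + b"\x00" * 1986),        # 2000-byte frame
])
# Constructed from the tcpdump banner quoted in the comments: what arrives
# when "-w -" is left out.
TEXT_STREAM = (b"tcpdump: verbose output suppressed, use -v or -vv for full protocol decode\n"
               b"listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes\n")

if __name__ == "__main__":
    info = parse_pcap_stream(SAMPLE_STREAM)
    print("snaplen %d, %s, %d packets" % (info["snaplen"], info["linktype_name"], len(info["packets"])))
    try:
        parse_pcap_stream(TEXT_STREAM)
    except ValueError as err:
        print(err)
```

To run it against a real capture, feed it the bytes that would otherwise go to Wireshark, e.g. `netcat localhost 31337 | head -c 65536 > sample.pcap` and then `parse_pcap_stream(open("sample.pcap", "rb").read())`; a `ValueError` mentioning `-w -` means the device side is sending text, not a capture.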
Devo

First of all, thank you for your quick response ...

IT WORKS NOW

Here is what I did:

  1. Re-enabled port forwarding in CyanogenMod, then ...
  2. Ran your command line on a terminal, then ...
  3. Started Wireshark from another terminal.

The result:

  • For a while, this is what Wireshark was showing: "Waiting for capture input data ...", (just the same as before.)
  • I forgot about the whole thing for a while; when I came back I noticed that my phone screen was off.
  • I opened my phone's screen lock, and VOILA, everything popped up on Wireshark.

So, I guess everything works fine now (which also means it was working before). There is no problem now, nor was there before. All that was missing was turning my phone screen on.

However, I found it much easier to just run tcpdump on the CyanogenMod and save the result using the "-w" option (to write the output to a file) and then open the binary file on any machine that has Wireshark. What do you think?

Another question: which terminal should I exit first after capturing?! i.e.: should I quit the adb shell and then close Wireshark or vice versa?!

vince_kornacki

Using the "-w filename" option to write the packet headers to a file works just as well. It is a matter of personal preference. Also, it does not matter which terminal you close first. Cheers!
