Sunday 31 March 2013

Capturing packets from an Android device and analyzing them on pc in real time

Capturing network packets on Android and analysing them in real time is not a trivial task. Various off the shelf apps exist for capturing packets however none of them comes close to tools available for pc such as Wireshark. Most of them just dump the packets to a file and aren't of much use.

This post explores one of the ways to analyse packets from an android device on a pc. This article on mobile.tutsplus.com is the place from where much of the work has been drawn from. The reason for making a separate post is because i couldn't get the capture to work by exactly following the directions given on the aforementioned website and i had to make a few changes of my own.

The following are the steps by which packets are captured from an android device and then sent to a pc for analysis.


  1. capture packets using tcpdump
  2. pipe the packets to a netcat server (which basically means that we are sending the packets to a netcat server from where they can be fetched by a client connecting to the server).
  3. using adb forward command forward the remote port (the port on which netcat server is listening) of the android device  to a local port of the PC (wiz making a port on the droid available as a port on pc) .
    the syntax of adb forward command is:
    adb forward <local_port (on PC) > <remote_port (on droid) >
  4. connecting a netcat client to the forwarded port on PC and getting the packets.
  5. piping / routing the packets from netcat to wireshark.
before getting started arm images of tcpdump and netcat must be present on the droid. (did i mention that the droid must be rooted?)

to check if you have correct images file command can be used (on Linux, windows users might use web services such as virus total as they also give the description of the file along with virus scan report).

For getting help with installing these tools on droid the mobile.tutsplus.com article can be referenced.

Once we are ready with all the tools the following steps haave to be followed:
  1. obtain a shell on device (adb shell) and switch to root user (su).
  2. execute the following command
    /data/local/tcpdump -n -s 0 -w - | /data/local/nc -l -p 12345 (on my droid tcpdump and netcat executables were present in /data/local)
  3. forward the port 12345 (port on which netcat is listening) of the droid to port number 54321 on the PC. The command for doing this is:
      adb forward tcp:54321 tcp:12345
  4. connect the netcat client on pc to local port 54321 using the following command and redirect its output to /dev/null (i am on a linux machine).
     nc 127.0.0.1 54321 > /dev/null
  5. open wireshark and start capturing packets on the local loopback interface (not awailable on windows).
  6. Apply the following filter in wireshark to limit displaying of packets from port 54321 only
    tcp.port eq 54321
  7. voila! the packets can now be seen in wireshark.
My system configuration:
OS: ubuntu 12.04
android device: micromax canvas 2 (a110) running android 4.0.4 on a dual core processor ;)

Some of the problems i faced and their solutions:

when using a named pipe by creating one with mkfifo command , piping netcat's output to this pipe and then reading from this pipe in wire shark (using -i switch) the packets were not seen by wireshark as TCP packets however when i tried the above mentioned method , it worked correctly.

Next challenge :
When using facebook chat or whatsapp the packets weren't shown in wireshark, maybe tcpdump is at fault. so the next challenge would be to somehow analyse packets from these two apps.
Also since all the output is obtained from one single port, wireshark sees the all the packets as a part of one giant TCP connection.