Capturing mobile phone traffic on Wireshark - android

How can I capture mobile phone traffic on Wireshark?

Here are some suggestions:
For Android phones, any network: Root your phone, then install tcpdump on it. This app is a tcpdump wrapper that will install tcpdump and enable you to start captures using a GUI. Tip: you will need to make sure you supply the right interface name for the capture, and this varies from one device to another, e.g. -i eth0 or -i tiwlan0, or use -i any to log all interfaces.
For Android 4.0+ phones: Android PCAP from Kismet uses the USB OTG interface to support packet capture without requiring root. I haven't tried this app, and there are some restrictions on the type of devices supported (see their page)
For Android phones: tPacketCapture uses the Android VPN service to intercept packets and capture them. I have used this app successfully, but it also seems to affect the performance with large traffic volumes (e.g. video streaming).
For iOS 5+ devices, any network: iOS 5 added a remote virtual interface (RVI) facility that lets you use Mac OS X packet trace programs to capture traces from an iOS device. See here for more details.
For all phones, wi-fi only: Set up your Mac or PC as a wireless access point, then run wireshark on the computer.
For all phones, wi-fi only: Get a capture device that can sniff wi-fi. This has the advantage of giving you 802.11x headers as well, but you may miss some of the packets
Capture using a VPN server: It's fairly easy to set up your own VPN server using OpenVPN. You can then route your traffic through your server by setting up the mobile device as a VPN client and capture the traffic on the server end.

In addition to rupello's excellent answer, a "dirty" but very effective trick:
For all phones, any (local) network: Set up your PC to Man-In-The-Middle your mobile device.
Use Ettercap to do ARP spoofing between your mobile device and your router, and all your mobile's traffic will appear in Wireshark. See this tutorial for set-up details

Another option which has not been suggested here is to run the app you want to monitor in the Android emulator from the Android SDK. You can then easily capture the traffic with wireshark on the same machine.
This was the easiest option for me.

Wireshark + OSX + iOS:
Great overview so far, but if you want specifics for Wireshark + OSX + iOS:
install Wireshark on your computer
connect iOS device to computer via USB cable
connect iOS device and computer to the same WiFi network
run this command in an OSX terminal window: rvictl -s x where x is the UDID of your iOS device. You can find the UDID of your iOS device via iTunes (make sure you are using the UDID and not the serial number).
go to Wireshark Capture->Options; a dialog box appears. Click on the line rvi0, then press the Start button.
Now you will see all network traffic on the iOS device. It can be pretty overwhelming. A couple of pointers:
don't use iOS with a VPN; you won't be able to make sense of the encrypted traffic
use simple filters to focus on interesting traffic
ip.addr==204.144.14.134 views traffic with a source or destination address of 204.144.14.134
http views only http traffic
Here's a sample window depicting TCP traffic for a pdf download from 204.144.14.134:

For Android phone I used tPacketCapture:
https://play.google.com/store/apps/details?id=jp.co.taosoftware.android.packetcapture&hl=en
This app was a lifesaver. I was debugging a problem with failure of the SSL/TLS handshake on my Android app. Tried to set up ad hoc networking so I could use Wireshark on my laptop. It did not work for me. This app quickly allowed me to capture network traffic and share it on my Google Drive so I could download it on my laptop, where I could examine it with Wireshark! Awesome, and no root required!

Packet Capture Android app implements a VPN that logs all network traffic on the Android device. You don't need to set up any VPN/proxy server on your PC. Does not need root. Supports SSL decryption, which tPacketCapture does not. It also includes a good log viewer.

Preconditions: adb and Wireshark are installed on your computer and you have a rooted Android device.
Download tcpdump to ~/Downloads
adb push ~/Downloads/tcpdump /sdcard/
adb shell
su root
mv /sdcard/tcpdump /data/local/
cd /data/local/
chmod +x tcpdump
./tcpdump -vv -i any -s 0 -w /sdcard/dump.pcap
CTRL+C after you've captured enough packets.
exit
exit
adb pull /sdcard/dump.pcap ~/Downloads/
Now you can open the pcap file using Wireshark.
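An added example, not code from any answer on this page: a small Python checker for the dump.pcap pulled by the procedure above. It confirms the file is a classic pcap as written by tcpdump -w, reports whether stopping with CTRL+C left a truncated final record (so you know before opening it in Wireshark), and, since an earlier answer describes ARP spoofing as a way to pull a phone's traffic through a PC, lists any IP address that was claimed by more than one MAC in ARP replies, which is the trace that trick leaves in a capture. It handles both the Ethernet link type and the Linux "cooked" link type (SLL, value 113) that tcpdump -i any produces, which Ethernet-only parsers reject. The sample capture from build_sample_pcap() and all addresses in it are constructed for the demonstration.

```python
"""Check a pcap pulled from the phone and flag ARP address conflicts.

Added example, not code from any answer on this page. Assumes a classic
pcap file (not pcapng) as written by `tcpdump -w`, with either the Ethernet
link type or the Linux "cooked" link type that `tcpdump -i any` produces.
"""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113         # what `tcpdump -i any` writes on Linux/Android
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def read_pcap(data):
    """Parse a pcap blob into (linktype, [(ts_sec, packet_bytes), ...], truncated).

    `truncated` is True when the file ends inside a record, which is what a
    capture interrupted with CTRL+C mid-write looks like.
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype not in (LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL):
        raise ValueError("unsupported link type %d" % linktype)
    records, off, truncated = [], 24, False
    while off < len(data):
        if off + 16 > len(data):
            truncated = True                      # partial record header
            break
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            truncated = True                      # record body cut short
            break
        records.append((ts_sec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records, truncated


def arp_replies(linktype, records):
    """Yield (sender_ip, sender_mac) for every IPv4-over-Ethernet ARP reply."""
    # Ethernet: ethertype at 12, payload at 14. SLL: protocol at 14, payload at 16.
    etype_off, hdr_len = (12, 14) if linktype == LINKTYPE_ETHERNET else (14, 16)
    for _ts, pkt in records:
        if len(pkt) < hdr_len + 28:
            continue
        if struct.unpack("!H", pkt[etype_off:etype_off + 2])[0] != ETHERTYPE_ARP:
            continue
        fields = struct.unpack("!HHBBH", pkt[hdr_len:hdr_len + 8])   # htype ptype hlen plen oper
        if fields != (1, 0x0800, 6, 4, ARP_REPLY):
            continue
        sha = pkt[hdr_len + 8:hdr_len + 14]
        spa = pkt[hdr_len + 14:hdr_len + 18]
        yield ".".join(str(b) for b in spa), sha.hex(":")


def arp_conflicts(replies):
    """Return {ip: {mac, ...}} for IPs claimed by more than one MAC."""
    claims = {}
    for ip, mac in replies:
        claims.setdefault(ip, set()).add(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def check_capture(data):
    """Summarise a capture: link type, packet count, truncation flag, ARP conflicts."""
    linktype, records, truncated = read_pcap(data)
    return {"linktype": linktype, "packets": len(records), "truncated": truncated,
            "arp_conflicts": arp_conflicts(arp_replies(linktype, records))}


def _arp_reply_frame(sender_ip, sender_mac, target_ip, target_mac):
    """Constructed Ethernet frame carrying an ARP reply (sample data only)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def build_sample_pcap():
    """Constructed capture: a genuine gateway reply, a forged one, then a cut-off record."""
    gw_ip, phone_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])
    gw_mac = bytes.fromhex("aabbccddee01")
    rogue_mac = bytes.fromhex("0011223344ff")      # second host claiming the gateway IP
    phone_mac = bytes.fromhex("aabbccddee20")
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate([_arp_reply_frame(gw_ip, gw_mac, phone_ip, phone_mac),
                               _arp_reply_frame(gw_ip, rogue_mac, phone_ip, phone_mac)]):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    # A record header promising 60 bytes followed by only 10: the CTRL+C case.
    out += struct.pack("<IIII", 1700000002, 0, 60, 60) + b"\x00" * 10
    return out


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(check_capture(blob))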

Install Fiddler on your PC and use it as a proxy on your Android device.
Source: http://www.cantoni.org/2013/11/06/capture-android-web-traffic-fiddler

Similarly to making your PC a wireless access point, but can be much easier, is using reverse tethering. If you happen to have an HTC phone they have a nice reverse-tethering option called "Internet pass-through", under the network/mobile network sharing settings. It routes all your traffic through your PC and you can just run Wireshark there.

Make your laptop a wifi hotspot for your phone (any) and connect it to internet. Sniff Traffic on your wifi interface using wireshark.
you will get to know a lot of anti privacy stuff!

As a Wireshark alternative/companion for Android, you can try my open source app PCAPdroid. On non-rooted devices, it uses the VPNService to capture the traffic with some limitations. On rooted devices, it works like a user-friendly tcpdump.
You can analyze connections and packets payload directly into the app, or export the traffic in PCAP format to analyze it on a PC with Wireshark. It has many other cool features, give it a try!

For Android, I previously used tPacketCapture but it didn't work well for an app streaming some video. I'm now using Shark. You need to be root to use it though.
It uses TCPDump (check the arguments you can pass) and creates a pcap file that can be read by Wireshark. The default arguments are usually good enough for me.

I had a similar problem that inspired me to develop an app that could help to capture traffic from an Android device. The app features SSH server that allows you to have traffic in Wireshark on the fly (sshdump wireshark component). As the app uses an OS feature called VPNService to capture traffic, it does not require the root access.
The app is in early Beta. If you have any issues/suggestions, do not hesitate to let me know.
Download From Play
Tutorial in which you could read additional details

For iOS Devices:
⦿ Open Terminal and simply write:
rvictl -s udid
it'll open an interface on Wireshark with a name, In my case its rvi0.
udid is iPhone's unique device id.
(How to find my iOS Device UDID)

Related

What's the best way to capture packets sent and received by my own android app?

I'm a developer of a VOIP calling app who's trying to troubleshoot connectivity issues.
I'd like to ship something in production that uploads pcap traces of it's own calls - particularly ones that drop, have high amounts of noise, or other nastiness.
There seem to be external apps (some of which require root) for capturing the network traffic of all apps - but no library that I can embed in my app and ship to help me debug.
Is there an easy to use solution for this?
I reccomend you to use Charles (especially when you use https): https://jaanus.com/debugging-http-on-an-android-phone-or-tablet-with-charles-proxy-for-fun-and-profit/
1. Wireshark
Run Wireshark on your laptop and setup your laptop as a hotspot. Connect your device to your laptop's hotspot, then run. Wireshark will capture all packets.
2. ADB
adb root > remount > shell
$su > tcpdump -w /sdcard/tcp > [CTRL-C] to stop > exit
adb pull /sdcard/tcp

How to capture app traffic on Android

I'm trying to capture traffic from an app on an Android phone and although I've set the proxy on the phone and can capture all other internet traffic coming from the phone (using Charles Proxy), I can't see any traffic for this one app.
How is this done, and how can I capture the traffic?
UPDATE:
If you need help setting up a wifi hotspot from your computer, so you
can connect your phone to it and Wireshark the traffic, just look at
the following link for directions:
http://www.wi-fiplanet.com/tutorials/article.php/3849841/How-to-Create-Wireless-Hosted-Networks-in-Windows-7.htm
If you want help decompiling an IOS app to assembly, look at this
link: http://www.infointox.net/?tag=arm
If you want a better Dex to Java decompiler than dex2jar, check this
out: https://github.com/skylot/jadx
There're several ways:
Connect your phone to your internal wifi access point (before connecting check advanced options and set a manual proxy).. Note: this method do not work for all network data.. some connections ignore this setting.
(works on rooted phones only) Install 'Shark for Root' application on your device... it will capture ALL traffic.. it will generated dump files that can be analized on your PC using Wireshark software
The best way: Setup your PC as a wifi access point and make your android device to use this wifi connection, then sniff the traffic using the same Wireshark application.
I strongly recommend you use something like "CharlesProxy" (or similar). Be aware of 2 things when u setup the proxy (I hope it is an application you are developing, otherwise be sure of what you do cause it can be ILEGAL):
1 - If you want to attack from your Android/iOS phone to the proxy installed in your local computer, you need the proxy to be configured to use the local IP:PORT (which means CharlesProxy needs to be configured as an address as 192.168.x.x if using a normal wifi network). Then, the Android/iOS phone needs to be setting the proxy to the same IP:PORT
2 - If the app uses https, there are several ways to manage HTTPS connections:
a) If your application accepts ALL Certificates, then it is not a problem for whatever proxy to capture and decrypt the information.
b) If your application accepts only system (and trusted) certificates, you have to export the charlesproxy certificate to your Android phone and to add it into the list of user's trusted certificates.
c) If your application is correctly doing "Certificate pinning", you won't be able to capture the traffic, unless you have the private certificate of your server and you add it in both (your phone) and the proxy configuration.
Hope it helps!

Using Wireshark in ubuntu for analyzing android requests?

I am using ubuntu 10.04 LTS and have a android ICS device.
I created a wifi-hotspot in my android device. I am connecting the my ubuntu via the wifi-hotspot created above. I stared capturing the packets from wireshark in my pc.
I am unable to see the traffic generated from the device, rather I can see only the traffic from the pc.
Am I missing something or wrong?
You aren't seeing the traffic from the phone because your computer is only receiving and sending packets intended for the computer.
Maybe this will help? http://www.wireshark.org/faq.html#promiscsniff
It is possible that your wireless interface device either isn't in promiscuous mode or doesn't support it.
If i were you, i would scan for all hosts alive in the subnet.Sure android device acts as a hotspot using NAT or something, i'm sure.But the catch is it's moreover a server to which only your pc or whatever might be connected, i guess it would be your lapton. But android itself uses the external ip like service bsnl or something. So it's not at all a client connected to a router or something.
Still if you run an nmap scan you would surely see the default gateway ip, which is of the hotspot.
So, it's enough said right.

Android USB reverse tethering: How to fool the apps

USB reverse tethering = Cellphone gets network connection from PC via USB.
I know how to do USB reverse tethering except for one problem: Many Android apps will check network connection using the code below before doing any useful work:
ConnectivityManager connectivityManager = (ConnectivityManager)context.getSystemService(Context.CONNECTIVITY_SERVICE);
NetworkInfo info = connectivityManager.getActiveNetworkInfo();
The problem is that, when using USB reverse tethering, the above code will report no network connection. However, there IS a network connection (which is the USB reverse tethering itself), and ping, wget and all programs not doing this stupid check work well.
So the question is: How can I hack the system to let this network connection check return success (so that I can fool these apps)?
BTW. I use Cyanogenmod 7. And any solution specific to this MOD is also welcome.
If you are doing this much hacking I am assuming that you will probably have your device rooted. If so program a shell interface to send commands to the device shell with JNI and receive STDOUT. Use this interface to run a netcfg command that can be parsed into an array - this will give you all the details the API hides. It also allows you to override Androids device settings using the ipconfig command.
As far as using this to send and receive from your device - in my experience - you will have to probably compile a device specif module that can be loaded into the kernel at run time. Or just download the kernel from the manufacturer and compile the module into the kernel and then flash the phone with the new custom kernel.
Hope this helps.
To do this , you have to download ReverseTethering_3.19.zip file (Google it to find the link.)
Extract to your desired location.
Prerequisite: -
only rooted phones work.
USB debugging should be enabled.
Now connect your rooted android mobile to PC through USB cable.Wait for PC to recognize your mobile. Now open the extracted zip file and open AndroidTool.exe with admin rights.
Now click connect in the android tool.
Now it tries to connect and installs USB tunneling apk on your device.It also asks for super user rights . Grant it.
Finally after successfully establishing the connection, you will see.
https://drive.google.com/file/d/0B11p07T8VxhNNUdIM3gtTFR4N3M/view?usp=sharing
(Sorry, I cant upload image.)
Now you get the internet on your mobile and usb tunneling app is installed.But you can access only HTTP connections(i.e;) works only in chrome. Play store apps may not work.
So you have to fool apps and make it believe that either is mobile is connected to WiFi or mobile data . Only then apps work.
So you have to go to Tools menu in Android tool.
https://drive.google.com/file/d/0B11p07T8VxhNRXR3aTVUZUl1dVk/view?usp=sharing
Now install hack(optional).It installs Xposed framework and installs hack connectivity apk. Just follow the instructions , it is easy.
Hack connectivity makes the apps believe that mobile is connected to WiFi or mobile data depending on which type of hack u did after installing Hack connectivity. Finally after hacking ,it asks for reboot. After reboot , you can enjoy internet using USB reverse tethering on all apps.

Sending commands from a PC to an Android phone - via physical connection (USB, Serial, etc)

I'm working on a project to automate some tasks (such as play a song, play a video, receive bluetooth data, etc) on an Android phone from a PC.
Basically the PC will send a notifier to the phone and an app or something on the phone would then process the notifier and do 'something'. The opposite of this really:
http://code.google.com/p/android-notifier/
I've seen some examples showing how to send commands to an Android listener app or service via a network connection, but in this case, I would much rather the transmission be over a physical connection.
USB
Ideally, I'd like the connection to be via the USB port. But I've seen some posts online that suggest that the SDK does not natively support this. (Android apps, communicating with a device plugged in the USB port).
Is there some other SDK/API out there that makes this easier?
I've seen some posts on the ADB, but don't really get it... Would that work?
(http://developer.android.com/guide/developing/tools/adb.html)
Serial over USB
I've also seen some sites that show how to use a breakoutbox to perform bi-directional serial communication, but only with the G1. Is this possible with newer phones?
The Phone
I'm open to really any newish phone. I'm currently looking at the Galaxy S, because it has the video out through the headphone jack. I'm open to rooting if need be.
Implement a HTTP server in your app, then put your phone in USB Tether mode. This will create a local network between your phone and your PC. You should then be able to send HTTP request or create websockets using the phone's ip.
EDIT : I tested it, and it works, see here
What you can do is the phone acting as a server and then use adb to forward ports [1].
In this scenario the pc app would connect to localhost which would be redirected to the app on the phone via the usb cable.
But if you go this way, you might just as well simply connect directly to the phone's ip (without the adb port forwarding)...
[1] http://developer.android.com/guide/developing/tools/adb.html#forwardports

Categories

Resources