Wednesday, June 25, 2014

Wireshark on Android

The other day I found myself wishing I could run wireshark in realtime on an Android phone, but use the familiar GUI on my laptop. After a few minutes tinkering around, I was doing exactly that.

The phone belonged to an Android developer, so he'd already rooted it, enabled developer tools, etc... He'd also installed a packet capture application which worked, but didn't allow me to see things in real time.

The Android SDK bundle contains the adb binary, which is required for connecting to the phone. Extract adb and drop it somewhere in $PATH
 # run adb as root:  
 adb root  
 # connect to the phone over WiFi (the phone's owner had
 # already enabled this feature with 'adb tcpip' via USB):  
 adb connect <phone's wifi ip address>  
 # check that we get a root shell on the phone:  
 adb shell 'id'  

It turns out that the packet capture application included a tcpdump binary at /data/data/lv.n3o.shark/files/tcpdump, and invoking it from the adb shell worked normally. It produced the usual startup message, and then a one line summary of each packet.
 adb shell '/data/data/lv.n3o.shark/files/tcpdump -c 2'
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
 12:37:04.053553 IP > P 2817938036:2817938134(98) ack 1887364010 win 1358 
 12:37:04.054244 IP > 12160+ PTR? (44)

Progress, but not wireshark. I expected that adding the '-w -' flag (write pcap data to STDOUT) to tcpdump would allow me to collect pcap data from adb's STDOUT on my macbook, and feed it into wireshark, but didn't give the result I wanted. There were two problems:
  1. Tcpdump's informational messages got mingled with the pcap data when the data came out of adb shell. This was a problem.
  2. Binary data pipelined through the adb shell got corrupted. The adb shell is a tty of some flavor, I guess, and this is not a safe way to pass binary data.
I solved the first problem by trashing tcpdump's informational messages. These go to STDERR on the phone, but were mingled with STDOUT when they reached the shell on the macbook. '2>/dev/null' (trash stderr) got rid of problem #1.

Problem #2 was resolved by base64 encoding the pcap data on the phone, before handing it to adb shell, and then removing the base64 encoding on the macbook. Fortunately there's a base64 binary in the root user's path on this Android phone.

The bits that go into the final solution are:
  • adb shell 'command' (run command on the phone)
  • tcpdump -w - 2>/dev/null | base64 (run tcpdump, trash STDERR, encode the output)
  • base64 -D (undo the base64 encoding - this runs on the mac)
  • wireshark -ki - (wireshark '-k' means start capture immediately, '-i -' means read from stdin)
Putting it all together we have:
 adb shell '/data/data/lv.n3o.shark/files/tcpdump -w - 2>/dev/null | base64' | base64 -D | wireshark -ki -  

Job done. The command above connects to the remote Android phone, fires up tcpdump on the phone, fires up wireshark on my laptop, and bolts the two together, making it possible to work with packets (as seen by the phone) in real time on a laptop.

It's not 100% real time, there's some batching and latency, but it was okay for my purposes. Adding tcpdump's '-U' flag might help here.


  1. Hi Chris, great post. seems that you are quite familiar with network monitoring tools. Just curious have you ever used a network analyzer called Colasoft Capsa?

    1. Almost every time I've seen a commercial packet analyzer tool, it was being wielded by someone without the foggiest idea of how to use it. Also, the problems they were looking at were either (a) not problems or (b) easily diagnosed with open source tools. These experiences have led me to the (possibly unfair) opinion that commercial packet analyzers are a bit like shoes with velcro closures.

    2. Haa, really interesting analogy. Maybe you are right.
      I don't like the commercial ones either. It's said that Capsa is a wireshark-like tool, also has a free edition for non-commercial use. That's why it attracts me. Well, I decide to have a check.

  2. This is cool stuff. I'm not an Android user or I'd try it out. BTW, someone did get Wireshark running on a rooted Android, but I think it'd be hard to do analysis with my eyes bleeding from looking at that small screen:

  3. hi, sorry for interrupting. I just want to run tcpdump in my phone's terminal without connected to pc. But it cannot work even after copy tcpdump into system/sbin. it report:tcpdump: no suitable device found. Do you know how to do it? I just want to capture data when OTG cable is plugined. thanks very much.

  4. No interruption here. Comments are enabled for a reason :)

    'no suitable device found' sounds to me like you're not running tcpdump as root.