Capture Android data packets using tcpdump

Source: Internet
Author: User
I. Preparation: 1. the Android phone requires the root permission first. One way to check whether the root permission is obtained: Install and enable the terminal simulator (which can be obtained through channels such as the Android Market ). On the terminal simulator interface, enter su and press Enter. If an error is reported, it indicates that no root is displayed. if the command prompt is changed from $ to #, it indicates that no root is returned. 2. if the Android phone is not yet root, access is allowed.

I. preparation:

1. the Android phone must first obtain the root permission. One way to check whether the root permission is obtained: Install and enable the terminal simulator (which can be obtained through channels such as the Android Market ). On the terminal simulator interface, enter su and press Enter. If an error is reported, it indicates that no root is returned. if the command prompt is changed from $ to #, it is "rooted;

2. if the Android mobile phone is not root, you can use superoneclick or other methods to perform root processing (you need to install Microsoft. NETFramework first ). Superoneclick brush root permissions tutorial :( http://soft.shouji.com.cn/news/501.shtml)

3. obtain the Android SDK first.

4. requiredTcpdumpSoftware

II. packet capture steps:

1. connect the Android mobile phone to the computer USB and open the mac terminal

2. copy the tcpdump program to the android mobile phone. (the directory file in front of this command is the local address, and the directory in the back is the destination mobile address)

My: platform-tools hui $ adb push ~ /Downloads/tcpdump/data/local/tcpdump

3. modify tcpdump permissions

My: platform-tools hui $ adb shell

Shell @ edison:/$ chmod 777/data/local/tcpdump

4. enter the root permission

Shell @ edison:/$ su

After running the su command, a prompt message is displayed on the desktop of the mobile terminal to confirm your acceptance of the root operation.

5. run tcpdump and run the following command to start packet capture.

/Data/local/tcpdump-p-vv-s 0-w/sdcard/capture. pcap

6. execute the operations on the mobile phone end that require packet capture analysis. after the execution is complete, execute Ctrl + C in the command prompt window to interrupt the packet capture process.

7. copy the packet capture result to the local device (the previous directory is the mobile phone address, and the subsequent directory is the local address)

My: platform-tools hui $ adb pull/sdcard/capture. pcap ~ /Downloads

8. use Wireshark and other tools to view the captured File capture. pcap

Wireshark For Mac (64-bit) 1.11.2: http://www.onlinedown.net/softdown/109518_2.htm

Windows wireshark, Chinese version address: http://www.onlinedown.net/softdown/2883_2.htm, English version address (need to flip the wall): http://www.wireshark.org/download.html

Use wireshark to open capture. pcap to analyze logs.

Wireshark specific visibility: http://www.cnblogs.com/TankXiao/archive/2012/10/10/2711777.html

III. Analysis of tcpdump commands:

$ Tcpdump -- help

Tcpdump version 3.9.8

Libpcap version 0.9.8

Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [-Cfile_size]

[-E algo: secret] [-F file] [-I interface] [-M secret]

[-R file] [-s snaplen] [-T type] [-w file]

[-W filecount] [-y datalinktype] [-Z user]

[Expression]

Tcpdump adopts the command line method. its command format is:

Tcpdump [-adeflnNOpqStvx] [-c quantity] [-F file name]

[-I network interface] [-r file name] [-s snaplen]

[-T type] [-w file name] [expression]

1. Introduction to tcpdump options

-A converts a network address and broadcast address into a name;

-D. give the code that matches the information package in an assembly format that people can understand;

-Dd provides the code that matches the information package in the format of the C program segment;

-Ddd provides the matching information package code in decimal format;

-E prints the header information of the data link layer in the output line;

-F print the Internet address in numbers;

-L changes the standard output to the buffer row format;

-N does not convert the network address into a name;

-T no timestamp is printed on each output line;

-V outputs a slightly detailed information. for example, the IP package can contain ttl and service type information;

-Vv: output detailed message information;

-C. after receiving the specified number of packages, tcpdump stops;

-F read the expression from the specified file and ignore other expressions;

-I indicates the network interface of the listener;

-R reads packets from a specified file (these packets are generally generated using the-w option );

-W directly writes the package into the file and does not analyze or print it out;

-T directly interpret the packet to be listened to as a specified type of message. Common types include rpc (remote process

Call) and snmp (Simple Network Management Protocol ;)

2. Introduction to tcpdump expressions

A regular expression is used by tcpdump to filter packets.

The packet will be captured. If no conditions are provided, all information packages on the network will

Intercepted.

In an expression, the following types of keywords are generally used. one is about the types of keywords, including host,

Net, port, for example, host 210.27.48.2, indicating that 210.27.48.2 is a host, and net 202.0.0.0 indicates

202.0.0.0 is a network address and port 23 indicates that the port number is 23. If no type is specified, the default type is

Host.

The second type is the key words for determining the transmission direction, including src, dst, dst or src, dst and src,

These keywords indicate the transmission direction. For example, src 210.27.48.2 indicates that the source address in the IP package is 210.27.

48.2, dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified

The default value is the src or dst keyword.

The third type is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp, and other types. Fddi indicates that

The specific network protocol on FDDI (distributed optical fiber data interface network) is actually the alias of "ether", fddi and e

Ther has a similar source address and destination address, so you can use the fddi protocol package as the ether package for processing and analysis.

The other keywords indicate the protocol content of the listener package. If no protocol is specified, tcpdump will

Listen to the information packages of all protocols.

In addition to the three types of keywords, other important keywords are as follows: gateway, broadcast, less,

Greater, there are three logical operations. The non-operation is 'not ''! ', And the operation is 'and',' & '; or the operation is 'o

R', '| ';

These keywords can be combined to form a powerful combination condition to meet people's needs. The following are several examples:

Description.

(1) all packets received and sent by all hosts 210.27.48.1 are to be intercepted:

# Tcpdump host 210.27.48.1

(2) to intercept the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command:

(When using parentheses in the command line, be sure

# Tcpdump host 210.27.48.1 and/(210.27.48.2 or 210.27.48.3 /)

(3) If you want to obtain an IP packet for all hosts except 210.27.48.1 and 210.27.48.2

, Run the following command:

# Tcpdump ip host 210.27.48.1 and! 210.27.48.2

(4) to obtain the telnet packet received or sent by the host 210.27.48.1, run the following command:

# Tcpdump tcp port 23 host 210.27.48.1

3. Introduction to output results of tcpdump

Below we will introduce the output information of several typical tcpdump commands.

(1) data link layer header information

Run the command # tcpdump -- e host ice

Ice is a linux host. her MAC address is 0: 90: 27: 58: AF: 1A.

H219 is a SUN workstation with SOLARIC installed. its MAC address is 8: 0: 20: 79: 5B: 46; the previous one

Command output is as follows:

21:50:12. 847509 eth0 ice.

Telnet 0: 0 (0) ack 22535 win 8760 (DF)

Analysis: 21: 50: 12 indicates the display time, 847509 indicates the ID number, and eth0 indicates the display time.

The packet. eth0> indicates that the packet is sent from the network interface device. 8: 0: 20: 79: 5b: 46 is the MAC address of the host H219.

Indicates that the data packet is sent from the source address H219. 0: 90: 27: 58: af: 1a is the MAC address of the host ICE, indicating

The destination address is ICE. ip indicates that the data packet is an IP packet, 60 indicates the length of the data packet, and h219.33357> ice.

Telnet indicates that the packet is sent from Port 33357 of host H219 to port. ack 22535 of TELNET (23) of host ICE

Indicates to respond to a packet whose serial number is 222535. win 8760 indicates that the size of the sending window is 8760.

(2) TCPDUMP output information of ARP packets

Run the command # tcpdump arp

The output result is:

22:32:42. 802509 eth0> arp who-has route tell ice (0: 90: 27: 58: af: 1a)

22:32:42. 802902 eth0

: 1a)

Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0> indicates that the packet is sent from the host, arp indicates that the packet is

ARP Request packet. who-has route tell ice indicates the MAC address of the host's ROUTE request by the host ICE. 0: 90: 27: 5

8: af: 1a is the MAC address of the host ICE.

(3) TCP packet output information

The common output information of TCP packets captured with TCPDUMP is:

Src> dst: flags data-seqno ack window urgent options

Src> dst: Indicates from the source address to the destination address. flags indicates the flag information in the TCP packet, S indicates the SYN mark, and F (F

IN), P (PUSH), R (RST) "." (not marked); data-seqno is the sequence number of data IN the data packet, and ack is

The sequence number expected next time. window indicates the size of the window that receives the cache. urgent indicates whether there is an emergency pointer in the data packet.

Options is an option.

(4) UDP packet output information

The general output information of the UDP packet captured with TCPDUMP is:

Route. port1> ice. port2: udp lenth

UDP is very simple. the output line above indicates a UDP packet sent from the port1 port of the host ROUTE to the host

Port 2 of ICE, UDP type, and lenth package length

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.