I. Preparation:
1. The Android phone must first be rooted. One way to check whether root has been obtained: install and open a terminal emulator (available from the Android Market and similar channels), type su and press Enter. If an error is reported, the phone is not rooted; if the command prompt changes from $ to #, it is rooted.
2. If the phone is not rooted yet, root it with SuperOneClick or another method (SuperOneClick needs the Microsoft .NET Framework installed first). SuperOneClick rooting tutorial: http://soft.shouji.com.cn/news/501.shtml
3. Obtain the Android SDK (it provides the adb tool used below).
4. A tcpdump binary for Android.
II. Packet capture steps:
1. Connect the Android phone to the computer over USB and open the Mac terminal.
2. Copy the tcpdump program to the phone (the first path in this command is the local file, the second is the destination path on the phone):
My:platform-tools hui$ adb push ~/Downloads/tcpdump /data/local/tcpdump
3. Make tcpdump executable:
My:platform-tools hui$ adb shell
shell@edison:/ $ chmod 777 /data/local/tcpdump
4. Switch to root:
shell@edison:/ $ su
After running su, a prompt appears on the phone's screen asking you to confirm the root request.
5. Run tcpdump with the following command to start capturing:
/data/local/tcpdump -p -vv -s 0 -w /sdcard/capture.pcap
6. Perform the operations on the phone whose traffic you want to analyze. When they are finished, press Ctrl+C in the terminal window to stop the capture.
7. Copy the capture file to the local machine (the first path is on the phone, the second is local):
My:platform-tools hui$ adb pull /sdcard/capture.pcap ~/Downloads
8. Open the captured file capture.pcap with Wireshark or a similar tool.
Wireshark for Mac (64-bit) 1.11.2: http://www.onlinedown.net/softdown/109518_2.htm
Wireshark for Windows, Chinese version: http://www.onlinedown.net/softdown/2883_2.htm; English version (reaching it from mainland China requires getting past the firewall): http://www.wireshark.org/download.html
Open capture.pcap in Wireshark to analyze the traffic.
Wireshark usage guide: http://www.cnblogs.com/TankXiao/archive/2012/10/10/2711777.html
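The following script automates steps 2 to 7 from the host side. It is an added example and not part of the original post; it assumes (my assumptions, not the post's) that adb is on PATH, that the phone's su accepts -c, that the device's ps prints the PID in its second column (the Android toolbox layout), and that the tcpdump binary sits at ~/Downloads/tcpdump as in the post. It also checks the pcap magic number of the pulled file, which is the quickest way to tell a real capture from the empty file left behind when tcpdump never started (no root, wrong path).

```python
"""Automate capture steps 2 to 7 from a Mac/Linux host.

Added example, not part of the original post. Assumptions (mine, not the
post's): `adb` is on PATH; the phone's `su` accepts `-c`; the device's `ps`
prints the PID in its second column (Android toolbox layout); the tcpdump
binary sits at ~/Downloads/tcpdump on the host, as in the post.
"""
import os
import struct
import subprocess

TCPDUMP_HOST_PATH = os.path.expanduser("~/Downloads/tcpdump")
TCPDUMP_DEVICE_PATH = "/data/local/tcpdump"
CAPTURE_DEVICE_PATH = "/sdcard/capture.pcap"
CAPTURE_HOST_DIR = os.path.expanduser("~/Downloads")

# pcap global-header magic numbers in both byte orders (plus the nanosecond variants).
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}


def adb(*args):
    """Run one adb command and return its stdout as text (raises on failure)."""
    return subprocess.run(["adb", *args], check=True, capture_output=True, text=True).stdout


def find_pid(ps_output, name="tcpdump"):
    """Return the PID of `name` from Android toolbox `ps` output, or None.

    Toolbox ps prints: USER PID PPID VSIZE RSS WCHAN PC NAME, so the PID is
    column 2 and the command name is the last column.
    """
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[1].isdigit() and cols[-1].endswith(name):
            return int(cols[1])
    return None


def is_pcap(header):
    """Check that a pulled file starts with a pcap magic number.

    A capture that failed (no root, wrong path, tcpdump never started) often
    leaves an empty or text file behind; this catches that before Wireshark does.
    """
    if len(header) < 4:
        return False
    return struct.unpack("<I", header[:4])[0] in PCAP_MAGICS


def capture():
    """Push tcpdump, start it as root, stop it on Enter, pull the pcap back."""
    adb("push", TCPDUMP_HOST_PATH, TCPDUMP_DEVICE_PATH)              # step 2
    adb("shell", "chmod", "755", TCPDUMP_DEVICE_PATH)                # step 3; 755 is enough to execute
    cmd = "%s -p -vv -s 0 -w %s" % (TCPDUMP_DEVICE_PATH, CAPTURE_DEVICE_PATH)
    proc = subprocess.Popen(["adb", "shell", "su", "-c", cmd])       # steps 4 and 5
    input("Capturing; reproduce the traffic on the phone, then press Enter to stop... ")
    pid = find_pid(adb("shell", "ps"))
    if pid is not None:
        adb("shell", "su", "-c", "kill -2 %d" % pid)                  # step 6: SIGINT, like Ctrl+C
    proc.wait()
    adb("pull", CAPTURE_DEVICE_PATH, CAPTURE_HOST_DIR)                # step 7
    local = os.path.join(CAPTURE_HOST_DIR, "capture.pcap")
    with open(local, "rb") as f:
        return local, is_pcap(f.read(4))


if __name__ == "__main__":
    path, ok = capture()
    print(path, "looks like a pcap" if ok else "is NOT a pcap; check root and the tcpdump path")
```

Stopping tcpdump with SIGINT rather than killing the adb session matters: on SIGINT tcpdump flushes and closes the output file, so the last packets are not lost. The chmod uses 755 instead of the post's 777 because execute permission is all the binary needs.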
III. Analysis of tcpdump commands:
$ tcpdump --help
tcpdump version 3.9.8
libpcap version 0.9.8
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
		[ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
		[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
		[ -W filecount ] [ -y datalinktype ] [ -Z user ]
		[ expression ]
tcpdump is a command-line tool; its command format is:
tcpdump [-adeflnNOpqStvx] [-c count] [-F file name]
        [-i interface] [-r file name] [-s snaplen]
        [-T type] [-w file name] [expression]
1. Introduction to tcpdump options
-a converts network addresses and broadcast addresses into names;
-d prints the packet-matching code in a human-readable assembly-like format;
-dd prints the packet-matching code as a C program fragment;
-ddd prints the packet-matching code as decimal numbers;
-e prints the data-link-layer header on each output line;
-f prints foreign Internet addresses numerically;
-l makes standard output line-buffered;
-n does not convert network addresses into names;
-t does not print a timestamp on each output line;
-v slightly more verbose output; for example, the ttl and type-of-service of IP packets are shown;
-vv even more verbose output;
-c stops tcpdump after receiving the specified number of packets;
-F reads the filter expression from the specified file and ignores any expression given on the command line;
-i specifies the network interface to listen on;
-r reads packets from the specified file (usually one produced with the -w option);
-w writes the raw packets to a file instead of parsing and printing them;
-T interprets the captured packets as the specified type of message. Common types include rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol).
2. Introduction to tcpdump expressions
An expression is the condition tcpdump uses to filter packets: only packets that satisfy the expression are captured. If no expression is given, every packet on the network is captured.
Three kinds of keywords are generally used in an expression. The first kind describes the type of the object: host, net and port. For example, host 210.27.48.2 means that 210.27.48.2 is a host, net 202.0.0.0 means that 202.0.0.0 is a network address, and port 23 means port number 23. If no type is given, host is the default.
The second kind specifies the direction of transmission: src, dst, dst or src, and dst and src. For example, src 210.27.48.2 means that the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means that the destination network address is 202.0.0.0. If no direction keyword is given, the default is src or dst.
The third kind is the protocol keyword, mainly fddi, ip, arp, rarp, tcp, udp and so on. fddi stands for the network protocol on FDDI (Fiber Distributed Data Interface) networks and is effectively an alias of ether: fddi and ether have similar source and destination addresses, so fddi packets can be processed and analyzed as ether packets. The other keywords select the protocol of the packets to listen for. If no protocol is given, tcpdump listens for packets of all protocols.
Besides these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operators: negation is 'not' or '!', conjunction is 'and' or '&&', and disjunction is 'or' or '||'.
These keywords can be combined into powerful compound conditions. Several examples follow.
(1) To capture all packets received and sent by host 210.27.48.1:
# tcpdump host 210.27.48.1
(2) To capture the traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3, run the following command (when parentheses are used on the command line, they must be escaped so that the shell does not interpret them):
# tcpdump host 210.27.48.1 and \(210.27.48.2 or 210.27.48.3\)
(3) To obtain the IP packets exchanged between host 210.27.48.1 and every host other than 210.27.48.2, run the following command:
# tcpdump ip host 210.27.48.1 and ! 210.27.48.2
(4) To obtain the telnet packets received or sent by host 210.27.48.1, run the following command (the two primitives must be joined with and; tcpdump rejects them when simply placed side by side):
# tcpdump tcp port 23 and host 210.27.48.1
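To make the semantics of the four filters above concrete, here is an added example (not part of the original post) that expresses each filter as a Python predicate and runs it over a handful of constructed packet summaries. The helper names host, src_host, net, port, proto, and_, or_ and not_ are my own shorthand for the tcpdump keywords, not a tcpdump API; net takes an explicit prefix length where tcpdump infers one from the address class. The point it shows: host without a direction matches either end of the packet, and in filter (3) the "! 210.27.48.2" inherits the host qualifier, so the filter keeps packets where 210.27.48.1 talks to anyone other than 210.27.48.2.

```python
"""tcpdump filter semantics as Python predicates. Added example; packet
summaries are constructed, helper names are shorthand, not a tcpdump API."""
import ipaddress

# Constructed packet summaries: (proto, src, sport, dst, dport)
PACKETS = [
    ("tcp", "210.27.48.1", 33357, "210.27.48.2", 23),    # 0: telnet, .1 -> .2
    ("tcp", "210.27.48.3", 40000, "210.27.48.1", 80),    # 1: http, .3 -> .1
    ("udp", "210.27.48.2", 5000, "210.27.48.9", 53),     # 2: dns, .1 not involved
    ("arp", "210.27.48.1", None, "210.27.48.4", None),   # 3: arp is not ip
    ("tcp", "210.27.48.5", 1234, "210.27.48.1", 23),     # 4: telnet, .5 -> .1
    ("udp", "202.5.6.7", 1000, "210.27.48.1", 53),       # 5: dns from the 202 net
]

IP_CARRIED = {"tcp", "udp", "icmp"}


def src_host(addr):
    return lambda p: p[1] == addr


def dst_host(addr):
    return lambda p: p[3] == addr


def host(addr):
    """No direction keyword means 'src or dst'."""
    return lambda p: p[1] == addr or p[3] == addr


def net(cidr):
    """net keyword; tcpdump infers the mask from the address class, here it is explicit."""
    n = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p[1]) in n or ipaddress.ip_address(p[3]) in n


def port(num):
    return lambda p: p[2] == num or p[4] == num


def proto(name):
    """'ip' matches every packet carried inside IP; other names match exactly."""
    if name == "ip":
        return lambda p: p[0] in IP_CARRIED
    return lambda p: p[0] == name


def and_(*fs):
    return lambda p: all(f(p) for f in fs)


def or_(*fs):
    return lambda p: any(f(p) for f in fs)


def not_(f):
    return lambda p: not f(p)


# The post's four examples, plus one net example, written as predicates.
FILTERS = {
    "host 210.27.48.1": host("210.27.48.1"),
    "host 210.27.48.1 and (210.27.48.2 or 210.27.48.3)":
        and_(host("210.27.48.1"), or_(host("210.27.48.2"), host("210.27.48.3"))),
    # "! 210.27.48.2" inherits the preceding qualifier: it means "not host 210.27.48.2"
    "ip host 210.27.48.1 and ! 210.27.48.2":
        and_(proto("ip"), host("210.27.48.1"), not_(host("210.27.48.2"))),
    "tcp port 23 and host 210.27.48.1":
        and_(proto("tcp"), port(23), host("210.27.48.1")),
    "net 202.0.0.0": net("202.0.0.0/8"),   # class A address, so tcpdump uses /8
}


def matching(expr):
    """Return the indices of PACKETS selected by the named filter expression."""
    f = FILTERS[expr]
    return [i for i, p in enumerate(PACKETS) if f(p)]


if __name__ == "__main__":
    for expr in FILTERS:
        print("%-50s -> packets %s" % (expr, matching(expr)))
```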
3. Introduction to tcpdump output
Below we introduce the output of several typical tcpdump commands.
(1) Data-link-layer header information
Run the command # tcpdump -e host ice
ice is a Linux host whose MAC address is 0:90:27:58:AF:1A. h219 is a SUN workstation running Solaris whose MAC address is 8:0:20:79:5B:46. The command above produces output like the following:
21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12 is the time of display and 847509 is the ID number; eth0 < means that the packet was received on network interface eth0 (eth0 > would mean that it was sent from that interface). 8:0:20:79:5b:46 is the MAC address of host h219, indicating that the packet comes from source address h219; 0:90:27:58:af:1a is the MAC address of host ice, indicating that the destination address is ice. ip indicates that the packet is an IP packet, 60 is the packet length, and h219.33357 > ice.telnet indicates that the packet is sent from port 33357 of host h219 to the telnet port (23) of host ice. ack 22535 acknowledges the packet with sequence number 22535, and win 8760 indicates that the send window size is 8760.
(2) tcpdump output for ARP packets
Run the command # tcpdump arp
The output is:
22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < ...:1a)
Analysis: 22:32:42 is the timestamp and 802509 is the ID number; eth0 > indicates that the packet is sent from this host; arp indicates that the packet is an ARP request; who-has route tell ice means that host ice is asking for the MAC address of host route; 0:90:27:58:af:1a is the MAC address of host ice.
(3) TCP packet output
The general form of a TCP packet line captured with tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst indicates the direction, from the source address to the destination address. flags are the flag bits of the TCP packet: S for SYN, F for FIN, P for PUSH, R for RST, and "." for no flag set. data-seqno is the sequence number of the data in the packet, and ack is the sequence number expected next. window is the size of the receive buffer window, urgent indicates whether the packet carries an urgent pointer, and options are the TCP options.
(4) UDP packet output
The general form of a UDP packet line captured with tcpdump is:
route.port1 > ice.port2: udp length
UDP is very simple: the line above shows a UDP packet sent from port port1 of host route to port port2 of host ice, of type udp, with a payload length of length.
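The TCP and UDP line formats described in (3) and (4) can be reproduced from the capture.pcap pulled off the phone without tcpdump or Wireshark. The following added example (not part of the original post) is a minimal pcap reader: it walks the pcap global header and per-packet records, decodes Ethernet/IPv4/TCP/UDP, and prints one line per packet in the src > dst: flags data-seqno ack window form. It assumes link type 1 (Ethernet) and IPv4 only, does not resolve names (so addresses print numerically, as with tcpdump -n), and builds its own sample pcap inline with constructed addresses and timestamps.

```python
"""Minimal pcap reader that prints tcpdump-style TCP/UDP lines.
Added example, not part of the original post; handles Ethernet (DLT 1) and
IPv4 only; the sample capture is constructed inline."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
TCP_FLAG_NAMES = [(0x02, "S"), (0x01, "F"), (0x08, "P"), (0x04, "R")]


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, frame_bytes) for each record in a pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT 1) is handled")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl]
        off += incl


def decode(frame):
    """Return a dict for an IPv4 TCP/UDP frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                            # not IPv4 (e.g. ARP)
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]
    pkt = {"src": src, "dst": dst}
    if proto == 6 and len(l4) >= 20:           # TCP
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        data_off = (off_flags >> 12) * 4
        flags = off_flags & 0x3F
        pkt.update(proto="tcp", sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                   flags="".join(n for bit, n in TCP_FLAG_NAMES if flags & bit) or ".",
                   length=len(l4) - data_off, has_ack=bool(flags & 0x10))
    elif proto == 17 and len(l4) >= 8:         # UDP
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        pkt.update(proto="udp", sport=sport, dport=dport, length=ulen - 8)
    else:
        return None
    return pkt


def fmt(ts_sec, ts_usec, p):
    """Format one decoded packet the way the post describes tcpdump's output."""
    head = "%02d:%02d:%02d.%06d" % ((ts_sec % 86400) // 3600, (ts_sec % 3600) // 60, ts_sec % 60, ts_usec)
    left = "%s.%d > %s.%d:" % (p["src"], p["sport"], p["dst"], p["dport"])
    if p["proto"] == "udp":
        return "%s %s udp %d" % (head, left, p["length"])
    line = "%s %s %s %d:%d(%d)" % (head, left, p["flags"], p["seq"], p["seq"] + p["length"], p["length"])
    if p["has_ack"]:
        line += " ack %d" % p["ack"]
    return line + " win %d" % p["win"]


def tcpdump_lines(data):
    """Decode a whole pcap blob into a list of tcpdump-style lines."""
    lines = []
    for sec, usec, frame in iter_pcap(data):
        pkt = decode(frame)
        if pkt:
            lines.append(fmt(sec, usec, pkt))
    return lines


# --- constructed sample capture (zeroed MACs and checksums; addresses are made up) ---
def _eth(payload):
    return bytes(6) + bytes(6) + b"\x08\x00" + payload


def _ipv4(src, dst, proto, payload):
    a = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, a(src), a(dst)) + payload


def _tcp(sport, dport, seq, ack, flags, win, data=b""):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0) + data


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_sample_pcap():
    frames = [
        (78612, 847509, _eth(_ipv4("210.27.48.2", "210.27.48.1", 6, _tcp(33357, 23, 0, 22535, 0x10, 8760)))),
        (78612, 900000, _eth(_ipv4("210.27.48.2", "210.27.48.1", 6, _tcp(33357, 23, 0, 22535, 0x18, 8760, b"abc")))),
        (78613, 1000, _eth(_ipv4("210.27.48.1", "210.27.48.9", 17, _udp(5000, 53, b"x" * 30)))),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for sec, usec, f in frames:
        out += struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for line in tcpdump_lines(build_sample_pcap()):
        print(line)
```

To use it on a real capture, replace build_sample_pcap() with the bytes of capture.pcap read from disk. The seq:end(len) and ack fields are printed as absolute numbers; tcpdump prints them relative to the start of the connection unless told otherwise, which is why values in its output can look much smaller than the ones here.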