Go to capture a packet on your Android smartphone

How do I capture a packet on my Android smartphone?

This article by csdn-蚍蜉 Shake Pine "Homepage: HTTP://BLOG.CSDN.NET/HOWEVERPF" original, reprint please indicate the source!

The current Android system is becoming more and more popular, whether for Android app developers, or for network security researchers, it is possible to grasp the capture of Android application communication packet method. According to the technical means, the commonly used methods are divided into two categories, one is through the Android Smart Mobile terminal access to the upper layer network devices or lines to obtain data flow, the other is directly on the Android mobile terminal to listen to the data stream. This article mainly discusses the second kind of method, the following respectively on the preparation, general steps, frequently asked questions, extended description four aspects. (because I am using an Android phone, so the text is described in the context of the Android phone, but in fact, the content of this article is the Android mobile terminal can basically be universal)

The so-called practice, we recommend that you read this article or can actually choose an android application analysis. I personally use the capture technology described in this article to analyze the network communication behavior of Baidu Paste-up Android client, analysis results see my previous blog post "Baidu paste client (Android) network communication Behavior Analysis", you can also download the full PDF version of the analysis report, the address is:/http download.csdn.net/detail/ping_fani07/6028411.

First, pre-preparation 1.1 for Android phone root permission to unlock

Root is the Super Admin account in the Android phone system, with root privileges (that is, underlying permissions) similar to the administrator permissions we have under the Windows system. By default, in order to prevent system files from being changed, the Android system does not open the root account to our normal users, we must first unlock root privileges to get root privileges. The internet generally put the root of the Android phone is unlocked, referred to as whether the Android phone root.

Over the years, a large number of mobile root tools have sprung up online, using your own mobile phone model, and you should be able to find the right tool for you. As a Huawei party, I finally used the Brush Machine Wizard , two times after the successful unlock root permissions. After unlocking successfully, the Brush Wizard will install an authorization Management tool on the phone to help us manage which apps and programs can get root authorization. The latest version of the Authorization Management tool also comes with a toolbox, you can freely uninstall the preinstalled software and system software on the phone, very worry, very convenient! Brush Wizard Use Tutorial reference: "Phone root access method: [4] Brush Machine Wizard".

1.2 Downloads related Tools

There are two main tools to use, Tcpdump (Android version) and ADB. Packaged as: http://download.csdn.net/detail/ping_fani07/6218853.

Tcpdump is an open Source Network Protocol analysis tool commonly used in Linux systems, using the method detailed: "Tcpdump".

ADB is an Android remote debugging tool provided by Google and should be used in detail: "Introduction to ADB command". If you use the Brush Wizard to unlock the root of your phone, you can find the ADB command line in the Brush Wizard 's utility, call this tool directly without having to download it, or if you have previously built an Android development environment, you should also The tool is found under the ***\platform-tools directory.

Ii. General Steps

In order to make everyone look convenient, I first put all the steps pull-through on a picture, give everyone an intuitive impression, 2-0. (considering the generality, before uploading the tcpdump to modify the target directory permissions on the phone, some phones do not.) ）

Figure 2-0 The complete process of first grabbing a packet on a mobile phone

Here are the step-by-steps explanations, some of which are only needed for the first time, using the "first time only" callout (that is, the part circled with a white box in Figure 2-0).

• (1) Place the Adb.exe in the appropriate directory and add the full path of the directory to the Windows path environment variable. "First time Only" "The Android development environment has been built and no need for this step"
• (2) Open the Windows Command Prompt window and enter the command: ADB version, if the versions of ADB are displayed properly, then the previous environment variable setting is not a problem, and the Adb.exe itself is complete, 2-1; Conversely, it may be Adb.exe If the file itself is corrupted, the environment variable is set incorrectly, or the environment variable is set and not yet in effect, check it yourself. "Just the first time"

Figure 2-1 Check that the ADB tools are available properly

• (3) Check the Android phone "USB debugging", the Android phone connected to the computer USB, the command Prompt window Input command: ADB devices, if the normal display of the device number of the connected phone, then the connection is successful, 2-2. (Note: Some phones may have a problem with the device number, the display is a question mark, which is also possible, does not affect the subsequent operation)

Figure 2-2 See if the PC and Android phone are connected successfully

• (4) Upload tcpdump (for Android) to your Android phone and enter a command in the command Prompt window: adb push <LocalPath of tcpdump> / Data/local/tcpdump, 2-3. "Just the first time"

Figure 2-3 Uploading Tcpdump

• (5) Add executable permission to tcpdump , 2-4. "Just the first time"
  • Use the commands in the Command Prompt window to open the terminal shell of the Android phone remotely from the ADB shell;
  • Use the SU command in the current shell to get administrator privileges;
  • Use the chmod command in the current shell to modify tcpdump permissions.

Figure 2-4 Modifying permissions for Tcpdump

• (6) Use tcpdump to grab the packet and write the result to a pcap file to save, 2-5.
  • Use the commands in the Command Prompt window to open the terminal shell of the Android phone remotely from the ADB shell;
  • Use the SU command in the current shell to get administrator privileges;
  • Enter the command in the current shell:/data/local/tcpdump-p-S 0-w/sdcard/001.pcap;
  • On the Android phone to do related operations, generate communication packets, the communication behavior after the completion of the command Prompt window with the Ctrl + C key combination to exit the current shell to stop grasping the package.

Figure 2-5 grasping the package process

In the above procedure, the parameters of the Tcpdump command have the following meanings:
# "-P": Disable promiscuous mode (does not use promiscuous mode)
# "-S 0": Capture the entire packet (-s parameter to specify the packet capture length, specified here as 0, meaning to crawl the complete packet)
# "-W *.pcap": Write packets to a file (writes the result to a pcap file instead of displaying directly on the terminal)

• (7) Download the capture results to your local PC. Use commands in the Command Prompt window: adb pull/sdcard/001.pcap <LocalPath of Pcapfile >,2-6.

Figure 2-6 Download capture results to local

• (8) Use the Wireshark and other protocol analysis tools to view the results of the capture package.

Third, the resolution of the common problems 3.1 parts of mobile phone using the ADB push command to upload tcpdump failed

Hint message: "Failed to copy ' D:/tcpdump ' to '/data/local/tcpdump ': Permission denied";

Cause of Error: The destination directory on the Android phone does not have write permission;

Workaround: Add write permission to the destination directory/data/local on the Android phone, step 4-1;

Figure 4-1 Adding write permissions to the/data/local directory

3.2 Parts of the phone failed to change permissions on a file or directory using the chmod command

Hint message: "Read-only file System";

The reason for the error: literally, that is, the file system is read-only, not allowed to change the permissions; "It seems to be the problem on the classmate's Xiaomi phone."

Workaround: Mount the root directory again and specify it as read-write when mounted. The steps are as follows

• Use the commands in the Command Prompt window to open the terminal shell of the Android phone remotely from the ADB shell;
• Use the SU command in the current shell to get administrator privileges;
• Enter the command in the current shell: Mount-o REMOUNT,RW/. Then using the chmod command should be no problem.

Iv. Extensions and Instructions 4.1 when uploading tcpdump to an Android phone, do you have to choose the/data/local directory

Should not be the only choice, but I have tried to upload to some other directory/sdcard, etc., will encounter more restrictions on permissions. Therefore, for the convenience of consideration, it is recommended to try to fixed to the/data/local directory.

4.2 Shell commands for using the terminal emulator instead of the ADB tool

The terminal emulator is a Linux shell tool on an Android platform, equivalent to a CMD command prompt in Windows, and with it, we can perform command operations on the Linux system on Android.

From the previous description, we can see that the ADB tool in this main play two role, one is based on push, pull command file upload download (local PC and Android phone file exchange) The second is remote access to Android's built-in linux command-line shell based on shell commands (using Android's built-in shell to execute commands or programs such as Su, chmod, tcpdump, etc.). The second feature can be replaced with a terminal emulator . Example 3-1

Figure 3-1 Executing system commands using the terminal emulator

4.3 pull command to replace ADB tool with USB file transfer function

When we ran tcpdump earlier, we used the-w parameter to specify the file save path of the capture result in the/sdcard directory. /sdcard directory corresponds to the internal storage space of the Android phone, that is, our phone plug in the USB cable, select "Open USB storage Device", with Windows Explorer to open the root directory you see, 3-2. So we can use USB to connect the mobile phone, like access to the USB drive generally directly get our previous capture package generated 001.pcap files.

Figure 3-2/sdcard directory corresponds to the root directory of the phone's internal storage space visible on the PC

Description of the meaning of the 3-bit (or 4-bit) octal digits in the 4.4 chmod command

Those octal numbers correspond to the permissions we want to set for the target file/directory. In the case of 3 digits, if we consider the three octal numbers as a,b,c respectively, then A,b,c respectively represents the user (the owner of the file), group (the user belonging to the same group as the owner of the file), and other rights (other users).

Octal a/b/c can be converted to a 3-bit binary number, and the three-digit value from high to low corresponds to whether it has read , write , or execute permissions. The corresponding position 1, then has the corresponding permission, conversely if 0, there is no corresponding permission. For example:

• 777 [111,111,111], all users have read, write, execute permission;
• 700 [111,000,000], only the owner of the file has read, write, execute permissions, other users do not have permission;
• 644 [110,100,100] only the owner of the file has read and write permissions, and the other user only has Read permission.

Back to the previous article, we changed the/data/local permissions when set to 777, is the most simple and convenient, but also the most unsafe of the law. According to the introduction here, you can calculate the permissions of the value of how much is the most scientific.

As for the 4-bit octal number, a special attribute is set with a 1-bit octal number to the leftmost of the 3-bit octal number, and the special bit defaults to 0. Detailed reference: "chmod nnnn file command in Linux system n how is four bit ah not three bit?" 》

4.5 whether the permission value represented by a number in the chmod command can be replaced by a text string

Children's shoes working under Linux should know that the permission values in the chmod command can be used in addition to the 3-bit/4-bit octal number described above, as well as: [Ugoa ...] [[+-=][RWXX] ...] A string representation of the form, as follows: "The following example is taken from the blog post" chmod command Details ", thank the blogger lyg105504 (Lin)"

• Example 1. The following two commands have the same function, which is to assign read, write, execute permissions to the owner of filename, assign read and execute permissions to the host group of filename, and assign execute permissions to other users only

# chmod 751 FileName

# chmod U=rwx,g=rx,o=x FileName

• Example 2. The following three commands have the same effect, and all users are assigned Read permissions only

# chmod 444 FileName

# chmod =r FileName

# chmod A-wx,a+r FileName

Is it possible to use a text string instead of a permission value in the form of an octal number in an Android system? In my experimental results, it is not possible, the system gives the error is: "Bad mode." Perhaps the system itself does not support it.

Go to capture a packet on your Android smartphone