Tcpdump for iOS and Android Network Packet Capture tutorial

Tcpdump for iOS and Android Network Packet Capture tutorial

Today, almost all mobile applications interact with servers through network requests. packet capture is an important skill for programmers to diagnose network-related bugs. There are many methods to capture packets: for http and https, you can use Charles to set the proxy. For more extensive protocols, you can use tcpdump or wireshark. Wireshark provides a GUI for in-depth and comprehensive data analysis. Tcpdump outputs the original package content. The advantage is that it is fast and efficient. Previously I wrote a simple tutorial on cracking red packet images, which uses tcpdump for operations. This article mainly introduces the basic usage of tcpdump. The goal is to master and use tcpdump to solve Network-related problems. The premise is to have a preliminary understanding of TCP/IP.

1. Start tcpdump 1.1 start tcpdump on iOS

It is easier to start tcpdump on iOS devices. Apple has a program named rvictrl on mac. You can create a virtual network card through the udid of the iOS device, and then listen to all network traffic on the device through the Virtual Network Card. The procedure is as follows:

Obtain the device udid from itunes

Open the terminal and create a virtual network card

Enter rvictl-s udid in the terminal to create the virtual network card.

Start tcpdump to monitor traffic

Enter sudo tcpdump-I rvi0-AAl on the terminal and start tcpdump monitoring.

 

2.1 start tcpdump on Android

Android devices cannot use rvictl to create virtual NICs. However, they can upload executable tcpdump files to android devices and remotely log on to android devices using mac to run tcpdump, the premise is that this android device must have been root. The procedure is as follows:

Download tcpdump for android

Download the tcpdump version specially compiled for android from this link.

Upload tcpdump to android devices through adb

Use adb push to upload the tcpdump file to a specific directory. Here we select the/sdcard/data directory.

Run tcpdump on android devices

Log on to the device using the adb shell, run tcpdump, and then run./tcpdump In the last step.

2. Analyze tcpdump output

After successfully running tcpdump in the preceding steps, you can analyze the output content of the network package. The output of the iOS and Android devices is the same. Let's first parse several basic formats:

The part in the red box in the figure is a detailed record of an IP package, and there are several similar records. Here we will analyze the meaning of each field in the first article.

14:37:41. 615018The time when the packet is received.

17.143.164.37.5223Is the IP address and port number of the sender (5223 is the port number ).

10.29.44.140.58036It is the IP address and port number of my iphone.

Flags [P.]It is the P-bit of the 14th bytes of the tcp packet header. The several flags contained in this byte are very important. I will explain them in detail later. Here, the P-bit indicates that the receiver needs to immediately push the package to the application layer.

Seq :54Seq Number of the tcp packet. 1 indicates the start value and 54 indicates the end value. Tcp is considered a stream because each byte carried by the tcp packet has a number (seq ). Indicates that a total of 54 bytes are accepted, one of which is used in the three-way handshake phase, so the total length of the sent message is 53 bytes.

Ack101Ack 101 indicates that the byte with seq 100 has been confirmed to be received, and the next expected seq number starts from 101.

Win 255Win indicates the number of bytes that the tcp packet sender can accept as the receiver. Here, win 255 indicates that the host whose ip address is 17.143.164.37 can accept 255 bytes.

Options [nop, nop,…]Options […] Indicates the options area of the tcp package. nop is short for no opertion and has no practical use. It is mainly used for padding, because the options region must be a multiple of 4 bytes according to the protocol.

Options [... TS val 2381386761]The ts val value is the timestamp of the tcp packet, but this timestamp has nothing to do with the system time of the device. It is a random value at the beginning, and will grow with the system clock. This timestamp is mainly used to confirm the packet sequence after the seq serial number starts from 0 again.

Options [... Ecr 427050796]The ts ecr value is mainly used to calculate RTT. For example, if A sends A tcp packet to B, A will carry TS val in the packet, and B will return the value as is in the ack packet after receiving the packet, after receiving the ack packet from B, A can calculate the RTT based on the local clock. This value is only valid in the ack package. The ecr value of a non-ack package is 0.

Length 53This length is the data size transmitted from the application layer, excluding the tcp header. This value is consistent with the seq analyzed above.

The above is a basic tcp packet structure. You can understand the other packages according to the above analysis. Http is the most common protocol for applications, but how can an http request be divided into packages by TCP/IP, then how to ensure stable and reliable transmission on the network requires a basic impression. Next let's take a look at more tcpdump functions. These functions are based on the understanding of the TCP/IP protocol. If you do not understand them, we recommend that you use google's related technical concepts.

 

3. tcpdump Knowledge Development

 

Before going into tcpdump, paste a tcp header Format diagram, which is often new.

3.1 TCP Flags (tcp header 14th bytes)

Let's take a closer look at the above-mentioned flags concept. flags are located at the 14th bytes of the tcp header and contain 8 bits, that is, CWR to FIN. These eight bits have specific functional purposes: CWR, ECE, URG, ACK, PSH, RST, SYN, and FIN.

CWR, ECEThe two flags are used in combination with congestion control, which generally has little to do with the application layer. When the sender's packet ECE (ECN-Echo) is 0, the congestion is displayed. If the receiver's returned packet CWR (Congestion Window forced CED) is 1, the sender receives and processes the congestion information. We will focus on the other six flags.

URGURG indicates Urgent, which indicates that the packet has a high priority and needs to be transmitted and processed by the other party first. For example, when we usually use terminal, ctrl + c is often used to end a task. The Network Packet Generated by this command requires urgent.

ACKThis is the familiar ack packet used to tell the other party that the previous packet has been successfully received. However, generally, an ack packet is not sent for ack separately. The ack bit is set in the next packet to be sent. This is a tcp optimization mechanism. For details, see delayed ack.

PSHPush we have explained above that the receiving side of the P-Bit flag package needs to be immediately handed over to the application layer for processing. Generally, we can see that the P-bit is set in the last packet of the http request.

RSTThe Reset bit indicates that the packet sender is about to disconnect the current connection. At the end of the http request, you can see that an RST bit is set for a data packet.

SYNThe SYN bit will be set when sending the connection establishment request. The three handshakes we are familiar with are the combination of syn and ack: syn-> syn + ack-> ack.

FINWhen the Finish bit is set, it indicates that the sender has no more data to send, and the connection will be closed one way later. Generally, the receiver will return an ack packet. The receiver can send a FIN to close the connection in two directions.

The first letters of the eight flags are: c e u a p r s f. At first glance, it was hard to remember. I had a brain hole and combined them into supr cafe. Of course, if super was missing an e, I could just try again. When using tcpdump, we often see these flags, [S], [P], [R], [F], [.]. Others are easy to understand. [.] is a placeholder. This placeholder is displayed when no other flag is set. It generally indicates ack.

3.2 tcpdump more usage parameters

In this section, we will look at some common command parameters of tcpdump. The tcpdump command at the beginning of this article is as follows: sudo tcpdump-I rvi0-AAl. -I rvi0-AAl all belong to the parameter section. Common examples include:

• -I: The name of the ENI to be monitored.-I rvi0 listens to the virtual ENI. When not set, all network card Traffic is monitored by default.
• -A: uses an ASCII code to display the intercepted traffic. It is generally used for http requests on webpages or apps. -AA can get more information.
• -X: Uses ASCII code and hex to display the package content, which is similar to-A above. -XX can display more information (such as the link layer header ).
• -N: hostname is not parsed. tcpdump takes precedence over the host name. -Nn: the host name and port name are not displayed (for example, port 443 is displayed as https ).
• -S: the length of the captured packet in bytes. By default, tcpdump shows the length of 96 bytes. To obtain the complete length, use-s0 or-s1600.
• -C: truncate a specified number of packages and exit.
• -V: displays more useful information. You can also use-vv-vvv to increase the amount of information displayed.
• Src: Specifies the sender address of the IP package.
• Dst: Specifies the recipient address of the IP package.
• Port, indicating the port number of the tcp packet sender or receiver.
• And, or, not, operation method, literal meaning.

The above are commonly used by me. For more parameters, refer to this detailed document. If you are interested, analyze the following examples and exercises:

Tcpdump 'tcp [13] & 16! = 0'

Tcpdump src port 80 and tcp

Tcpdump-vv src baidu and not dst port 23

Tcpdump-nnvvS src 192.0.1.100 and dst port 443

 

4. Use tcpdump to analyze the complete http Request

 

After talking about this, let's take a look at a complete http request process. The traffic below is an https request sent after I listen to the App thumb ups. I have analyzed the IP address of the server before. The tcpdump command is:

Sudo tcpdump-I rvi0-AAl src 60.28.215.123 or dst 60.28.215.123

The preceding six packages are listed in the figure. 10.29.44.240 is the IP address of my iphone, 60.28.215.123 is the IP address of zhihu server, and the packet sent by the iphone is in the red box, the packet sent by the server is in the white box. Packet1 is the first syn package for iphone three-way handshake, packet2 is the server ack + syn package, and packet3 is the iphone ack package. After the three packages, the tcp three-way handshake is completed.

Packet4 is an http request sent by the iphone. The length is only 240 bytes, so a packet is sent. Of course, the P-bit of flags is also set, and the request needs to be processed by the application layer immediately. Spdy is displayed in the package. Click like.

Packet5 is the packet that the server ack has just received. Its length is 0, so this is only an ack packet.

Packet6 is the server's response to http, 1388 bytes. Both packet5 and packet6 have ack packages with seq 241. Of course, this is to increase the success rate of ack.

There are several packages in the middle, which are not analyzed carefully. Finally, let's look at the last packages completed by the request:

The last two packages are relatively simple. When the iphone sends a FIN + ACK package, the connection is disconnected. After the server directly sends an RST package, the connection is also disconnected.

This tutorial is over now. We recommend that you use google for parameters or keywords that you do not understand. It is best to systematically learn the TCP/IP protocol ??.