Monitor network activity in Android Phones

11

66

I would like to monitor the network traffic of my Android phone. I was thinking of using tcpdump for Android, but I'm not sure if I have to cross-compile for the phone.

Another question is the following: if I want to monitor the traffic data for a certain application, is there any command for doing that?

Jock answered 25/2, 2011 at 19:28 Comment(3)
Shark is no longer maintained and does not work on new versions of Android. Which method are you using now? – Advowson
@Arya, try this app play.google.com/store/apps/details?id=app.greyshirts.sslcapture – Impetrate
@MateusGondim Thanks for that. Do you know anything I can use for TLS encryption? – Advowson
24

TCPDUMP is one of my favourite tools for analyzing networks, but if you find it difficult to cross-compile tcpdump for Android, I'd recommend you use some applications from the market.

These are the applications I was talking about:

  • Shark: a small version of Wireshark for Android phones. This program will create a *.pcap file that you can read on a PC with Wireshark.
  • Shark Reader: this program allows you to read the *.pcap file directly on your Android phone.

The Shark app works with rooted devices, so if you want to install it, be sure that your device is already rooted.

Good luck ;)

Travel answered 28/2, 2011 at 14:21 Comment(2)
Please provide direct link to download suggested tools. – Reduplicative
What is "Shark"? Searching the web for "Android Shark" just returns a bunch of marine-themed mobile games. – Whitson
17

If you are doing it from the emulator you can do it like this:

Run emulator -tcpdump emulator.cap -avd my_avd to write all the emulator's traffic to a local file on your PC and then open it in wireshark

There is a similar post that might help HERE

Lichen answered 25/2, 2011 at 19:36 Comment(0)
7

Note: tcpdump requires root privileges, so you'll have to root your phone if not done already. Here's an ARM binary of tcpdump (this works for my Samsung Captivate). If you prefer to build your own binary, instructions are here (yes, you'd likely need to cross compile).

Also, check out Shark For Root (an Android packet capture tool based on tcpdump).

I don't believe tcpdump can monitor traffic by specific process ID. The strace method that Chris Stratton refers to seems like more effort than it's worth. It would be simpler to monitor specific IPs and ports used by the target process. If that info isn't known, capture all traffic during a period of process activity and then sift through the resulting pcap with Wireshark.

Kaolin answered 28/2, 2011 at 6:42 Comment(0)
4

For Android phones (without root): you can use the application tPacketCapture, which will capture the network traffic for your device when you enable the capture. See this url for more details about network sniffing without rooting your device.

Once you have the file, which is in .pcap format, you can analyze the traffic using any traffic analyzer like Wireshark.

Also see this post for further ideas on capturing mobile phone traffic on Wireshark.

Cerumen answered 23/4, 2015 at 21:28 Comment(0)
3

The DDMS tool included in the Android SDK includes a tool for monitoring network traffic. It does not provide the kind of detail you get from tcpdump and similar low level tools, but it is still very useful.

Official documentation: http://developer.android.com/tools/debugging/ddms.html#network

Bed answered 4/7, 2013 at 8:26 Comment(0)
2

You would need to root the phone and cross compile tcpdump or use someone else's already compiled version.

You might find it easier to do these experiments with the emulator, in which case you could do the monitoring from the hosting pc. If you must use a real device, another option would be to put it on a wifi network hanging off of a secondary interface on a linux box running tcpdump.

I don't know off the top of my head how you would go about filtering by a specific process. One suggestion I found in some quick googling is to use strace on the subject process instead of tcpdump on the system.

Commissary answered 25/2, 2011 at 19:40 Comment(0)
2

Without root, you can use debug proxies like Charlesproxy&Co.

Grattan answered 10/11, 2015 at 13:37 Comment(1)
That's true, I have been using Charlesproxy for a long time and this tool is really cool. It also provides throttling and SSL decryption (by using a custom key). But it would be much nicer to have this tool as a part of Android Studio. – Broeder
2

Packet Capture is the best tool to track network data on Android. It does not need any root access, and it is easy to read and save the calls based on application. Check this out

Mesitylene answered 10/2, 2016 at 9:35 Comment(0)
2

Try this application https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture

We can view all networking communications .. even SSL encrypted communications.

Worldweary answered 8/4, 2017 at 17:46 Comment(0)
2

Preconditions: adb and wireshark are installed on your computer and you have a rooted android device.

  1. Download tcpdump to ~/Downloads
  2. adb push ~/Downloads/tcpdump /sdcard/
  3. adb shell
  4. su root
  5. mv /sdcard/tcpdump /data/local/
  6. cd /data/local/
  7. chmod +x tcpdump
  8. ./tcpdump -vv -i any -s 0 -w /sdcard/dump.pcap
  9. Ctrl+C once you've captured enough data.
  10. exit
  11. exit
  12. adb pull /sdcard/dump.pcap ~/Downloads/

Now you can open the pcap file using Wireshark.

As for your question about monitoring specific processes, find the bundle id of your app, let's call it com.android.myapp

  1. ps | grep com.android.myapp
  2. copy the first number you see from the output. Let's call it 1234. If you see no output, you need to start the app. If you still don't see the app via ps try using top.
  3. Download strace to ~/Downloads and put into /data/local using the same way you did for tcpdump above.
  4. cd /data/local
  5. ./strace -p 1234 -f -e trace=network -o /sdcard/strace.txt

Now you can look at strace.txt for ip addresses, and filter your wireshark log for those IPs.

Erg answered 18/1, 2019 at 17:57 Comment(2)
Note on some phones, you'll need to do adb root instead of adb shell su root – Erg
Note if you have adb root on a phone, you must adb push ~/Downloads/tcpdump /data/local – Erg
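
As an added example (not part of the answer above or any poster's code): a Python sketch of the last step that answer describes, pulling the remote addresses out of strace.txt and turning them into a Wireshark display filter for dump.pcap. The strace lines are constructed samples and the function names are hypothetical; folding IPv4-mapped IPv6 addresses back to IPv4 and adding the port to the filter go slightly beyond what the answer states.

```python
import ipaddress
import re

# Constructed sample of `strace -p PID -f -e trace=network -o ...` output (not from a real device).
SAMPLE_STRACE = """
1234  connect(45, {sa_family=AF_INET6, sin6_port=htons(443), inet_pton(AF_INET6, "::ffff:203.0.113.10", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 EINPROGRESS (Operation now in progress)
1240  sendto(46, "<dns query>", 33, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("198.51.100.53")}, 16) = 33
1240  connect(47, {sa_family=AF_UNIX, sun_path="/dev/socket/dnsproxyd"}, 110) = 0
1234  connect(48, {sa_family=AF_INET6, sin6_port=htons(443), inet_pton(AF_INET6, "2001:db8::7", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = 0
1234  connect(49, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
1234  connect(50, {sa_family=AF_INET, sin_port=htons(5037), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
"""

# Only calls that carry a peer address; bind()/getsockname() hold local ones.
CALL = re.compile(r'^\s*(?:\d+\s+)?(connect|sendto|sendmsg)\(')
ADDR = re.compile(r'inet_addr\("([^"]+)"\)|inet_pton\(AF_INET6, "([^"]+)"')
PORT = re.compile(r'sin6?_port=htons\((\d+)\)')

def remote_endpoints(text):
    """Return sorted, de-duplicated (ip, port) pairs the traced process talked to."""
    found = set()
    for line in text.splitlines():
        if not CALL.match(line):
            continue
        addr, port = ADDR.search(line), PORT.search(line)
        if not (addr and port):
            continue  # AF_UNIX / AF_NETLINK sockets or "<unfinished ...>" lines
        ip = ipaddress.ip_address(addr.group(1) or addr.group(2))
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is plain IPv4 on the wire
        if ip.is_loopback or ip.is_unspecified:
            continue  # local-only traffic, not useful for filtering the capture
        found.add((str(ip), int(port.group(1))))
    return sorted(found)

def wireshark_filter(endpoints):
    """Build a Wireshark display filter matching any of the endpoints."""
    terms = []
    for ip, port in endpoints:
        field = "ipv6.addr" if ":" in ip else "ip.addr"
        terms.append(f"({field} == {ip} && (tcp.port == {port} || udp.port == {port}))")
    return " || ".join(terms)

if __name__ == "__main__":
    print(wireshark_filter(remote_endpoints(SAMPLE_STRACE)))
```

To use it on a real trace, read the pulled strace.txt and pass its contents to remote_endpoints() in place of the sample, then paste the printed expression into Wireshark's display filter bar.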
0

The common approach is to call "cat /proc/net/netstat" as described here:

Android network stats

Scilicet answered 25/2, 2011 at 20:28 Comment(2)
That will provide a list of connections, but not permit monitoring the data itself. You may also miss channels without stateful connections unless you catch them at the right instant. Also using exec on cat is totally unnecessary - just read the /proc/net/netstat "file" in java. – Commissary
I never tried it so wouldn't know for sure. First answer claims to work #3395011 – Scilicet
