It can also use dumpcap or tshark, which are Wireshark-specific tools, and would be significantly more performant, but there is no build for them on OpenWRT so that does not help either. With this interface, Wireshark effectively opens a session via SSH to the router, and runs tcpdump on it. In Gentoo these require the sshdump and libssh USE flags enabled. I opted instead to use another tool that is available in extcap: ssh-based packet captures. This is relativel expensive, and no reliable over WiFi networks anyway, beside increasing congestion on an already busy network.
#Wireshark for android mac#
Googling around would suggest setting up a tee: tell iptables to forward a copy of every single packet coming from or to the phone to another mac address. Which means I have som leeway on the network access already. On the bright side, my router is currently running OpenWRT (with all the warts it has). But this is not easy particularly on a laptop with already-oversubscribed USB ports. I have not dug into the phone much more because I was already kind of tired of having to figure out pieces of the puzzle that are not obvious at all, so I looked for alternative approaches.ĭepending on the working system you use to set the capture up, you may be able to set up your computer to be an access point, and connect the phone to it. No error message and not even a help output to figure out if you need to enable somethihng. Wireshark calls into extcap, that calls into androiddump, that calls into adb, that calls into tcpdump on the device.Īnd here is the problem: my device (a Sony Xperia XA from 3 Ireland) has indeed a tcpdump command, but the only thing it does is returning 1 as return value, and that’s it. The explanation is kind of simple: this set of interfaces is effetively just a matrioska of interfaces. Googling for a good half hour didn’t bring me anywhere, I even started strace‘ing the process (to the point that Wireshark crashed in a few situations!) until I finally managed to figure out the right -incantation- invokation of the androiddump tool… that had no more information even in verbose mode, but at least it told me what it was trying to do. This kept failing with the following error:Įrror by extcap pipe: ERROR: Broken socket connection.Īnd no further debugging information available. There are multiple interfaces that androiddump can capture from that does include the logcat output, that makes it very useful when you’re debugging an application in realtime, but what I cared about was sniffing the packets from the interfaces on the device itself. As I’ll show later, this is not the only useful tool using the interface. I like this idea among other things because it splits the displaying/parsing from the capturing. This uses the extcap interface to “fetch” the packets to display from a remote source. Rick suggested to look into the androiddump tool that comes with Wireshark on Gentoo that requires enabling the right USE flag. So make sure you get your Wireshark installed, and make sure you never run it as root for your own safety.
#Wireshark for android android#
What I wanted to write about is some notes about my experience, if nothing else because it took me a while to get all the fragments ready, and I could not find a single entry anywhere that would explain what the error message I was receiving was about.įirst of all, this is about the Wireshark tool, and Android phones, but at the end of the day you’ll find something that would work almost universally with a bunch of caveats. There are a few other things that can go wrong, they can for instance not validate the certificate provided over TLS, effectively allowing MITM attacks to succeed, but that’s a different story altogether, so I won’t go there for now. This was important because if it didn’t, it meant it was sending medical information over plaintext. In my review of the iHealth glucometer I pointed out that I did indeed check if the app talked with the remote service over TLS or not.
0 kommentar(er)
