This migration away from direct Web access in favor of dedicated smartphone apps has made for a richer user experience, but it also has made knowing exactly what is going on “under the hood” a lot harder.
The article Monitoring Android Traffic with Wireshark from Linux Journal tells how you can use Wireshark to monitor the data flowing between an app running on a smartphone and its cloud service. Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options. Wireshark was originally designed for monitoring TCP/IP and Ethernet network traffic, but it can also be used to monitor wireless networks and USB traffic.
The article shows how, with just a little bit of work, you can use Linux to transform almost any laptop into a secret-sharing wireless access point (WAP), connect your phone to it and view the data flowing to and from the phone with relative ease. All you really need is a laptop running Linux with one wireless and one Ethernet connection. You don't need to mess around with your existing router (no need to change security settings), and it doesn't require rooting or installing anything unseemly on your phone. Keep in mind that this shows the traffic as it crosses the air: for the many apps that use TLS you will see DNS lookups, server names and connection metadata, but not the encrypted payload.
This looks interesting and something I might need some day. I have used Wireshark a lot (I have even written my own protocol dissectors for it using Lua), but I have not yet used it to monitor wireless traffic from an Android phone.
98 Comments
Tomi Engdahl says:
https://github.com/cy-arduino/log2pcap
Tomi Engdahl says:
Perl script to convert a regular log file into syslog messages in a pcap file for Wireshark
https://gist.github.com/mdeweerd/47ea977028259ee9a6b6fd8f2356c65d
Tomi Engdahl says:
https://github.com/tiebingzhang/txt2pcap
Tomi Engdahl says:
https://www.wireshark.org/docs/man-pages/text2pcap.html
Tomi Engdahl says:
https://tshark.dev/edit/text2pcap/#example-1-create-packets-from-scratch-with-text2pcap-dummy-headers
Tomi Engdahl says:
AI packet analyzer
https://lab.dynamite.ai/
https://blog.ipspace.net/2024/03/worth-reading-chatgpt-packet-buddy/
https://github.com/automateyournetwork/packet_buddy
https://www.packetsafari.com/aishark
Tomi Engdahl says:
Effortless PCAP File Analysis in Your Browser
Explore and analyze PCAP files online using A-Packets, designed to provide comprehensive insights into network protocols like IPv4/IPv6, HTTP, Telnet, FTP, DNS, SSDP, and WPA2. This tool allows users to easily view details of network communications and dissect layers of data transmission.
https://apackets.com/
Tomi Engdahl says:
https://linuxexplore.com/2010/05/30/remote-packet-capture-using-wireshark-tcpdump/
https://serverfault.com/questions/38626/how-can-i-read-pcap-files-in-a-friendly-format
Tomi Engdahl says:
https://apackets.com/pcaps
Tomi Engdahl says:
https://www.xda-developers.com/ways-use-port-mapping-on-your-home-network/
Tomi Engdahl says:
https://stackoverflow.com/questions/56458846/wireshark-data-as-ascii
Tomi Engdahl says:
Setting up custom column views within Wireshark.
https://www.youtube.com/watch?v=qamES2CmfSA
Tomi Engdahl says:
Wireshark | 01 | Introduction to Wireshark
https://www.youtube.com/watch?v=28PwBTWLliY&list=PLTS-Jel4E3gX2tNXyXVImwdW2NaV-dR6U
Tomi Engdahl says:
https://medium.com/@viewshola/analyzing-pcap-files-using-wireshark-73fc1bef3c05
Demystifying a PCAP File: The Comprehensive Guide
https://www.netwitness.com/blog/pcap-file-guide/
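As an added worked example (not code from this page, from log2pcap/txt2pcap, or from any of the linked guides), the following Python script does what the log-to-pcap converters above do and what the pcap file guides describe: it wraps constructed syslog lines in Ethernet/IPv4/UDP frames, serializes them into a classic pcap file (24-byte global header, then a 16-byte record header per packet), and parses the result back, detecting byte order from the magic number and verifying the IPv4 header checksum. The MAC addresses, IP addresses, ports, timestamps and log lines are constructed sample values.

```python
"""Constructed syslog lines -> Ethernet/IPv4/UDP frames -> classic pcap -> parsed back (added example)."""
import socket
import struct

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
# Constructed sample addresses; not taken from any real capture.
SRC_MAC = bytes.fromhex("00163e000002")
DST_MAC = bytes.fromhex("00163e000001")


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header (checksum field zeroed when computing)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syslog_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + UDP frame; the UDP checksum is left at 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + udp


def write_pcap(frames, base_ts=1700000000.0) -> bytes:
    """Little-endian classic pcap: global header, then (ts_sec, ts_usec, incl_len, orig_len, data) per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        ts = base_ts + i  # constructed timestamps, one second apart
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """Yield (timestamp, frame) from classic pcap bytes, picking the byte order from the magic number."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:  # the same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x); pcapng is not handled here" % magic)
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield sec + usec / 1_000_000, frame


def summarize(frame: bytes) -> dict:
    """Decode the Ethernet/IPv4/UDP headers into the fields a one-line Wireshark summary shows."""
    if frame[12:14] != b"\x08\x00":
        return {"proto": "non-IPv4"}
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    info = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9],
            # Summing a header that already contains its checksum yields 0 when the checksum is right.
            "ip_checksum_ok": ipv4_checksum(ip) == 0}
    if ip[9] == 17:
        sport, dport, ulen, _ = struct.unpack("!HHHH", frame[14 + ihl:14 + ihl + 8])
        info.update(sport=sport, dport=dport, payload=frame[14 + ihl + 8:14 + ihl + ulen])
    return info


# Constructed log lines, in the shape a log2pcap-style tool would read from a file.
LOG_LINES = [
    "<34>Oct 11 22:14:15 host01 sshd[2042]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "<13>Oct 11 22:14:16 host01 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/tcpdump -i eth0",
]


def log_to_pcap(lines, src="192.0.2.10", dst="192.0.2.1") -> bytes:
    """Each log line becomes one syslog/UDP datagram to port 514, sent from an increasing source port."""
    return write_pcap([build_syslog_frame(src, dst, 40000 + i, 514, line.encode()) for i, line in enumerate(lines)])


def pcap_summaries(data: bytes):
    return [(ts, summarize(frame)) for ts, frame in read_pcap(data)]


if __name__ == "__main__":
    pcap = log_to_pcap(LOG_LINES)
    with open("syslog_sample.pcap", "wb") as f:  # open this in Wireshark or with tcpdump -r
        f.write(pcap)
    for ts, s in pcap_summaries(pcap):
        print("%.6f %s:%d -> %s:%d ipcsum_ok=%s %s" % (ts, s["src"], s["sport"], s["dst"], s["dport"],
                                                      s["ip_checksum_ok"], s["payload"].decode()))
```

Opening the written file in Wireshark or with tcpdump -r shows the same summaries, which is a quick way to confirm a converter produced well-formed records. Note that newer Wireshark and dumpcap write pcapng by default, a block-based format that this reader rejects by its magic number rather than misparsing it.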
Tomi Engdahl says:
https://github.com/tinpotnick/packetpeek
Tomi Engdahl says:
https://github.com/caesar0301/awesome-pcaptools
Tomi Engdahl says:
https://github.com/arkime/arkime
https://www.youtube.com/watch?v=4KKET3oJ790
Tomi Engdahl says:
https://lab.dynamite.ai/pcaps
Tomi Engdahl says:
https://carlosmv.hashnode.dev/4-open-source-packet-analyzers-to-explore
Tomi Engdahl says:
https://github.com/tinpotnick/packetpeek
https://github.com/kunklejr/node-pcap-parser
Tomi Engdahl says:
https://stackoverflow.com/questions/45494453/read-pcap-gz-file-in-js
Tomi Engdahl says:
AI packet analysis
https://www.packetsafari.com/aishark
https://app.packetsafari.com/
https://www.b-yond.com/ai-pcap-analyzer
Tomi Engdahl says:
Troubleshooting Packets with AI
https://www.youtube.com/watch?v=kYSUy10Y5U8
Analyzing Packet Captures with AI
https://www.youtube.com/watch?v=ugrfLrL_j0Q
Tomi Engdahl says:
Analyzing DHCP and BGP packet captures with multi AI with Kubernetes
https://www.youtube.com/watch?v=Ft7C10mHB1U
Tomi Engdahl says:
https://www.crowdstrike.com/en-us/cybersecurity-101/next-gen-siem/log-file-formats/
Tomi Engdahl says:
https://graylog.org/post/log-formats-a-complete-guide/
Tomi Engdahl says:
https://www.varonis.com/blog/packet-capture
Tomi Engdahl says:
https://en.wikipedia.org/wiki/Common_Log_Format
Tomi Engdahl says:
https://discoveringsystems.com/how-to-use-chatgpt-to-get-wireshark-filters/
Tomi Engdahl says:
https://www.toolify.ai/gpts/g-VQAlpoZ9n
https://chatgpt.com/g/g-VQAlpoZ9n-wireshark-tcp-dump-analyzer/c/67b884eb-017c-8006-b7a8-aa935ccd5ae3
Convert the file to text (e.g., using tcpdump -r captureWithOnOff.pcap -n -tttt > capture.txt) and upload the text output for analysis.
Tomi Engdahl says:
https://www.tcpdump.org/pcap.html
Tomi Engdahl says:
https://github.com/markofu/pcaps/blob/master/PracticalPacketAnalysis/ppa-capture-files/telnet.pcap
Tomi Engdahl says:
https://web.archive.org/web/20160313101246/http://tech-diy.com/audio_bs.htm
Tomi Engdahl says:
How to Decrypt SSL with Wireshark – HTTPS Decryption Guide
If you’ve ever tried using Wireshark to monitor web traffic, you’ve probably run into a problem – a lot of it is encrypted transmissions. In fact, most sites are using SSL or Transport Layer Security (TLS) encryption to keep their users safe.
https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/
Tomi Engdahl says:
tcpdump -xx -n -r {file name}
Convert packet data into a form suitable for ChatGPT
Tomi Engdahl says:
https://marketplace.visualstudio.com/items?itemName=sankooc.pcapviewer&ssr=false#overview
pcapviewer is an open-source tool designed to analyze PCAP/PCAPNG (Packet Capture) files. It serves as a packet analysis tool, allowing users to inspect different layers of captured network traffic in detail, from Ethernet to Application layers. Its features are suitable for developers and network engineers who need quick, efficient access to packet-level data without the overhead of full-scale tools like Wireshark.
Tomi Engdahl says:
https://arkime.com/
https://github.com/arkime/arkime
Arkime is a large scale, open-source network analysis and packet capture system.
Tomi Engdahl says:
https://serverfault.com/questions/362529/how-can-i-sniff-the-traffic-of-remote-machine-with-wireshark
On Linux and OSX you can achieve this by running tcpdump over ssh and having wireshark listen on the pipe.
Create a named pipe:
$ mkfifo /tmp/remote
Start wireshark from the command line
$ wireshark -k -i /tmp/remote
Run tcpdump over ssh on your remote machine and redirect the packets to the named pipe:
$ ssh root@firewall "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote
Source: http://web.archive.org/web/20160316223401/http://blog.nielshorn.net/2010/02/using-wireshark-with-remote-capturing/
Tomi Engdahl says:
https://serverfault.com/questions/362529/how-can-i-sniff-the-traffic-of-remote-machine-with-wireshark
I use this oneliner as root. Is very useful!
ssh root@sniff_server_ip -p port tcpdump -U -s0 'not port 22' -i eth0 -w - | wireshark -k -i -
The last - before the | is the redirection of that output and is used as standard input by wireshark. The -k option in wireshark means "start sniffing immediately".
You can use a file descriptor to connect to and receive the packets by ssh and pipe it to wireshark locally:
wireshark -i pcap
and send the data by a separate connection:
local:~$ mkfifo pcap
local:~$ ssh user@host "cat pcap" > pcap
and finally start Wireshark
local:~$ wireshark -k -i pcap
Tomi Engdahl says:
see info on setting up the remote computer, to allow your local machine to connect and capture
http://wiki.wireshark.org/CaptureSetup/WinPcapRemote
In addition to previous answers, version with netcat nc might be useful as well:
Remote host:
mkfifo /tmp/mypcap.fifo
tcpdump -i em0 -s 0 -U -w - > /tmp/mypcap.fifo
nc -l 10000 < /tmp/mypcap.fifo
Local host:
wireshark -ki <(nc 192.168.1.1 10000)
Note about this method: It makes an insecure port open to all interfaces, so make sure to filter incoming connections with firewall rules.
Tomi Engdahl says:
You can use the following tcpdump command to read packets from a PCAP file and print each packet’s summary along with its hex dump, all on a single line per packet:
tcpdump -nn -tt -XX -r {file name} | awk 'NR > 1 && /^[^\t ]/ {print ""} {printf "%s ", $0} END {print ""}'
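For the conversion in the other direction, as an added example that is not from this page or from tcpdump's or text2pcap's authors: a small Python parser that reads the text printed by `tcpdump -nn -tt -XX` (the same hex-dump shape that text2pcap consumes and that the comments above feed to ChatGPT) and turns it back into raw frames. It checks that each packet's offsets are contiguous, so a pasted or hand-edited dump that lost a line is reported instead of being silently misparsed, and it produces the summary-plus-hex single line per packet that the awk one-liner aims for. The sample dump is constructed by hand for this example, not taken from a real capture.

```python
"""Parse the text that `tcpdump -nn -tt -XX -r file` prints back into raw frames (added example)."""
import re

# A hex dump line: leading whitespace, "0x0010:", 4-hex-digit groups (a trailing 2-digit group for an
# odd byte count), then tcpdump's two-space gap and the ASCII column, which is ignored. Plain -xx output
# (no ASCII column) matches too.
HEX_LINE = re.compile(r"^\s+0x([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{4} )*(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2}))")

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def parse_tcpdump_xx(text: str):
    """Return a list of (summary_line, frame_bytes); a frame's hex lines must follow its summary in order."""
    packets = []
    summary, chunks, expected = None, [], 0

    def flush():
        if summary is not None:
            packets.append((summary, b"".join(chunks)))

    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEX_LINE.match(line)
        if m is None:
            if line[:1].isspace() and summary is not None and not chunks:
                summary += " " + line.strip()  # indented continuation of the same summary (tcpdump -v)
            else:  # any other non-hex line starts a new packet
                flush()
                summary, chunks, expected = line.rstrip(), [], 0
            continue
        if summary is None:
            raise ValueError("hex dump before any summary line: %r" % line)
        offset = int(m.group(1), 16)
        if offset != expected:
            raise ValueError("offset 0x%04x but %d bytes seen so far; dump is garbled" % (offset, expected))
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        chunks.append(data)
        expected += len(data)
    flush()
    return packets


def ethertype(frame: bytes) -> str:
    """Name the EtherType at bytes 12-13 (-XX includes the link-layer header, so offset 0 is Ethernet)."""
    if len(frame) < 14:
        return "runt"
    value = int.from_bytes(frame[12:14], "big")
    return ETHERTYPES.get(value, "0x%04x" % value)


def one_line(summary: str, frame: bytes) -> str:
    """Summary, EtherType and the whole frame as hex on one line, one line per packet."""
    return "%s | %s | %s" % (summary, ethertype(frame), frame.hex())


# Constructed tcpdump -nn -tt -XX output for two frames (a syslog/UDP datagram and an ARP request);
# the bytes were assembled by hand for this example.
SAMPLE = "\n".join([
    "1700000000.000000 IP 192.0.2.10.40000 > 192.0.2.1.514: UDP, length 12",
    "\t0x0000:  0016 3e00 0001 0016 3e00 0002 0800 4500  ..>.....>.....E.",
    "\t0x0010:  0028 1234 4000 4011 a485 c000 020a c000  .(.4@.@.........",
    "\t0x0020:  0201 9c40 0202 0014 0000 3c33 343e 7465  ...@......<34>te",
    "\t0x0030:  7374 206d 7367                            st.msg",
    "1700000000.500000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
    "\t0x0000:  ffff ffff ffff 0016 3e00 0002 0806 0001  ........>.......",
    "\t0x0010:  0800 0604 0001 0016 3e00 0002 c000 020a  ........>.......",
    "\t0x0020:  0000 0000 0000 c000 0201                 ..........",
])

if __name__ == "__main__":
    for summary, frame in parse_tcpdump_xx(SAMPLE):
        print(one_line(summary, frame))
```

The recovered frames can be handed to text2pcap (or to a pcap writer) to get a file Wireshark will dissect; the offset check matters most for dumps that have passed through a chat window or an editor, where a dropped or duplicated line otherwise shifts every following header field.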
Tomi Engdahl says:
Simulate TCP Syn Floods with ChatGPT and Wireshark
https://www.youtube.com/watch?v=WnMW8yN3Etc
This video will cover how to analyze a packet capture in Wireshark for signs of a TCP SYN flood. We’ll start by generating a simple Python script to generate TCP connections, and analyze the traffic as the transaction rate is increased. We will also show you how to graph both good and rejected connections over time.
Tomi Engdahl says:
https://github.com/topics/network-traffic-analysis?l=python&o=desc&s=updated
Tomi Engdahl says:
https://freenetworkanalyzer.com/
Tomi Engdahl says:
https://www.opennms.com/meridian/
Tomi Engdahl says:
https://github.com/nb0309/Network-Traffic-Analysis-using-Machine-learning
Tomi Engdahl says:
https://github.com/faucetsdn/NetworkML
Tomi Engdahl says:
https://github.com/GyulyVGC/sniffnet