This migration away from direct Web access in favor of dedicated smartphone apps has made for a richer user experience, but it has also made it a lot harder to know exactly what is going on “under the hood”.
The Monitoring Android Traffic with Wireshark article from Linux Journal tells how you can use Wireshark to monitor the data flowing between an app running on a smartphone and its cloud service. Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but has a graphical front-end plus integrated sorting and filtering options. Wireshark was originally designed for monitoring TCP/IP and Ethernet network traffic, but it can also be used to monitor wireless networks and USB traffic.
The Monitoring Android Traffic with Wireshark article shows how, with just a little bit of work, you can use Linux to turn almost any laptop into a “secret-sharing” wireless access point (WAP), connect your phone to it and view the data flowing to and from the phone with relative ease. All you really need is a laptop running Linux with one wireless and one Ethernet connection. You don’t need to mess around with your existing router (no need to change its security settings), and it doesn’t require rooting the phone or installing anything unseemly on it. Keep in mind that what you see in the clear depends on the app: traffic protected by TLS will show you the endpoints, the SNI hostnames and the timing, but not the content, which is what the HTTPS-decryption links in the comments below are about.
This looks interesting and something I might need some day. I have used Wireshark a lot (I have even written my own protocol dissectors for it using Lua), but I have not yet used it to monitor wireless traffic from an Android phone.
47 Comments
Tomi Engdahl says:
ESP to Wireshark
http://hackaday.com/2017/07/06/esp-to-wireshark/
Everyone’s favorite packet sniffing tool, Wireshark, has been around for almost two decades now. It’s one of the most popular network analysis tools available, partially due to it being free and open source. Its popularity guaranteed that it would eventually be paired with the ESP32/8266, the rising star of the wireless hardware world, and [spacehuhn] has finally brought these two tools together to sniff WiFi packets.
The library that [spacehuhn] created uses the ESP chip to save Pcap files (the default Wireshark filetype) onto an SD card or send the data over a serial connection. The program runs once every 30 seconds, creating a new Pcap file each time.
A library for creating and sending .pcap files for Wireshark and other programs.
https://github.com/spacehuhn/ArduinoPcap
Create and send .pcap files using ESP8266/ESP32 and Arduino.
Tomi Engdahl says:
https://wiki.wireshark.org/SampleCaptures
Tomi Engdahl says:
Intercept Images from a Security Camera Using Wireshark [Tutorial]
https://www.youtube.com/watch?v=va1wUSPGgSU
How to Use Wireshark to Hijack Pictures from Wi-Fi Cameras
Tomi Engdahl says:
Tutorial: Ripping MP3 streams from websites using Wireshark
https://www.youtube.com/watch?v=OPa7F9H8A6Y
Tomi Engdahl says:
https://www.wireshark.org/docs/relnotes/wireshark-3.0.5.html
Tomi Engdahl says:
https://www.wireshark.org/docs/relnotes/wireshark-3.0.7.html
Tomi Engdahl says:
https://www.wireshark.org/docs/relnotes/wireshark-3.2.0.html
Tomi Engdahl says:
Wireshark Tutorial: Examining Ursnif Infections
https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/
Tomi Engdahl says:
How to Capture Packets in Wireshark
https://www.techrhn.com/how-to-capture-packets-in-wireshark/
Tomi Engdahl says:
Network Engineer Tools – Wireshark and Cloudshark
https://www.youtube.com/watch?v=17KIrNDVobE
Tomi Engdahl says:
https://www.wisdomjobs.com/e-university/wireshark-interview-questions.html
Tomi Engdahl says:
Use the Text2pcap tool to convert; then you can open the pcap in Wireshark or any supported tool.
Text2pcap supports generation of dummy L2-4 headers (Ethernet, IP, TCP/UDP/SCTP). See if that helps; once converted, you can load the pcap in any netmon tool.
Check the link below for reference:
https://www.wireshark.org/docs/man-pages/text2pcap.html
Tomi Engdahl says:
Lateral Movement in Wireshark – Nmap scan
https://m.youtube.com/watch?v=-I3hePwDzjg&feature=youtu.be
Tomi Engdahl says:
https://wiki.wireshark.org/SampleCaptures
https://www.malware-traffic-analysis.net/
Tomi Engdahl says:
https://medium.com/@schirrmacher/analyzing-whatsapp-calls-176a9e776213
Tomi Engdahl says:
https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/
Tomi Engdahl says:
GeoIP Mapping in Wireshark
https://www.chappell-university.com/post/geoip-mapping-in-wireshark
Tomi Engdahl says:
https://egorovandreyrm.com/pcap-remote-tutorial/
https://github.com/egorovandreyrm/pcap-remote
Tomi Engdahl says:
Log iOS network traffic without a proxy
https://github.com/evilpenguin/NetworkSniffer
Tomi Engdahl says:
Mordor PCAPs — Part 1: Capturing Network Packets from Windows Endpoints with Network Shell (Netsh) ⚔️ and Azure Network Watcher
https://medium.com/threat-hunters-forge/mordor-pcaps-part-1-capturing-network-packets-from-windows-endpoints-with-network-shell-e117b84ec971
Tomi Engdahl says:
New to Wireshark and attempting to snoop USB
https://ask.wireshark.org/question/15383/new-to-wireshark-and-attempting-to-snoop-usb/
No USB interfaces after Wireshark update
https://osqa-ask.wireshark.org/questions/62981/no-usb-interfaces-after-wireshark-update/
The point is that the USBPcap installer has to be run after Wireshark has been installed so that it can place USBPcapCMD.exe in the proper directory in the Wireshark directory tree, but for some reason it cannot run if you do not manually uninstall the previous version beforehand.
What you can do if you don’t want to uninstall and reinstall everything is to manually copy USBPcapCMD.exe from C:\Program Files\USBPcap to C:\Program Files\Wireshark\Extcap.
Tomi Engdahl says:
https://nmap.org/npcap/
Tomi Engdahl says:
USBPcap – USB Packet capture for Windows
USBPcap is an open-source USB sniffer for Windows.
https://desowin.org/usbpcap/
https://desowin.org/usbpcap/thankyou.html?file=1.5.4.0/USBPcapSetup-1.5.4.0.exe
A digitally signed installer for Windows 7, 8 and 10, both x86 and x64, is available on GitHub. After installation you must restart your computer.
USBPcap support was committed in revision 48847 (Wireshark #8503). The first official Wireshark version that supports USBPcap is 1.10.0rc1.
Tomi Engdahl says:
https://hackersonlineclub.com/wireshark-commands-cheatsheet/
Tomi Engdahl says:
https://rad-infosec.ca/f/malware-traffic-analysis-with-wireshark
Tomi Engdahl says:
Another new video from SharkFest’21 Virtual EUROPE has just been posted, with Rolf Leutert speaking on IPv6 with Wireshark.
For more live Wireshark classes like this, sign up for SharkFest’21 Virtual US, beginning on September 12th!
https://sharkfestus.wireshark.org
SF21VEU – 17 Discovering IPv6 with Wireshark (Rolf Leutert)
https://m.youtube.com/watch?v=B8bNidd7Kdc
Tomi Engdahl says:
https://www.profitap.com/profishark-network-taps/
Tomi Engdahl says:
how Hackers SNiFF (capture) network traffic // MiTM attack
https://www.youtube.com/watch?v=-rSqbgI7oZM
Tomi Engdahl says:
https://www.wireshark.org/tools/wpa-psk.html
Tomi Engdahl says:
03 Visualizing TLS Encryption – making sense of TLS in Wireshark
https://m.youtube.com/watch?v=nmOGc44w96E&feature=youtu.be
Tomi Engdahl says:
https://www.facebook.com/groups/wireshark/permalink/5542311579119125/
What I did to make sure Wireshark can give me good information such as GPS coordinates:
Download the GeoLite2 databases from MaxMind (because they are open source).
Put them in a directory of your choice.
Point Wireshark to the databases, then see the results for each packet under Internet Protocol.
Tomi Engdahl says:
Next up in our video series from SharkFest’21 Virtual US: Mark Stout talks about using Wireshark with LTE and 5G networks.
https://m.youtube.com/watch?v=uNmcGNzJ2xc&feature=youtu.be
Tomi Engdahl says:
https://www.trickster.dev/post/decrypting-your-own-https-traffic-with-wireshark/
Tomi Engdahl says:
Wireshark HTTPS Decryption
https://hackaday.com/2022/03/22/wireshark-https-decryption/
Tomi Engdahl says:
PCAP Capture File Format
https://www.rfc-editor.org/rfc/internet-drafts/draft-ietf-opsawg-pcap-00.html
Tomi Engdahl says:
https://hackersonlineclub.com/wireshark-3-6-7-releases/
Tomi Engdahl says:
What’s That Scope Trace Saying? UPD And Wireshark
https://hackaday.com/2022/08/14/whats-that-scope-trace-saying-upd-and-wireshark/
[Matt Keeter], like many of us, has a lot of network-connected devices and an oscilloscope. He decided he wanted to look into what was on the network. While most of us might reach for Wireshark, he started at the PCB level. In particular, he had — or, rather, had someone — solder an active differential probe into an Ethernet switch. The scope attached is a Tektronix, but it didn’t have the analyzer to read network data. However, he was able to capture 190+ MB of data and wrote a simple parser to analyze the network data pulled from the switch.
The point of probing is between a network switch and the PHY that expands one encoded channel into four physical connections using QSGMII (quad serial gigabit media-independent interface). As the name implies, this jams four SGMII channels onto one pair.
From Oscilloscope to Wireshark: A UDP Story
https://www.mattkeeter.com/blog/2022-08-11-udp/
Like many of you, I’ve got hardware on my desk that’s sending UDP packets, and the time has come to take a closer look at them.
Most “low-level” networking tutorials will bottom out somewhere at “use tcpdump to see raw packets”. We’ll be starting a bit lower in the stack; specifically, here
This is a high-speed active differential probe soldered to an Oxide Computer Company rack switch. We’re going all the way down to the metal.
The oscilloscope doesn’t have a built-in QSGMII analyzer (and we’ll want to do fairly sophisticated processing of the data), so I wanted to export waveform data to my computer.
How much data should I capture? Analog waveforms can easily add up to multiple gigabytes, so I’d like to capture a small amount while still catching a packet or two.
I knew that a device on the network was emitting about 30K UDP packets per second, or one packet every 33 µs. I configured the oscilloscope to collect 100M samples at 1 TSPS (tera-samples per second, 10^12), which multiplies out to 100 µs of data; this means we should catch 1-3 UDP packets.
After hunting down a USB key, I ended up with a 191M .wfm file to process.
We know our sample rate (1 TSPS) and the nominal QSGMII bit rate (5 GHz); this means that a single-bit pulse (e.g. 010) should be a 200-sample pulse. In turn, we expect a comma character to be roughly 1000 samples long (200 × 5).
The oscilloscope and switch may not have exactly the same clock rate. If we go a long time between comma characters, we may end up sampling at the wrong position in the waveform!
It turns out that we need to synchronize in two places:
Comma characters tell us when a new code-group starts
Bit transitions help us keep the clock in sync
Storing and analyzing packets
Decoding ethernet frames with our eyes gets old fast.
Luckily, there are lots of good tools for working with frame data. Using the pcap library, we can write out a .pcap file to be analyzed with Wireshark.
Here’s our full analyzer, going from .wfm to four .pcap files
The whole pipeline – from loading the .wfm to writing the .pcap file – runs in about 410 milliseconds on my computer. Considering I put no effort into optimization, this isn’t too bad!
Using tshark, we can confirm that these are UDP packets:
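Added example (my own code, not from the page, from Matt Keeter's post, from the ArduinoPcap project or from text2pcap): a pure-Python writer and reader for the classic pcap format, the format the IETF draft linked above documents. The writer wraps a bare payload in the same kind of dummy Ethernet/IPv4/UDP headers that text2pcap generates for a payload-only hex dump (the text2pcap comment earlier in this thread), and the reader/decoder confirms the result really is UDP, which is what the tshark step above checks. It uses only the standard library; all MAC and IP addresses, ports, payloads and timestamps are constructed sample values, and the IPv4 checksum check is there because a flipped header bit is the first thing a decode from raw scope samples will hit.

```python
import io
import socket
import struct

# Classic pcap global-header magic -> (byte order, timestamp fraction divisor)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}
DLT_EN10MB = 1          # link-layer type: Ethernet
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Constructed, locally administered sample MACs for the dummy headers.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header.
    Returns 0 when the header's stored checksum field is included and valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dummy_eth_ip_udp(payload: bytes, src="10.0.0.1", dst="10.0.0.2",
                     sport=40000, dport=5000, ident=1) -> bytes:
    """Wrap an L4 payload in constructed Ethernet/IPv4/UDP headers, the way
    `text2pcap -e 0x0800 -u sport,dport` does for a payload-only hex dump."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP csum 0 = absent
    fields = [0x45, 0, 20 + udp_len, ident, 0, 64, IPPROTO_UDP, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    ip = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(ip)                 # fill in the real header checksum
    ip = struct.pack("!BBHHHBBH4s4s", *fields)
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def write_pcap(packets, link_type=DLT_EN10MB, snaplen=65535) -> bytes:
    """Serialise [(timestamp_seconds, frame_bytes), ...] as a little-endian,
    microsecond-resolution classic pcap (24-byte global header + 16-byte records)."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, link_type))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data: bytes):
    """Yield (timestamp, link_type, frame) from a classic pcap blob, honouring the
    byte order and timestamp resolution encoded in the magic number."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng starts with 0x0A0D0D0A)")
    order, divisor = PCAP_MAGICS[magic]
    link_type = struct.unpack(order + "IHHiIII", data[:24])[6]
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        if len(frame) != incl:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl
        yield sec + frac / divisor, link_type, frame


def decode_udp(frame: bytes):
    """Return (src, dst, sport, dport, payload) for an Ethernet/IPv4/UDP frame, or
    None if it is some other protocol or the IPv4 header fails its checksum."""
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or total_len < ihl + 8 or len(ip) < total_len:
        return None
    if ipv4_checksum(ip[:ihl]) != 0 or ip[9] != IPPROTO_UDP:
        return None   # corrupt header (e.g. one mis-sampled bit) rather than a mis-decode
    sport, dport, ulen, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    payload = ip[ihl + 8:min(ihl + ulen, total_len)]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, payload


def summarize(pcap_bytes: bytes):
    """One row per record, what `tshark -r file.pcap` would confirm for the UDP ones."""
    return [decode_udp(frame) for _ts, _lt, frame in read_pcap(pcap_bytes)]


if __name__ == "__main__":
    # Constructed sample: two datagrams from an embedded board, 33 us apart.
    frames = [(1_700_000_000.0, dummy_eth_ip_udp(b"telemetry sample 1")),
              (1_700_000_000.000033, dummy_eth_ip_udp(b"telemetry sample 2", ident=2))]
    with open("constructed.pcap", "wb") as fh:
        fh.write(write_pcap(frames))   # open in Wireshark, or: tshark -r constructed.pcap
    print(summarize(write_pcap(frames)))
```

Running the block as a script writes constructed.pcap, which Wireshark opens as two UDP packets. For a capture that is not Ethernet (USBPcap, for instance) the only change is the link-type value in the global header; the record layout stays the same, which is why a hand-rolled writer like this one is enough to hand almost any decoded bitstream to Wireshark.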
Tomi Engdahl says:
Bits And Bytes
Wireshark 4.0.0 has been released. There’s a handful of new protocols supported, and the normal library bumps you would expect. Some features see a speed improvement, and the interfaces have gotten a bit of spit’n’polish.
https://www.wireshark.org/docs/relnotes/wireshark-4.0.0.html
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development and education.
What’s New
We no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779
The display filter syntax is more powerful with many new extensions. See below for details.
The Conversation and Endpoint dialogs have been redesigned. See below for details.
The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
Hex dump imports from Wireshark and from text2pcap have been improved. See below for details.
Speed when using MaxMind geolocation has been greatly improved.
The tools and libraries required to build Wireshark have changed. See “Other Development Changes” below for more details.
Many other improvements have been made. See the “New and Updated Features” section below for more details.
Tomi Engdahl says:
Wireshark 4.0 Released With Improved Hex Dump Imports
https://hackersonlineclub.com/wireshark-4-released/
Wireshark 4.0.0 Released – A Network Security Framework
Wireshark is a free and open-source network analyzer. It is used for network troubleshooting, analysis, and penetration testing.
Starting with this version, Wireshark no longer ships official 32-bit Windows packages. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release.
Tomi Engdahl says:
https://hackersonlineclub.com/how-to-capture-pcap-logs-with-wireshark/
Tomi Engdahl says:
I created a bash script called Purple Shark to automatically read through PCAP files and extract network traffic information. Check out this video if you’re interested.
[Blue Team Cyber Security]
https://youtu.be/lnBnNEV4Jtg
Tomi Engdahl says:
Decades-old Packet Analyzer Resurfaces As An Open-Source Foundation
https://analyticsindiamag.com/decades-old-packet-analyzer-resurfaces-as-an-open-source-foundation/
Wireshark can be used to identify network problems such as slow response times, dropped packets and connectivity issues.
Tomi Engdahl says:
Sniffnet is a cross-platform Rust-based network monitoring tool.
https://news.itsfoss.com/sniffnet/
Tomi Engdahl says:
Cheap USB Sniffer Has Wireshark Interface
https://hackaday.com/2023/06/13/cheap-usb-sniffer-has-wireshark-interface/
If you’ve done any development on USB hardware, you’ve probably wished you could peek at the bits and bytes as they pass through the data lines. Sometimes, it’s the only way to properly understand what’s going on. [ataradov]’s USB sniffer is built to do just that.
To sniff high-speed USB communications, the device relies on a Lattice LCMXO2 FPGA and a Cypress CY7C68013A microcontroller, paired with a Microchip USB3343 USB PHY. This setup is capable of operating at data rates of up to 40-50 MB/s, more than enough to debug the vast majority of USB peripherals on the market.
If you need this tool, spinning up your own is straightforward. Gerber files are available and the required components can be bought off the shelf. Once assembled, you can program the chips via USB, with no external hardware programmer required.
https://github.com/ataradov/usb-sniffer
Tomi Engdahl says:
https://hackersonlineclub.com/how-to-analyse-and-capture-the-packets-in-wireshark/
Tomi Engdahl says:
An old Ethernet hub is sometimes useful for sniffing network data with Wireshark (just plug it between two communicating devices and plug the PC running Wireshark into a third port). Sniffing can also be done with a modern managed Ethernet switch that has a monitoring port.
Hubs are also useful if you need to test that your embedded device works OK in all Ethernet modes (those half-duplex 10M and 100M modes).
Tomi Engdahl says:
https://cybersecuritynews.com/wireshark-4-4-0-released/