Monitoring Android Traffic with Wireshark

This migration away from direct Web access in favor of dedicated smartphone apps has made for a richer user experience, but it also has made knowing exactly what is going on “under the hood” a lot harder.

Monitoring Android Traffic with Wireshark article from Linux Journal tells how you can use Wireshark to monitor data flow between the app running in smart phone and the cloud service. Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options. Wireshark is originally designed for monitoring TCP/P and Ethernet network traffic, but can be used to also monitor wireless networks and USB traffic.

Monitoring Android Traffic with Wireshark article shows how, with just a little bit of work, you can use Linux to transform almost any laptop into a secret-sharing wireless access point (WAP), connect your phone and view the data flowing to and from the phone with relative ease. All you really need is a laptop running Linux with one wireless and one Ethernet connection. You don’t need to mess around with your existing router (no need to change security settings) and doesn’t require rooting or installing anything unseemly on your phone.

This looks interesting and something I might need some day. I have used Wireshark very much (I have even written my own protocol dissectors to it using Lua), but I have not yet used it to monitor wireless traffic from Android phone.

47 Comments

  1. Tomi Engdahl says:

    ESP to Wireshark
    http://hackaday.com/2017/07/06/esp-to-wireshark/

    Everyone’s favorite packet sniffing tool, Wireshark, has been around for almost two decades now. It’s one of the most popular network analysis tools available, partially due to it being free and open source. Its popularity guaranteed that it would eventually be paired with the ESP32/8266, the rising star of the wireless hardware world, and [spacehuhn] has finally brought these two tools together to sniff WiFi packets.

    The library that [spacehuhn] created uses the ESP chip to save Pcap files (the default Wireshark filetype) onto an SD card or send the data over a serial connection. The program runs once every 30 seconds, creating a new Pcap file each time.

    A library for creating and sending .pcap files for Wireshark and other programms.
    https://github.com/spacehuhn/ArduinoPcap

    Create and send .pcap files using ESP8266/ESP32 and Arduino.

    Reply
  2. Tomi Engdahl says:

    Intercept Images from a Security Camera Using Wireshark [Tutorial]
    https://www.youtube.com/watch?v=va1wUSPGgSU

    How to Use Wireshark to Hijack Pictures from Wi-Fi Cameras

    Reply
  3. Tomi Engdahl says:

    Tutorial: Ripping MP3 streams from websites using Wireshark
    https://www.youtube.com/watch?v=OPa7F9H8A6Y

    Reply
  4. Tomi Engdahl says:

    Network Engineer Tools – Wireshark and Cloudshark
    https://www.youtube.com/watch?v=17KIrNDVobE

    Reply
  5. Tomi Engdahl says:

    Use Text2pcap tool to convert then you can open pcap in Wireshark or any supported tools

    Text2pcap supports generation of dummy L2-4 headers (ethernet, ip, tcp/udp/sctp). See if that helps, once converted you can load pcap in any netmon tools
    Check below link for reference
    https://www.wireshark.org/docs/man-pages/text2pcap.html

    Reply
  6. Tomi Engdahl says:

    Mordor PCAPs — Part 1: Capturing Network Packets from Windows Endpoints with Network Shell (Netsh) ⚔️ and Azure Network Watcher
    https://medium.com/threat-hunters-forge/mordor-pcaps-part-1-capturing-network-packets-from-windows-endpoints-with-network-shell-e117b84ec971

    Reply
  7. Tomi Engdahl says:

    New to Wireshark and attempting to snoop USB
    https://ask.wireshark.org/question/15383/new-to-wireshark-and-attempting-to-snoop-usb/

    No USB interfaces after Wireshark update
    https://osqa-ask.wireshark.org/questions/62981/no-usb-interfaces-after-wireshark-update/

    The point is that the USBPcap installer has to be run after WIreshark has been installed so that it could place the USBPcapCMD.exe to the proper directory in the Wireshark directory tree, but for some reason it cannot run if you do not manually uninstall the previous version beforehand.

    What you can do if you don’t want to uninstall nad reinstall everything is to manually copy USBPcapCMD.exe from C:\Program Files\USBPcap to C:\Program Files\Wireshark\Extcap.

    Reply
  8. Tomi Engdahl says:

    USBPcap – USB Packet capture for Windows
    USBPcap is an open-source USB sniffer for Windows.
    https://desowin.org/usbpcap/
    https://desowin.org/usbpcap/thankyou.html?file=1.5.4.0/USBPcapSetup-1.5.4.0.exe

    Digitally signed installer for Windows 7, 8 and 10, both x86 and x64 is available at Github. After installation you must restart your computer.

    USBPcap support was commited in revision 48847 (Wireshark #8503). The first official Wireshark version that supports USBPcap is 1.10.0rc1.

    Reply
  9. Tomi Engdahl says:

    Another new video from SharkFest’21 Virtual EUROPE has just been posted, with Rolf Leutert speaking on IPv6 with Wireshark.
    For more live Wireshark classes like this, sign up for SharkFest’21 Virtual US, beginning on September 12th!
    https://sharkfestus.wireshark.org

    SF21VEU – 17 Discovering IPv6 with Wireshark (Rolf Leutert)
    https://m.youtube.com/watch?v=B8bNidd7Kdc

    Reply
  10. Tomi Engdahl says:

    how Hackers SNiFF (capture) network traffic // MiTM attack
    https://www.youtube.com/watch?v=-rSqbgI7oZM

    Reply
  11. Tomi Engdahl says:

    03 Visualizing TLS Encryption – making sense of TLS in Wireshark
    https://m.youtube.com/watch?v=nmOGc44w96E&feature=youtu.be

    Reply
  12. Tomi Engdahl says:

    https://www.facebook.com/groups/wireshark/permalink/5542311579119125/

    What I did to make sure wireshark can give me good information such as GPS coordinates.
    Download Geolite2 databases from maxmind (because they are opensource).
    put them in a directory you want
    point wireshark to the databases. then see the results of each packet on the internet protocol.

    Reply
  13. Tomi Engdahl says:

    Next up in our video series from SharkFest’21 Virtual US: Mark Stout talks about using Wireshark with LTE and 5G networks.
    https://m.youtube.com/watch?v=uNmcGNzJ2xc&feature=youtu.be

    Reply
  14. Tomi Engdahl says:

    What’s That Scope Trace Saying? UPD And Wireshark
    https://hackaday.com/2022/08/14/whats-that-scope-trace-saying-upd-and-wireshark/

    [Matt Keeter], like many of us, has a lot of network-connected devices and an oscilloscope. He decided he wanted to look into what was on the network. While most of us might reach for Wireshark, he started at the PCB level. In particular, he had — or, rather, had someone — solder an active differential probe soldered into an Ethernet switch. The scope attached is a Textronix, but it didn’t have the analyzer to read network data. However, he was able to capture 190+ MB of data and wrote a simple parser to analyze the network data pulled from the switch.

    The point of probing is between a network switch and the PHY that expands one encoded channel into four physical connections using QSGMII (quad serial gigabit media-independent interface). As the name implies, this jams four SGMII channels onto one pair.

    From Oscilloscope to Wireshark: A UDP Story
    https://www.mattkeeter.com/blog/2022-08-11-udp/

    Like many of you, I’ve got hardware on my desk that’s sending UDP packets, and the time has come to take a closer look at them.

    Most “low-level” networking tutorials will bottom out somewhere at “use tcpdump to see raw packets”. We’ll be starting a bit lower in the stack; specifically, here

    This is a high-speed active differential probe soldered to an Oxide Computer Company rack switch. We’re going all the way down to the metal.

    The oscilloscope doesn’t have a built-in QSGMII analyzer (and we’ll want to do fairly sophisticated processing of the data), so I wanted to export waveform data to my computer.

    How much data should I capture? Analog waveforms can easily add up to multiple gigabytes, so I’d like to capture a small amount while still catching a packet or two.

    I knew that a device on the network was emitting about 30K UDP packets per second, or one packet every 33 µs. I configured the oscilloscope to collect 100M samples at 1 TSPS (tera-sample per second, 1012), which multiplies out to 100 µs of data; this means we should catch 1-3 UDP packets.

    After hunting down a USB key, I ended up with a 191M .wfm file to process.

    We know our sample rate (1 TPSP) and the nominal QSGMII bit rate (5 GHz); this means that a single-bit pulse (e.g. 010) should be a 200-sample pulse. In turn, we expect a comma character to be roughly 1000 samples long (200 × 5).

    The oscilloscope and switch may not have exactly the same clock rate. If we go a long time between comma characters, we may end up sampling at the wrong position in the waveform!

    It turns out that we need to synchronize in two places:

    Comma characters tell us when a new code-group starts
    Bit transitions help us keep the clock in sync

    Storing and analyzing packets

    Decoding ethernet frames with our eyes gets old fast.

    Luckily, there are lots of good tools for working with frame data. Using the pcap library, we can write out a .pcap file to be analyzed with Wireshark.

    Here’s our full analyzer, going from .wfm to four .pcap files

    The whole pipeline – from loading the .wfm to writing the .pcap file – runs in about 410 milliseconds on my computer. Considering I put no effort into optimization, this isn’t too bad!

    Using tshark, we can confirm that these are UDP packets:

    Reply
  15. Tomi Engdahl says:

    Bits And Bytes

    Wireshark 4.00 has been released. There’s a handful of new protocols supported, and the normal library bumps you would expect. Some features see a speed improvement, and the interfaces have gotten a bit of spit’n’polish.

    https://www.wireshark.org/docs/relnotes/wireshark-4.0.0.html

    What is Wireshark?

    Wireshark is the world’s most popular network protocol analyzer. It is used for troubleshooting, analysis, development and education.
    What’s New

    We no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release. Issue 17779

    The display filter syntax is more powerful with many new extensions. See below for details.

    The Conversation and Endpoint dialogs have been redesigned. See below for details.

    The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.

    Hex dump imports from Wireshark and from text2pcap have been improved. See below for details.

    Speed when using MaxMind geolocation has been greatly improved.

    The tools and libraries required to build Wireshark have changed. See “Other Development Changes” below for more details.

    Many other improvements have been made. See the “New and Updated Features” section below for more details.

    Reply
  16. Tomi Engdahl says:

    Wireshark 4.0 Released With Improved Hex Dump Imports
    https://hackersonlineclub.com/wireshark-4-released/

    Wireshark 4.0.0 Released – A Network Security Framework

    Wireshark is an free and open-source network analyzer. It is using for network troubleshooting, analysis, and penetration testing.

    In this version Wireshark no longer ship official 32-bit Windows packages starting with this release. If you need to use Wireshark on that platform, we recommend using the latest 3.6 release.

    Reply
  17. Tomi Engdahl says:

    I created a bash script called Purple Shark to automatically read through PCAP files and extract network traffic information. Check out this video if you’re intereste
    [Blue Team Cyber Security]
    https://youtu.be/lnBnNEV4Jtg

    Reply
  18. Tomi Engdahl says:

    Decades-old Packet Analyzer Resurfaces As An Open-Source Foundation
    https://analyticsindiamag.com/decades-old-packet-analyzer-resurfaces-as-an-open-source-foundation/

    Wireshark can be used to identify network problems such as slow response times, dropped packets and connectivity issues.

    Reply
  19. Tomi Engdahl says:

    Sniffnet is a cross-platform Rust-based network monitoring tool.

    https://news.itsfoss.com/sniffnet/

    Reply
  20. Tomi Engdahl says:

    Cheap USB Sniffer Has Wireshark Interface
    https://hackaday.com/2023/06/13/cheap-usb-sniffer-has-wireshark-interface/

    If you’ve done any development on USB hardware, you’ve probably wished you could peek at the bits and bytes as they pass through the data lines. Sometimes, it’s the only way to properly understand what’s going on. [ataradov]’s USB sniffer is built to do just that.

    To sniff high-speed USB communications, the device relies on a Lattice LCMXO2 FPGA and a Cypress CY7C68013A microcontroller, paired with a Microchip USB3343 USB PHY. This setup is capable of operating at data rates of up to 40-50 MB/s, more than enough to debug the vast majority of USB peripherals on the market.

    If you need this tool, spinning up your own is straightforward. Gerber files are available and the required components can be bought off the shelf. Once assembled, you can program the chips via USB, with no external hardware programmer required.

    https://github.com/ataradov/usb-sniffer

    Reply
  21. Tomi Engdahl says:

    Old Ethernet HUB is sometimes useful for network data sniffing with Wireshark (just plug between two communicating devices and plug PC with Wireshark to third port). Sniffing can also be done with a modern managed Ethernet switch that has monitoring port).

    HUBs are useful also if you need to test that your embedded device works OK in all Ethernet modes (those half duplex 10M and 100M modes).

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*