Gather packets from your Android without ARP spoofing...

Dumping packets..
So a while back I had written about gathering packets from the android phone - often using simple ARP spoofing and Wireshark to grab all the traffic. Sadly I kept postponing this post and then just forgot to put it up, showing how to grab the packets in a much easier way, which doesn’t even require you to put your android phone on a WIFI network.

I’m not sure why this method never seemed to dawn on me in the beginning - since it’s so simple basically and has come in hand numerous times since :)

On your computers shell/cmd;

adb shell tcpdump -vv -s 0 -w /sdcard/output.cap

A quick run down of the switches we are using are the following;

  • -vv_ puts tcpdump into verbose mode - to give us some extra information
  • -s 0 sets the size of sender to look for to zero, telling the program to grab all packets
  • -w /sdcard/output.cap will let us set the packets grabbed to be written to the sdcard for analysis later.

Once your done just break the command (control-c) and go open up the .cap file with your favorite analyzer like wireshark. You can also just run this command from your favorite terminal on the phone – allowing you to grab packets on the go. This should be pretty obvious, though I feel I must say it since people seem to think adb is something unlike a terminal? I’m not sure why this comes up, but people end up pasting the same thing I’ve done often, and then saying “You can just do it in a terminal on the phone, and it’s easiierr!”. Well yes, yes you can… Though copy-pasta-ing someones idea doesn’t make you much brighter ;)
Directly on the phone, or already adb’ed into it;

tcpdump -vv -s 0 -w /sdcard/output.cap**

Update: 8/31/09 I’ve pulled the tcpdump from my rom and uploaded it to my server, you can download it here: tcpdump. It is tcpdump version 3.9.8 libpcap version 0.9.8 - for anyone wondering. Push this file to you /system/bin or /system/xbin and then chmoding it to be executable should make this work. Enjoy!