Gather packets from your Android without ARP spoofing…
Dumping packets..

So a while back I wrote about gathering packets from an Android phone, often using simple ARP spoofing and Wireshark to grab all the traffic. Sadly, I kept postponing this follow-up post and then just forgot to put it up. It shows how to grab the packets in a much easier way, one that doesn't even require you to put your Android phone on a Wi-Fi network.

I'm not sure why this method never seemed to dawn on me in the beginning, since it's basically so simple and has come in handy numerous times since 🙂

On your computer's shell/cmd:

adb shell tcpdump -vv -s 0 -w /sdcard/output.cap

A quick rundown of the switches we are using:

-vv puts tcpdump into verbose mode, to give us some extra information
-s 0 sets the snapshot length (the number of bytes saved from each packet) to zero, telling the program to grab every packet in full instead of cutting it short
-w /sdcard/output.cap writes the captured packets to the SD card for analysis later.

Once you're done, just break the command (Control-C) and open the .cap file with your favorite analyzer, such as Wireshark.
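The effect of -s 0 can be checked on the capture file itself. The following is an added example, not code from the original post: it reads the classic pcap header of a file such as output.cap and counts the packets whose captured length is shorter than their original length, which is what a capture taken with a short snapshot length looks like. The function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

GLOBAL_HDR = "IHHiIII"  # magic, ver major, ver minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"     # ts_sec, ts_usec, captured length, original length

def summarize_pcap(data):
    """Summarize a classic pcap file (the format tcpdump -w writes)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"   # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if len(data) < 24:
        raise ValueError("pcap global header is incomplete")
    snaplen, linktype = struct.unpack_from(endian + GLOBAL_HDR, data, 0)[5:7]
    offset, packets, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack_from(endian + RECORD_HDR, data, offset)
        if offset + 16 + caplen > len(data):
            break      # record body missing, e.g. file copied mid-write
        offset += 16 + caplen
        packets += 1
        truncated += caplen < origlen   # packet was cut at snaplen
    return {"snaplen": snaplen, "linktype": linktype, "packets": packets,
            "truncated": truncated, "incomplete": offset != len(data)}

def build_sample(snaplen, original_lengths):
    """Constructed sample capture: zero-filled packets cut at snaplen."""
    out = struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for origlen in original_lengths:
        caplen = min(origlen, snaplen)
        out += struct.pack("<" + RECORD_HDR, 0, 0, caplen, origlen) + b"\x00" * caplen
    return out

if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. a file fetched with: adb pull /sdcard/output.cap
        with open(sys.argv[1], "rb") as fh:
            print(summarize_pcap(fh.read()))
    else:
        print(summarize_pcap(build_sample(68, [60, 1500])))
        print(summarize_pcap(build_sample(65535, [60, 1500])))
```

A non-zero "truncated" count means payloads were cut off and the capture should be repeated with -s 0; "incomplete" means the file ends in the middle of a record.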

You can also just run this command from your favorite terminal on the phone, allowing you to grab packets on the go. This should be pretty obvious, though I feel I must say it since people seem to think adb is something unlike a terminal? I'm not sure why this comes up, but people often end up pasting the same thing I've done, and then saying “You can just do it in a terminal on the phone, and it's easiierr!”. Well yes, yes you can… Though copy-pasta-ing someone's idea doesn't make you much brighter 😉

Directly on the phone, or already adb'ed into it:

tcpdump -vv -s 0 -w /sdcard/output.cap

Update (8/31/09): I've pulled the tcpdump binary from my ROM and uploaded it to my server; you can download it here: tcpdump. For anyone wondering, it is tcpdump version 3.9.8 with libpcap version 0.9.8. Pushing this file to your /system/bin or /system/xbin and then chmod'ing it to be executable should make this work. Enjoy!

  1. Works great, but I had to first download the tcpdump binary off the internet and adb push it into the /system/bin directory.

  2. Hi,
    I can not find the tcpdump command in my terminal… I’m running a modified rom (JacHero) on it, what are you running?
    (reply to mail please)

  3. Ah, I just assumed most ROMs contained tcpdump. I guess not.

    If someone is not sure if they have tcpdump on their ROM, simply do a:

    find / -name tcpdump

    Mine was located in /system/xbin/ – using RA’s modded rom.

  4. Mmmm. I guess it just runs with rooted phones. Anyway, I imagine tcpdump output can be used in applications like… aircrack?

  5. @David

    Yes, I'd assume it only works on rooted phones.

    As for using the output in an application like aircrack… I’m not sure I’d see the point? If you have physical access to the device then you probably set it up for the wifi access?

    The most common use would be for analyzing output of programs using something like wireshark.

  6. Well, now I have the data from Android Market, but it is a binary.

    Do you know how I can decompile this, and use it for something?

  7. @Alex

    Well, that's up to you what you use it for. Look at the other postings and maybe you'll learn some other tricks. I'm sure I'll be posting more on how to decode this and whatnot.

  8. I need to obtain info about Market (if it is possible), but not from my Android terminal; instead, from a PHP script.

    There is no API for Android Market, but I can't understand why it is so complicated to know the categories, applications, screenshots, developers… Do you have more information about ?

    Thank you!

  9. @Alex

    Yes I do. Essentially what you're looking to do is what cyrket/androlib has done. Feel free to email me if you'd like, but I'd rather not hold a discussion in the comments section as it's not the proper forum for it 🙂

  10. Hi Tim,

    I too am working on something that requires sapping to the android market and collecting info. Could you provide your email address, so we could discuss this over email? Thanks

  11. Hi Tim,
    Me too. Would you please share your info with me?
    My email [email protected]

  12. I have been interested in pulling market data so I can instantly have statistics regarding my own apps without relying on 3rd party sites. I would be interested in any additional information you might have. Be forewarned since it has been since the days of the Playstation since I have done any meaningful reverse engineering. =)

  13. I just don't understand why Google Android Market doesn't provide a website that displays the Android Market application and game information in real time. They should do this to compete with the iPhone App Store.

  14. Tim,

    I don't have your e-mail. Can you e-mail me? I'm very interested in your offer 🙂

    Thank You

  15. Hello. I've done some reversing of the Android Market,
    and I'm able to do searches and downloads … however I did manual parsing of the returned data (no protobuffers) ….
    Then I found your site, and I wondered if you maybe put together the .proto file to read in the responses from searches, and also to create the POST requests?

    I would mail you, but I couldn't find your contact …. so please, contact me if you can share some information with me, as I don't really feel like reinventing the wheel


  16. It sounds like you're creating problems yourself by trying to solve this issue instead of looking at why there is a problem in the first place

  17. Tim,
    What is your email address? I would like to discuss a few things with you.

  18. Wow, nice share.
    I will try it on my Android cell phone.
    Thanks 🙂
