Capturing mobile phone traffic on Wireshark

Question

How can I capture mobile phone traffic on Wireshark?

Answer 1

Here are some suggestions:

1. For Android phones, any network: Root your phone, then install tcpdump on it. This app is a tcpdump wrapper that will install tcpdump and enable you to start captures using a GUI. Tip: You will need to make sure you supply the right interface name for the capture and this varies from one device to another, eg -i eth0 or -i tiwlan0 - or use -i any to log all interfaces

2. For Android 4.0+ phones: Android PCAP from Kismet uses the USB OTG interface to support packet capture without requiring root. I haven't tried this app, and there are some restrictions on the type of devices supported (see their page)

3. For Android phones: tPacketCapture uses the Android VPN service to intercept packets and capture them. I have used this app successfully, but it also seems to affect the performance with large traffic volumes (eg video streaming)

4. For IOS 5+ devices, any network: iOS 5 added a remote virtual interface (RVI) facility that lets you use Mac OS X packet trace programs to capture traces from an iOS device. See here for more details

5. For all phones, wi-fi only: Set up your Mac or PC as a wireless access point, then run wireshark on the computer.

6. For all phones, wi-fi only: Get a capture device that can sniff wi-fi. This has the advantage of giving you 802.11x headers as well, but you may miss some of the packets

7. Capture using a VPN server: Its fairly easy to set-up your own VPN server using OpenVPN. You can then route your traffic through your server by setting up the mobile device as a VPN client and capture the traffic on the server end.

Answer 2

As a Wireshark alternative/companion for Android, you can try my open source app PCAPdroid. On non-rooted devices, it uses the VPNService to capture the traffic with some limitations. On rooted devices, it uses libpcap to provide an accurate capture.

You can analyze connections and packets payload directly into the app, or export the traffic in PCAP format to analyze it on a PC with Wireshark. It has many other cool features, give it a try!

Answer 3

I've had success using mitmproxy and found this tutorial particularly helpful for capturing network traffic on Android devices (but it should also work on iOS devices).

To summarize the tutorial:

1. The computer and mobile device should be on the same network.
2. Run brew install mitmproxy
3. Run mitmproxy, which runs mitmproxy on port 8080 (by default)
4. Find your computer's private IP address.
5. On your mobile device, configure its network to use your computer's IP address, port 8080 as its proxy.
6. On your mobile device, navigate to mitm.io to download and install a mitmproxy-provided certificate.
7. Depending on your version of Android, you may need to explicitly tell your app to allow user CA certificates by creating a res/xml/network_security.xml file (with the contents shown below) and by adding android:networkSecurityConfig=”@xml/network_security_config" to your AndroidManifest.xml's application element.

<network-security-config>
   <debug-overrides>
      <trust-anchors>
         <certificates src="system" />
         <certificates src="user" />
      </trust-anchors>
   </debug-overrides>
</network-security-config>

Answer 4

For iOS Devices:

⦿ Open Terminal and simply write:

rvictl -s udid

it'll open an interface on Wireshark with a name, In my case its rvi0.

udid is iPhone's unique device id.

(How to find my iOS Device UDID)

Answer 5

I had a similar problem that inspired me to develop an app that could help to capture traffic from an Android device. The app features SSH server that allows you to have traffic in Wireshark on the fly (sshdump wireshark component). As the app uses an OS feature called VPNService to capture traffic, it does not require the root access.

The app is in early Beta. If you have any issues/suggestions, do not hesitate to let me know.

Download From Play

Tutorial in which you could read additional details

Answer 6

Preconditions: adb and wireshark is installed on your computer and you have a rooted android device.

1. Download tcpdump to ~/Downloads
2. adb push ~/Downloads/tcpdump /sdcard/
3. adb shell
4. su root
5. mv /sdcard/tcpdump /data/local/
6. cd /data/local/
7. chmod +x tcpdump
8. ./tcpdump -vv -i any -s 0 -w /sdcard/dump.pcap
9. CTRL+C after you've captured enough packets.
10. exit
11. exit
12. adb pull /sdcard/dump.pcap ~/Downloads/

Now you can open the pcap file using Wireshark.

Answer 7

For Android, I previously used tPacketCapture but it didn't work well for an app streaming some video. I'm now using Shark. You need to be root to use it though.

It uses TCPDump (check the arguments you can pass) and creates a pcap file that can be read by Wireshark. The default arguments are usually good enough for me.

Answer 8

Packet Capture Android app implements a VPN that logs all network traffic on the Android device. You don't need to setup any VPN/proxy server on your PC. Does not needs root. Supports SSL decryption which tPacketCapture does not. It also includes a good log viewer.

Answer 9

Wireshark + OSX + iOS:

Great overview so far, but if you want specifics for Wireshark + OSX + iOS:

• install Wireshark on your computer
• connect iOS device to computer via USB cable
• connect iOS device and computer to the same WiFi network
• run this command in a OSX terminal window: rvictl -s x where x is the UDID of your iOS device. You can find the UDID of your iOS device via iTunes (make sure you are using the UDID and not the serial number).
• goto Wireshark Capture->Options, a dialog box appears, click on the line rvi0 then press the Start button.

Now you will see all network traffic on the iOS device. It can be pretty overwhelming. A couple of pointers:

• don't use iOS with a VPN, you don't be able to make sense of the encrypted traffic
• use simple filters to focus on interesting traffic
• ip.addr==204.144.14.134 views traffic with a source or destination address of 204.144.14.134
• http views only http traffic

Here's a sample window depicting TCP traffic for for pdf download from 204.144.14.134:

Answer 10

Similarly to making your PC a wireless access point, but can be much easier, is using reverse tethering. If you happen to have an HTC phone they have a nice reverse-tethering option called "Internet pass-through", under the network/mobile network sharing settings. It routes all your traffic through your PC and you can just run Wireshark there.

Answer 11

Install Fiddler on your PC and use it as a proxy on your Android device.

Source: http://www.cantoni.org/2013/11/06/capture-android-web-traffic-fiddler

Answer 12

In addition to rupello's excellent answer, a "dirty" but very effective trick:

For all phones, any (local) network: Set up your PC to Man-In-The-Middle your mobile device.

Use Ettercap to do ARP spoofing between your mobile device and your router, and all your mobile's traffic will appear in Wireshark. See this tutorial for set-up details

Answer 13

Another option which has not been suggested here is to run the app you want to monitor in the Android emulator from the Android SDK. You can then easily capture the traffic with wireshark on the same machine.

This was the easiest option for me.

Answer 14

For Android phone I used tPacketCapture: https://play.google.com/store/apps/details?id=jp.co.taosoftware.android.packetcapture&hl=en

This app was a lifesaver I was debugging a problem with failure of SSL/TLS handshake on my Android app. Tried to setup ad hoc networking so I could use wireshark on my laptop. It did not work for me. This app quickly allowed me to capture network traffic, share it on my Google Drive so I could download on my laptop where I could examine it with Wireshark! Awesome and no root required!

Answer 15

Make your laptop a wifi hotspot for your phone (any) and connect it to internet. Sniff Traffic on your wifi interface using wireshark.

you will get to know a lot of anti privacy stuff!