56 / JUNE 2014 / WWW.LINUXJOURNAL.COM
FEATURE Monitoring Android Traffic with Wireshark
Monitoring Android Traffic with Wireshark
Use some simple Linux tools and a laptop to get access to the Internet traffic sent and received by your smartphone.
BRIAN TRAPP
LJ242-June2014.indd 56 5/22/14 12:36 PM
The ubiquity and convenience of smartphones has been a real boon for getting information on the go. I love being able to jump on a Wi-Fi hotspot, catch up on my mail, check my banking balance or read the latest tech news, all without having to bring along or boot up a laptop. Now that mobile development is mainstream, most of this access is done via specialized apps, instead of via a Web browser.

This migration away from direct Web access in favor of dedicated smartphone apps has made for a richer user experience, but it also has made knowing exactly what is going on under the hood a lot harder. On our Linux boxes, there are many tools to help users peer into the internals of what's going to and from the machine. Our browsers have simple HTTP versus HTTPS checks to see if there's encryption, and there are simple but easy-to-use browser plugins like Firebug that let us view exactly what's being sent and retrieved over the Web. At the operating system level, powerful tools like Wireshark let us drill down even further, capturing all traffic flowing through a network interface. Smartphones usually are locked up to a point where it's almost impossible for a regular user to run any network monitoring or tracing software directly on the phone, so how can a curious user get access to that phone traffic?

Fortunately, with just a little bit of work, you can use Linux to transform almost any laptop into a secret-sharing wireless access point (WAP), connect your phone and view the data flowing to and from the phone with relative ease. All you really need is a laptop running Linux with one wireless and one Ethernet connection.
Intercepting Traffic
The first step is to set up your own "naughty" WAP where you can capture and log all the Internet traffic passing through it, simulating the kind of information that a rogue employee could be obtaining from a coffee-shop Wi-Fi hotspot. Let's do this in a distribution-independent way that doesn't mess around with your existing router (no need to change security settings) and doesn't require rooting or installing anything unseemly on your phone.
To turn a laptop into a WAP, you'll first use hostapd to put the wireless card into access point mode (broadcasting an SSID, authenticating with security and so on). Next, you'll use dnsmasq to provide DNS and DHCP services for clients connecting on the wireless connection. Finally, iptables masquerading features will be used to direct IP traffic from clients on the wireless connection to the Internet (via your Ethernet connection), and then route responses back to the correct client on the wireless side.

FALSE STARTS
It may be tempting to try a shortcut for capturing this traffic. Here are a few techniques I tried and discarded before sticking with a hostapd/dnsmasq/iptables solution.

UBUNTU'S BUILT-IN HOTSPOTS:
Ubuntu has a handy "Use as Hotspot" feature tucked away in its networking settings. Unfortunately, it creates hotspots in ad hoc mode, which isn't compatible with most versions of Android. I didn't try Fedora's implementation, but the method I recommend instead will work on any distribution.

MONITOR MODE:
It's tempting just to put the wireless card in monitor mode and capture all wireless traffic, independent of SSID. This is pretty cool, but there are quite a few gotchas:
• The drivers for your wireless card must support monitor mode. Many, but not all, cards support this mode.
• Your capture needs to include the four WPA handshake packets.
• You'll probably have to compile and use airmon-ng to start monitor mode and then capture on the mon0 pseudo-device airmon creates.
• If the WAP is using encryption, the packets you capture also will be encrypted. Wireshark does have a facility to help decode the packets, but you'll need to enter information about the security scheme used by the WAP and toggle a few sets of options until the decoded packets look right. For a first-time user, it's hard enough making sense out of Wireshark dumps without having to worry about toggling security options on and off.

CAPTURING WITH THE ANDROID EMULATOR:
Another approach would be to use an Android emulator on your capture device, install and then run the target application, and capture the traffic from the emulator. It's much harder than it sounds actually to get a banking app on the emulator though:
• Due to recent Android licensing changes, the major Android VMs no longer include the Google Play store. (I tried both the Android SDK and the free product from Genymotion.)
• If your phone isn't rooted, it's not easy to get the application's .apk off your phone and onto the VM.
hostapd
hostapd is a small utility that lets you create your own wireless access point. Installation is straightforward, and configuration is just as easy. Most wireless cards and modern kernels will be using the mac80211 driver. Check yours via lsmod | grep mac80211. If that's your driver, find your wireless device via ifconfig, and set up the SSID of your choice as shown below for an unsecured, totally open access point:
===[/etc/hostapd/hostapd.conf]======
interface=wlan0
driver=nl80211
ssid=WatchingU
channel=1
===[/etc/hostapd/hostapd.conf]======
I recommend not using Wi-Fi
security for this test; it would be
overkill, as your access point will
only be temporary. Should you
desire a more permanent solution,
hostapd supports many different
authentication options.
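An open access point lets any device in range join and have its traffic logged on your laptop, so if the WAP will stay up for more than a quick test, the same hostapd.conf with WPA2-PSK enabled looks like this (an added example, not from the article; the passphrase is a placeholder):

```ini
# Added example: WPA2-PSK variant of the article's hostapd.conf.
# Only clients that know the passphrase can associate.
interface=wlan0
driver=nl80211
ssid=WatchingU
hw_mode=g
channel=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Placeholder: hostapd requires 8 to 63 characters here.
wpa_passphrase=CHANGE-ME-before-use
```

Packets captured on wlan0 with Wireshark are still seen in the clear, because the capture happens on the access point itself, after hostapd has decrypted the Wi-Fi frames.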
dnsmasq
Now that hostapd is ready to start letting clients connect to your wireless connection, you need dnsmasq to serve DHCP and provide DNS for your access point. Fortunately, dnsmasq is also very easy to install and configure. The example below is the minimum required. Make sure the dhcp-range you specify will not conflict with anything already on your network. By default, dnsmasq will read your existing /etc/resolv.conf and propagate the DNS settings listed there to its clients. That's a pretty sane default configuration, but if you need something else, use the no-resolv option and specify the DNS servers manually:
========[/etc/dnsmasq.conf]===============
interface=wlan0
dhcp-range=10.0.0.3,10.0.0.20,12h
========[/etc/dnsmasq.conf]===============
iptables
The final piece of your wireless access point is iptables, which will use IP Masquerading to get the traffic from the wireless connection, send it over the wired connection and route any responses back to the correct source on the wireless side. There are many distribution-specific ways to save and script iptables rules, but it's simpler to create a distribution-independent shell script to enable iptables and network address translation (NAT). A script for iptables that ties in hostapd and dnsmasq would look like the following (modify the wlan0 and eth0 entries to match your system):
=======[makeWAP.sh]==============
#!/bin/bash
export DEV_IN=wlan0
export DEV_OUT=eth0

echo "Bringing up $DEV_IN"
# This address/mask should match how you configured dnsmasq
ifconfig $DEV_IN up 10.0.0.1 netmask 255.255.255.0

echo "Starting dnsmasq"
dnsmasq

echo "Configuring iptables"
# Clear everything in iptables
iptables -Z
iptables -F
iptables -X

# Turn on iptables NAT, forwarding, and enable
# forwarding in the kernel
iptables --table nat --append POSTROUTING --out-interface $DEV_OUT -j MASQUERADE
iptables --append FORWARD --in-interface $DEV_IN -j ACCEPT
# Let replies reach wireless clients even if your FORWARD policy is DROP
iptables --append FORWARD --out-interface $DEV_IN -m state --state RELATED,ESTABLISHED -j ACCEPT
sysctl -w net.ipv4.ip_forward=1

echo "Starting hostapd"
hostapd /etc/hostapd/hostapd.conf 1> /dev/null
=======[makeWAP.sh]==============
To test everything, connect your capture laptop to a wired connection with Internet access and disconnect any existing wireless connections. Run the makeWAP.sh script (sudo ./makeWAP.sh) to start up the WAP. On the phone, turn off mobile data (for Android 4.3, this is done via Settings → Data Usage → Mobile data → Off), turn on Wi-Fi, and connect to the new WAP (in the example above the SSID would be WatchingU). Once connected, test a few sites to make sure you can access data from the Internet. If everything works, congratulations, you have transformed your laptop into the world's most ridiculously overqualified wireless router!
Wireshark
Wireshark is a network packet analyzer that you'll use to capture and make sense of the data flowing on your newly created access point. You'll be merely scratching the surface of its capabilities, as it is an extremely powerful tool with abilities stretching well beyond "poke at a few packets" as used in this project. Install Wireshark for your version of Linux. If at all possible, get version 1.10 or higher, as 1.10 adds support for decoding gzipped HTTP data on the fly (and there's a lot of that). Prior to 1.10, you'd have to save the TCP stream to a file, edit out the header and then gunzip it to view the raw data. This becomes tedious quickly, so having Wireshark do all that for you behind the scenes is awesome.
When running Wireshark for the first time, if it complains that there are no devices available for capture, you have to give your ID permissions for the various devices and applications used by Wireshark. For Ubuntu, run sudo dpkg-reconfigure wireshark-common, select the option to let nonroot users capture packets, and make sure your ID is in the wireshark group. For other distributions, search for which devices and scripts need to be owned by which groups.
Before moving on to capturing traffic, shut down every non-essential app and service on the phone to make it easier to find the traffic of interest. The fewer packets you have to sort through, the better.
Capturing Unencrypted Web Traffic
Before you start looking for sensitive data, let's first get familiar with what unencrypted traffic looks like in Wireshark.
• From the Wireshark starting screen, select the wireless device (wlan0) and then the Start icon to start a new capture.
• On the phone, use a browser to go to http://www.linuxjournal.com.
• Once the page finished loading on the phone, press the Stop icon in Wireshark, and save the capture file somewhere safe, called something like Capture_LJ.pcapng.
Now, let's take a look at this dump. With the dump file open in Wireshark, go to View → Name Resolution and make sure "Enable for Network Layer" is checked. This will improve readability by translating IP addresses to hostnames. The initial view (Figure 1) can be sort of intimidating, but there are some simple tips to make decoding this data easier.

As shown in Figure 1, Wireshark's dump screen has one row per TCP packet, but the data is more easily consumed when reassembled into a full TCP stream. To get the full stream, right-click on any row where the source or destination is www.linuxjournal.com, and choose Follow TCP Stream. This automatically will find all the related packets and group them together in an easier-to-read format.
In this example, you can see the HTTP GET request from my phone in red, and the HTTP response from the Linux Journal Web server in blue. Here is where you can start to see unencrypted information flowing back and forth from the server. Since the server response's Content-Type header indicates that the response is a JPEG image, you can view that image with a little bit of extra manipulation. Press the Save As button to save the stream to a temporary file (use RAW format), then use an editor like emacs or vi to trim out the header text from the image binary contents. It takes a little bit of practice, but it's usually pretty obvious where the HTTP header stops and the binary bits begin. Once you've removed the header (and any stray footer or additional header sections), you can save the file with a .jpeg extension and view it.
Figure 1. Wireshark Output
Continue browsing through the dump manually and look for interesting TCP segments. You also could take a more systematic approach by using Wireshark's filtering capabilities. Use a filter like tcp.stream eq 1 (Figure 4), and keep iterating the stream ID until you've seen all the streams, drilling down with Follow Stream if the packets look promising.
Figure 2. Follow TCP Stream
Figure 3. Raw TCP Dump
Figure 4. Filtering to a Single TCP Stream
Capturing Low-Sensitivity Application Traffic
Now that you're getting a little more comfortable with capturing and viewing dumps with Wireshark, let's try peeking at the information coming to and from an Android application. For this next test, I used the app "reddit is fun" since it sends and receives non-sensitive data that is probably not encrypted.
Capture an app search or query
using the same technique as before:
start Wireshark on the laptop, launch
and exercise the app from the phone,
then stop Wireshark and save the
capture file.
Figure 5 shows an example TCP stream from reddit is fun. Again, the request from the app is in red, and the response from the reddit server is in blue. Note that since the request is not encrypted, anyone monitoring the WAP would be able to detect your interest in Raspberry Pi data. The Content-Type of the response is JSON, and even though the Content-Encoding is set to gzip, Wireshark is letting you view the content body as pure JSON. If the data in your TCP Stream page looks garbled, you may have an older version of Wireshark that doesn't support on-the-fly gzip decoding.
Figure 5. Gzip-Encoded JSON
Either save the contents to a file and
gunzip on your own, or upgrade your
version of Wireshark.
Note: look at that hilarious Server header in the response. Is some clever reddit engineer sending [...] script kiddies?
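Trimming the HTTP header out of a RAW stream save by hand, as described for the JPEG above, and gunzipping a body by hand when Wireshark is older than 1.10, can both be done mechanically. The following Python script is an added example, not the article's own code: it splits a saved response at the blank line that ends the headers, undoes chunked transfer encoding (which a text editor will not handle) and gzip, and leaves the body as bytes so a JPEG survives intact. The response it builds is constructed for the demonstration, not captured data.

```python
import gzip
import json

# Constructed sample (not a real capture): a gzip-encoded JSON reply like the
# "reddit is fun" stream in the article, as saved in RAW format by Follow TCP Stream.
SAMPLE_JSON = json.dumps({"kind": "Listing", "query": "raspberry pi"}).encode()

def make_response(body, content_type, gzipped=False, chunked=False):
    """Build a constructed HTTP/1.1 response (test fixture, not capture data)."""
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: " + content_type.encode()]
    if gzipped:
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    if chunked:  # one data chunk, then the terminating zero-length chunk
        headers.append(b"Transfer-Encoding: chunked")
        body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    return b"\r\n".join(headers) + b"\r\n\r\n" + body

def split_http_response(raw):
    """Return (status line, {lower-case header: value}, body bytes); the body
    stays bytes because it may be binary (a JPEG, a gzip stream), not text."""
    end = raw.find(b"\r\n\r\n")  # the blank line that ends the header block
    if end < 0:
        raise ValueError("no blank line ending the HTTP headers")
    lines = raw[:end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, raw[end + 4:]

def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (hex size, CRLF, data, CRLF ...)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data

def extract_body(raw):
    """Undo chunking and gzip so the payload can be written to disk unchanged."""
    _, headers, body = split_http_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body

if __name__ == "__main__":
    raw = make_response(SAMPLE_JSON, "application/json", gzipped=True, chunked=True)
    print(json.loads(extract_body(raw)))
```

To use it on a real stream, read the RAW file into `raw` and write `extract_body(raw)` to a file with the extension the Content-Type suggests (.jpeg, .json).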
Capturing High-Sensitivity App Data
By now, the process to capture traffic from an app should be pretty straightforward. Let's try running a banking or high-sensitivity app and use the tricks described earlier to see if you can detect the application sending any information in the clear that it shouldn't. To be perfectly honest, the odds of finding such a low-level (and easily avoidable) flaw are going to be very, very low. Android application development is pretty mature now, and the Android libraries make using SSL encryption pretty easy. It feels good to double-check though, so follow the same steps as before, but log on to a banking application of your choice.
Figure 6. Encrypted Traffic
Now, as you step through the TCP streams, you should note a few major differences. Most of the traffic will be HTTPS instead of HTTP, and the protocol will be TLS instead of TCP or HTTP. In addition, the TCP stream no longer will contain human-readable content, even after trying the standard gunzip tricks (Figure 6). Step through the TCP streams, following each one, and verify that there's no plain text or unencrypted communications that are exposing anything scary.
Next Steps
Now that you've almost certainly not found anything scary, where else can these network monitoring skills be applied? Here are some fun ideas:
• Attach a console like a Wii or PS3 and see what kind of information it sends at startup and logon.
• Create a WAP that doesn't actually go anywhere and just see what tries to connect. Maybe there's a device using Wi-Fi that you didn't even know about?
• Get the SSL certificate for a server you support, and try out Wireshark's SSL decoding.
• Reverse the wlan0 and eth0 designations in the scripts and set up the system backwards (connect the laptop's Wi-Fi to your existing WAP, and plug a device in to the laptop's Ethernet port) to monitor the output of wired-only devices. My smart Blu-ray player was communicating with all sorts of unexpected places at startup!
Brian Trapp serves up a spicy gumbo of Web-based yield
reporting and analysis tools for hungry semiconductor
engineers at one of the leading semiconductor research and
development consortiums. His signature dish has a Java base
with a dash of JavaScript, Perl, Bash and R, and his kitchen
has been powered by Linux ever since 1998. He works from
home in Buffalo, New York, which is a shame only because
that doesn't really fit the whole chef metaphor.
Send comments or feedback via
http://www.linuxjournal.com/contact
or to ljeditor@linuxjournal.com.