tcpdump on android (quick and dirty how-to)

This is a quick and dirty how-to based on an excellent android tcpdump tutorial written last year. Things are changed since then, so we have to arrange something in order to get tcpdump up and running on our android phone.


So, let’s start to say that there is a really good set of articles, written a year ago by Vincent Kornacky, that explains in details what you need(ed) to do in order to get tcpdump on your android phone:

Unfortunately, things are changed since then (updates to the Emdebian distributions ceasedDebian Jessie evolved), so when I tried to follow the path outlined in the articles, I run into some problems, ending up that I had to do the same things (what) in a different way (how).

I strongly suggest you to read Vincent’s blog before continuing, because here you will find only a quick and dirty how-to, largely taken from the history of the commands that I had to issue on my brand new DebianJessie64 VM. And remember: if you follow these instructions, you are using them at your own risk:


Part I: Installing the toolchain

Since embedian distributuons ceased, I suggest you to follow these instructions, from Debian website, starting from:

[…] Create /etc/apt/sources.list.d/crosstools.list containing:
deb jessie main […]

If you just downloaded and installed Debian Jessie like me, you may need to:

  • su (instead of setup sudo)
  • use wget (instead of install curl)

apt-key add emdebian-toolchain-archive.key
dpkg --add-architecture armhf
apt-get update
apt-get install crossbuild-essential-armhf

Please note that we specify armhf here. I did not investigate further, but since there are also armle and arm64 cross-compilers (and devices?) be aware of this detail (ie: your device will work? uname -m may help). And, of course, you need to issue this command at the end to check if everything is ok:

arm-linux-gnueabihf-gcc -v

Part II: Cross compiling libpcap and tcpdump

You can do it quite easely if you follow Vincent Kornacky steps, with this caveats:

  • use libpcap-1.6.2 and tcpdump-4.6.2 (I’ll try again, but I didn’t get the latest tcpdump cross-compiled with the latest libpcap)
  • use arm-linux-gnueabihf-gcc instead of arm-linux-gnueabi-gcc

here you are the commands:

export CC=arm-linux-gnueabihf-gcc
tar zxvf libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure --host=arm-linux --with-pcap=linux
cd ..
tar zxvf tcpdump-4.6.2.tar.gz
cd tcpdump-4.6.2
export CFLAGS=-static
export CPPFLAGS=-static
export LDFLAGS=-static
./configure --host=arm-linux --disable-ipv6

Please note that if you have to go back and recompile libpcap (like me) you must unset CFLAGS, CPPFLAGS, LDFLAGS (and then, of course, set them again).

Part III: Installing & Executing TCPDUMP

Just follow Vincent’s steps.

Part IV: Forwarding To Wireshark

Uh, we have to cross-compile netcat… Remember to use hf, set the flags (or unset if you are doing everything in a hurry) and everything should work fine:

tar zxvf netcat-0.7.1.tar.gz
cd netcat-0.7.1
export CC=arm-linux-gnueabihf-gcc
export LDFLAGS=-static
./configure --host=arm-linux

again, for any further detail please read Vincent’s article.


Just a few more words at the end of this quick and dirty how-to: