tcpdump on android (quick and dirty how-to)

This is a quick and dirty how-to based on an excellent Android tcpdump tutorial written last year. Things have changed since then, so a few steps need adjusting in order to get tcpdump up and running on an Android phone.

Intro

So, let’s start by saying that there is a really good set of articles, written a year ago by Vincent Kornacky, that explains in detail what you need(ed) to do in order to get tcpdump onto your Android phone:

Unfortunately, things have changed since then (updates to the Emdebian distributions ceased, Debian Jessie evolved), so when I tried to follow the path outlined in the articles I ran into some problems, and ended up having to do the same things (the what) in a different way (the how).

I strongly suggest you read Vincent’s blog before continuing, because here you will find only a quick and dirty how-to, largely taken from the history of the commands that I had to issue on my brand new DebianJessie64 VM. And remember: if you follow these instructions, you are using them at your own risk.


Part I: Installing the toolchain

Since the Emdebian distributions ceased, I suggest you follow these instructions from the Debian website, starting from:

[…] Create /etc/apt/sources.list.d/crosstools.list containing:
deb http://emdebian.org/tools/debian/ jessie main […]

If you just downloaded and installed Debian Jessie like me, you may need to:

  • use su (instead of setting up sudo)
  • use wget (instead of installing curl)

wget http://emdebian.org/tools/debian/emdebian-toolchain-archive.key
apt-key add emdebian-toolchain-archive.key
dpkg --add-architecture armhf
apt-get update
apt-get install crossbuild-essential-armhf

Please note that we specify armhf here. I did not investigate further, but since there are also armel and arm64 cross-compilers (and devices?), be aware of this detail (i.e. will your device work? uname -m on the phone may help). And, of course, you need to issue this command at the end to check that everything is OK:

arm-linux-gnueabihf-gcc -v

Part II: Cross compiling libpcap and tcpdump

You can do it quite easily if you follow Vincent Kornacky’s steps, with these caveats:

  • use libpcap-1.6.2 and tcpdump-4.6.2 (I’ll try again, but I didn’t get the latest tcpdump cross-compiled with the latest libpcap)
  • use arm-linux-gnueabihf-gcc instead of arm-linux-gnueabi-gcc

Here are the commands:

export CC=arm-linux-gnueabihf-gcc
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
tar zxvf libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure --host=arm-linux --with-pcap=linux
make
cd ..
wget http://www.tcpdump.org/release/tcpdump-4.6.2.tar.gz
tar zxvf tcpdump-4.6.2.tar.gz
cd tcpdump-4.6.2
export CFLAGS=-static
export CPPFLAGS=-static
export LDFLAGS=-static
./configure --host=arm-linux --disable-ipv6
make

Please note that if you have to go back and recompile libpcap (like me), you must unset CFLAGS, CPPFLAGS and LDFLAGS first (and then, of course, set them again before rebuilding tcpdump).
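Two details from Part I and Part II are easy to get wrong: picking the toolchain that matches what uname -m reports on the phone, and letting the -static flags set for tcpdump leak into a later libpcap rebuild. The following POSIX sh helpers are an added example written for this post, not Vincent’s or the author’s own scripts. They assume the Debian crosstools triplets arm-linux-gnueabihf-gcc (armhf) and aarch64-linux-gnu-gcc (arm64), map armv5 machines to armel as an assumption, run each configure/make in a subshell so the flags cannot leak, and check the ELF e_machine field of the result so you notice a host x86-64 binary before pushing it to the device. The sample ELF header written by write_sample_elf_header is constructed for demonstration only.

```shell
#!/bin/sh
# Added example (not part of the original post): toolchain selection,
# leak-free cross builds and a sanity check on the produced binary.

# Map the string from `adb shell uname -m` to the Debian architecture and
# the matching cross-compiler. armhf/arm64 are the crosstools triplets; the
# armv5 -> armel mapping is an assumption for old soft-float devices.
toolchain_for_machine() {
    case "$1" in
        armv6l|armv7l)      printf '%s\n' "armhf arm-linux-gnueabihf-gcc" ;;
        armv5tel|armv5tejl) printf '%s\n' "armel arm-linux-gnueabi-gcc" ;;
        aarch64)            printf '%s\n' "arm64 aarch64-linux-gnu-gcc" ;;
        *)                  return 1 ;;
    esac
}

# Run ./configure && make for one source tree inside a subshell, so the
# -static flags needed for tcpdump never leak into a later libpcap rebuild
# (the post notes you must unset CFLAGS/CPPFLAGS/LDFLAGS for that).
cross_build() {   # cross_build <srcdir> <static: yes|no> [extra configure args]
    srcdir=$1; static=$2; shift 2
    (
        cd "$srcdir" || exit 1
        export CC=arm-linux-gnueabihf-gcc
        if [ "$static" = yes ]; then
            export CFLAGS=-static CPPFLAGS=-static LDFLAGS=-static
        else
            unset CFLAGS CPPFLAGS LDFLAGS
        fi
        ./configure --host=arm-linux "$@" && make
    )
}

# Report the CPU an ELF file was built for by reading e_machine (two
# little-endian bytes at offset 18). Prints "not-elf" and fails otherwise.
elf_machine() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 1; }
    m=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')
    case "$m" in
        2800) echo arm ;;
        b700) echo aarch64 ;;
        3e00) echo x86_64 ;;
        0300) echo i386 ;;
        *)    echo "unknown($m)" ;;
    esac
}

# Constructed sample: write only the first 20 bytes of an ELF header
# (magic, ident, e_type=EXEC, e_machine) so elf_machine can be exercised
# without a real cross-compiled binary.
write_sample_elf_header() {   # write_sample_elf_header <path> <arm|aarch64|x86_64>
    case "$2" in
        arm)     mach='\050\000' ;;
        aarch64) mach='\267\000' ;;
        x86_64)  mach='\076\000' ;;
        *)       return 1 ;;
    esac
    # bytes 0-3 magic, 4-7 class/data/version/ABI, 8-15 padding, 16-17 e_type
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000'"$mach" > "$1"
}

# Demo on the constructed sample; for a real run use e.g.
#   cross_build libpcap-1.6.2 no --with-pcap=linux
#   cross_build tcpdump-4.6.2 yes --disable-ipv6
#   elf_machine tcpdump-4.6.2/tcpdump
sample=${TMPDIR:-/tmp}/elfcheck.$$
write_sample_elf_header "$sample" arm
echo "sample header reports: $(elf_machine "$sample")"
rm -f "$sample"
```

If elf_machine prints x86_64 for the tcpdump you just built, CC was not exported in the shell that ran make; if it prints arm but the phone is reported as aarch64, the armhf build will usually still run on a 64-bit device with a 32-bit userland, but the matching arm64 toolchain is the safer choice.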

Part III: Installing & Executing TCPDUMP

Just follow Vincent’s steps.

Part IV: Forwarding To Wireshark

Uh, we have to cross-compile netcat… Remember to use the hf compiler, set the flags (or unset them if you are doing everything in a hurry) and everything should work fine:

wget http://downloads.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1.tar.gz
tar zxvf netcat-0.7.1.tar.gz
cd netcat-0.7.1
export CC=arm-linux-gnueabihf-gcc
export LDFLAGS=-static
./configure --host=arm-linux
make

Again, for any further details please read Vincent’s article.

Conclusions

Just a few more words at the end of this quick and dirty how-to: