Wireshark-dev: Re: [Wireshark-dev] Can we put android phone device connected over USB to Win 7
From: Peter Wu <[email protected]>
Date: Tue, 24 Feb 2015 23:03:59 +0100

On Tue, Feb 24, 2015 at 08:30:09AM +0100, Michal Labedzki wrote:
> Hello,
> I think I am working on a solution for you... If you have ADB (SDK) and
> tcpdump (with permissions) then I can emulate live capture from
> Android devices. Please check:
> adb shell tcpdump -D
> adb shell su -c "tcpdump -D"

Before you attempt to use the output of `adb shell` in a pipe, keep in
mind that adb mangles newlines (LF -> CRLF) and is therefore unsuitable
for binary data. This does not matter for textual output such as
"tcpdump -D", but it affects "tcpdump -w -" (writes pcap to stdout).

> Limitation: works only with Wireshark, or standalone application, not
> Windows Interface.
> On 24 February 2015 at 08:13, Shashikant Ajegaonkar
> <[email protected]> wrote:
> > Hi All,
> >
> > Has anyone tried to put WiFi interface of Android device in promiscuous mode?
> > Is it possible to enumerate phone over adb interface as device wireless
> > network interface in Win7 machine and configure it in promiscuous mode for
> > sniffer application?

I have once written an Android app which can put a wireless interface in
promiscuous mode and capture layer 2 frames (802.11). There are some
issues to consider:

 - The wireless driver of my phone did not support monitor mode. So I
   bought a USB on the go cable and a Ralink 802.11n USB adapter using
   the rt2x00 driver. This driver was not supported by the custom
   firmware (Cyanogenmod) so I had to build a new kernel as well.
 - The easiest way to make use of tcpdump is by running it as root, but
   you can also use capabilities and declare a manifest permission in
   the Android app. (This required a kernel patch,
 - Battery drains fast when using an external USB adapter, phone can
   get quite hot.
 - If your firmware does not include tcpdump, it is actually quite easy
   to build it. All you need are the libpcap and tcpdump sources and the
   Android NDK.

Oh and it is not trivial to build Wireshark for Android. It has many
dependencies, and last time I looked at using dumpcap/tshark, I stopped
once it noted that GLib was missing.

If you just want to debug an app on the phone, it is much easier to
set up a VPN/proxy and start tapping at the VPN or proxy server.

Kind regards,
Peter Wu
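One way to catch the CRLF damage described above before feeding a capture pulled through `adb shell` into Wireshark, as an added example (not code from Peter Wu or the Wireshark project). It builds a minimal little-endian pcap 2.4 image in memory, applies the LF -> CRLF translation the mail describes as a simplified model of what `adb shell` does to its output, and then walks the record chain: once a record's declared length no longer matches the bytes present, the next header is read from inside packet data and carries implausible values. The sample packets, the timestamps and the translation model are constructed assumptions.

```python
import struct

# pcap 2.4 little-endian layout (magic 0xa1b2c3d4 appears on disk as d4 c3 b2 a1)
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
SNAPLEN = 65535


def build_pcap(packets, linktype=1):
    """Build a minimal pcap file image from raw frame payloads (constructed test data)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype))
    for i, pkt in enumerate(packets):
        # constructed timestamps; one second apart, zero microseconds
        out += REC_HDR.pack(1424818000 + i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def adb_shell_mangle(data):
    """Model of the LF -> CRLF translation `adb shell` applies to its output.

    This is a simplified assumption for the demonstration; a real pty may
    translate more than this."""
    return data.replace(b"\n", b"\r\n")


def check_pcap_framing(data):
    """Walk the record chain and return (ok, records_seen, reason).

    Byte insertion anywhere in the stream desynchronises the chain: the bytes
    after a record's declared length are no longer the next record header."""
    if len(data) < GLOBAL_HDR.size:
        return False, 0, "file shorter than global header"
    magic, vmaj, vmin, _tz, _sig, snaplen, _lt = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        return False, 0, "bad magic (not little-endian pcap 2.4)"
    if (vmaj, vmin) != (2, 4):
        return False, 0, f"unexpected version {vmaj}.{vmin}"
    off, seen = GLOBAL_HDR.size, 0
    while off < len(data):
        if len(data) - off < REC_HDR.size:
            return False, seen, f"truncated record header at offset {off}"
        _sec, usec, incl, orig = REC_HDR.unpack_from(data, off)
        # Sanity limits every genuine record header satisfies.
        if usec >= 1_000_000 or incl > snaplen or incl > orig:
            return False, seen, f"implausible record header at offset {off}"
        off += REC_HDR.size
        if off + incl > len(data):
            return False, seen, f"record at offset {off - REC_HDR.size} runs past end of data"
        off += incl
        seen += 1
    return True, seen, "ok"


# Constructed sample: an HTTP request (contains LF bytes) and an LF-free frame.
SAMPLE_PACKETS = [b"GET / HTTP/1.0\r\n\r\n", b"A" * 5]
CLEAN = build_pcap(SAMPLE_PACKETS)
MANGLED = adb_shell_mangle(CLEAN)

if __name__ == "__main__":
    print("clean  :", check_pcap_framing(CLEAN))    # (True, 2, 'ok')
    print("mangled:", check_pcap_framing(MANGLED))  # (False, 1, 'implausible record header at offset 58')
```

The same walk can be run over a real file read with `open(path, "rb")`; a clean result only proves the framing is intact, not that the capture is complete.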