I have an Android device (simulated with Genymotion on top of VirtualBox) on my host computer (Ubuntu).
Which interface should I capture to have both incoming and outgoing traffic of Android devices?
Download tcpdump for android from here: https://www.androidtcpdump.com/android-tcpdump/downloads
Use the following commands to set everything up.
adb root
adb remount
adb push ./tcpdump /system/xbin/tcpdump
To use:
adb shell
tcpdump -D
tcpdump -vv -i any -s 0 -w /sdcard/dump.pcap
adb pull /sdcard/dump.pcap .
Then analyze the pcap file in Wireshark if you want.
This answer might help https://stackoverflow.com/a/48062718/20107. It's using Wireshark but it should be easy to adapt to tcpdump.
Related
Is there any possibility to capture packets by tcpdump from all devices in MacOS?
In Linux I would use 'sudo tcpdump -i any'. In my MacOS when I execute 'sudo tcpdump -D', I don't see "any" pseudo-device.
Per @ChristopherMaynard:
tcpdump docs specify any as working on linux: On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. However, it is not actually OS-specific.
tcpdump accepts the any interface on macos in my testing, so in answer to your question, the analog of any on linux is any on macos:
bash-5.0 $ sudo tcpdump -i any
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
09:43:57.789302 IP6 dsldevice7.attlocal.net.domain > 2600:1700:a700:7340:6dad:2758:c536:f29f.56483: 4283 1/0/0 SOA (85)
09:43:57.789324 IP6 2600:1700:a700:7341:6dad:2759:c536:f29f > dsldevice7.attlocal.net: ICMP6, destination unreachable, unreachable port, 2600:1700:a700:7340:6ded:2759:c536:f29f udp port 56423, length 141
...
tcpdump should have the same options (manpage) on both macos and linux, apart from those detailed below. If you have an older version of tcpdump (my version is 4.9.3/Apple version 83.200.3), you can update it with brew install tcpdump.
Macos/Linux Tcpdump Differences
You should still look at the manpages when in doubt, but this is a summary of differences:
Linux
-Q direction : Choose send/receive direction (in/out/inout)
Macos
-k : Control display of packet metadata
-Q : Specify a filter expression based on packet metadata
-P : Save to pcapng
Note: Unlike Linux or *BSD, Macos does not support -Q direction.
My setup is complicated and I think I have a clear way ahead, but please let me know if you see a better way to accomplish my end state of using a terminal window over Xbee. My use case is that RPI #1 has internet connectivity, but RPI #2 does not, and I want to fully control and access RPI #2 via RPI #1 over Xbee.
I have x2 Raspberry Pi 3B+ and am using x2 Xbee Pro S3B modules to communicate between the RPIs over Xbee USB Development Shields. The Xbees show on the RPIs as /dev/ttyUSB0. I want to use the Xbees as a transportation layer to the RPIs, much like 802.11/15 or plain old ethernet would be used in a headless situation with bash. The Xbees are running at 115200 baud rate, and are named and setup via the X-CTU tool. I have no illusions of high speed data, but want to "see" RPI #2 terminal on RPI #1, the same as when SSH is accomplished with traditional transport layers.
I am able to use the Xbees in Transparent Mode, and send plain text with Screen, Minicom, "echo "text here" > /dev/ttyUSB0", and "cat < /dev/ttyUSB0". Despite the ability to pass messages, I want to use these plain text messages as bash input. For example, when I pass the command ls via any of the three methods listed from RPI 1, I want to have bash execute "ls" on RPI 2, not just see it listed on the screen for RPI 2.
I've found several tools for Xbee, but don't want to wire up the GPIO pins and go that method; I want to use the Xbees as simple transport, nothing more. How do I pass text from /dev/ttyUSB0 to bash as a command, and see the results? Short of a more direct route, I'm considering using crontabs and an executable file that is erased and re-written to accomplish this task, but feel that is a last, very ineffective, method.
Is there some tool I am missing that does this already? Can I "screen" over a serial port as command line and serial I/O simultaneously?
I found pyserial, which could allow for a TCP binding to the /dev/ttyUSB0 port, but am not sure if that is the right way to go or not. As of now, my code is as simple as
RPI #1:
echo "ls" > /dev/ttyUSB0
RPI #2:
cat < /dev/ttyUSB0
I was able to send and receive commands from the command line of a local (although remoted) XBee host to a remote (secondary, off net) Xbee host. I found the answer when I started looking at how serial devices could open a login terminal, and arrived at the getty tool. Here are my setup instructions for Transparent Mode use; I am still trying to get python-xbee and other tools to work to allow for the same concept, but via API mode. Note that the below instructions are a 95% solution, but should get the common user to a solid way ahead. I am not the original author of the steps below in their format, but found each step and combined them through various other Q&A forums to arrive at a solution:
First, acquire Digi Xbee X-CTU software (does not install on ARM devices such as Raspberry or Odroid):
XCTU:
Install from the following Digi.com link, but navigate to the corresponding software FTP link:
https://www.digi.com/support/productdetail?pid=3352&type=drivers
Linux 64 Bit: ftp://ftp1.digi.com/support/utilities/40002881_R.run
Linux 32 Bit: ftp://ftp1.digi.com/support/utilities/40002880_R.run
Windows: ftp://ftp1.digi.com/support/utilities/40003026_T.exe
Mac: ftp://ftp1.digi.com/support/utilities/40003026_T.exe
Install X-CTU Via:
sudo wget ftp://ftp1.digi.com/support/utilities/40002881_R.run
sudo mv 40002881_R.run xctu_64bit.run
sudo chmod +x xctu_64bit.run
sudo ./xctu_64bit.run
Find X-Bee Device:
make sure Xbee is not plugged into a hub, power will be too little, recognizable via the below error, YMMV:
dmesg | grep ttyUSB0
and returning error: [ 228.800021] ftdi_sio ttyUSB0: failed to get modem status: -32
lsusb -v -d 0403:6001
sudo nano /boot/cmdline.txt
change the console tty device from AMA to USB, then for the kgdboc, which allows the remote end to watch the boot process, add/make match as appropriate
console=ttyUSB0,115200 kgdboc=ttyUSB0,115200
sudo nano /etc/inittab
make sure to uncomment (remove #) if present, change tty from AMA to USB
T0:23:respawn:/sbin/agetty -L ttyUSB0 115200 vt100
On Ubuntu x86 system, use X-CTU via
sudo ./XCTU.desktop
update firmware to the latest version
currently 8075 for the Pro S3B, then set baud rate to 115200 on each device
other xbees in the vicinity can be updated by using a local xbee via X-CTU, then setting the api mode to “api mode with escapes”. Note that Transparent Mode should be used unless you have in-depth knowledge to make API mode work. I started with Transparent Mode to demonstrate the below works, but have since moved to API mode to gain the enhanced send-receive control capabilities (pending a working version as of this writing).
do the same steps for all the devices that will be used on the network; once the local device is complete, other remote devices can be updated if visible (close enough).
Close out X-CTU and add the current user to the dialout group via:
sudo usermod -a -G dialout root
reboot then:
Setup Minicom Via:
sudo aptitude install minicom
minicom -s
serial port setup
a, set to /dev/ttyUSB0, then hit enter
e, set baud rate to 115200, then hit enter
hit enter again to close the window and arrive at the configuration page of minicom
select to save as dfl, followed by enter
then move to exit, and hit return
test connection to a locally connected device via
three plus symbols without hitting return
if it replies “ok” in a few seconds or less, all is well
OR Screen:
screen /dev/ttyUSB0
again, if you see a login prompt, you are connected. Note that screen is probably the best choice for most users; it has the inherent quality of ease of use (when compared to Minicom), handles low bandwidth connections with ease, and stays alive despite a disconnect from remote host. Ctl+a and then k will disconnect.
Install Coreutils to add more options than Minicom (Screen is also advisable):
sudo aptitude install coreutils && screen
stty -F /dev/ttyUSB0 -a
this will check serial port capabilities and settings
Communicate with your devices:
Note you interact with your network on a local machine with an X-Bee plugged in, or on a remote device you SSH over the internet, as long as it has an X-Bee attached. Also, note that the below settings to rc.local weren't keeping my settings after a reboot; this is a work in progress. I was setting them manually until I got automation worked out.
Also, I added rc.local to the RPI manually, the how-to for that is out there somewhere:
sudo systemctl stop serial-getty@ttyAMA0.service
sudo systemctl disable serial-getty@ttyAMA0.service
sudo systemctl enable serial-getty@ttyUSB0.service
sudo nano /etc/rc.local
add the below before exit 0
The stty line is twice because it has been noted that the first instance changes the reported baud rate to 9600, the second to 115200. If you are doing this manually, do a “stop” then re-do the start command to receive the prompt. This could be automated; I will update this post with a process monitor.
stty -F /dev/ttyUSB0 speed 115200 cs8 -cstopb -parenb raw
stty -F /dev/ttyUSB0 speed 115200 cs8 -cstopb -parenb raw
sudo systemctl start serial-getty@ttyUSB0.service
Then, use Minicom, Screen, or "cat" and "watch" to view messages sent. When using Minicom you will receive a login prompt via the above directions. As previously stated, I am still trying to get this working smoothly for API mode, but at least I know I have connectivity and can do basic command & control via the command line remotely with Transparent Mode, including running command line programs and commands. Transparent Mode does not offer any enhanced RF propagation correction techniques, hence my desire to get API mode working; RSSI values and error correction would be nice.
The .cap file is captured on AIX v7.1 by iptrace -a -T -b -d XXX.XXX.XX.XXX mycap.cap
When I try to open it with Wireshark/tshark on Mac OS X, it shows:
The capture file appears to be damaged or corrupt. (pcap: File has 3130924352-byte packet, bigger than maximum of 262144)
I think it's iptrace's problem, as this is what I get when I try it with tcpdump -r:
SONGMBP:toibm6 song$ tcpdump -r bk22.cap
reading from file bk22.cap, link-type EN10MB (Ethernet)
-5:-46:-20.131076 [|ether]
tcpdump: pcap_loop: bogus savefile header
SONGMBP:toibm6 song$
My tcpdump version is the one shipped with Mac OS X.
So why? Thanks in advance.
I dropped the idea. Even ipreport -T on the same host of AIX couldn't parse the data.
Thankfully, newer versions of AIX ship tcpdump with it. So... I'll go for tcpdump instead.
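Wireshark's "bigger than maximum of 262144" message comes from a per-record length check. As an added example (not from the original posts), this sketch walks a capture the same way and reports the first record whose header is implausible. The function names and sample bytes are constructed for illustration, and it assumes the classic libpcap layout (24-byte global header, 16-byte record headers).

```python
import struct

MAX_RECORD = 262144  # per-packet limit quoted in the Wireshark error above

# On-disk magic -> struct byte-order prefix (microsecond and nanosecond variants)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",
}

def check_pcap(data, limit=MAX_RECORD):
    """Walk classic-pcap bytes; return (ok, records_read, message)."""
    if len(data) < 24:
        return False, 0, "shorter than the 24-byte global header"
    order = MAGICS.get(data[:4])
    if order is None:
        return False, 0, "magic %s is not classic pcap" % data[:4].hex()
    # version major/minor, thiszone, sigfigs, snaplen, link type
    _maj, _min, _zone, _sig, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    offset, count = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            return False, count, "truncated record header at offset %d" % offset
        # ts_sec, ts_frac, captured length, original length
        _sec, _frac, incl_len, _orig = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        if incl_len > limit:
            return False, count, "record at offset %d claims %d bytes (max %d)" % (
                offset, incl_len, limit)
        if offset + 16 + incl_len > len(data):
            return False, count, "record at offset %d runs past end of file" % offset
        offset += 16 + incl_len
        count += 1
    return True, count, "link type %d, snaplen %d" % (linktype, snaplen)

def build_sample(second_len=None):
    """Constructed capture: two 60-byte records on link type 1 (Ethernet).
    second_len overrides the length field of record 2 to mimic damage."""
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    for i in range(2):
        claimed = second_len if (i == 1 and second_len is not None) else 60
        out += struct.pack("<IIII", 1500000000 + i, 0, claimed, 60) + bytes(60)
    return out

if __name__ == "__main__":
    print(check_pcap(build_sample()))                       # intact sample
    print(check_pcap(build_sample(second_len=3130924352)))  # damaged length field
    print(check_pcap(b"NOTPCAP!" + bytes(32)))              # constructed non-pcap bytes
```

Run against a real file with `check_pcap(open(path, "rb").read())`; the number of records read before the failure shows whether the file is damaged from the start or only part-way through.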
I have USB debugging on and I am showing that the Target is connected; however, I am unable to connect the host.
When I run the below command on my PC I get output indicating that the command is not complete.
adb forward tcp:4444 localabstract:/adb-hub; adb connect localhost:4444
Output:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio>adb forward
tcp: 4444 localabstract:/adb-hub;adb connect localhost:4444
Android Debug Bridge version 1.0.31
For your information, I finally solved the same problem by replacing port 4444 by 5601.
The 2 calls are:
adb forward tcp:5601 localabstract:/adb-hub
and
adb connect localhost:5601
(My Android Wear device is a LG G Watch and my Android tablet is an Asus Nexus 7)
This is easy to solve:
I had the same problem.
Just divide this into two calls.
First enter:
adb forward tcp:4444 localabstract:/adb-hub
hit Enter and after that:
adb connect localhost:4444
Enter and it should connect. If not, try first to start the "adb start-server".
Try the IP address instead of localhost when connecting:
adb forward tcp:4444 localabstract:/adb-hub
adb connect 127.0.0.1:4444
I had this problem as well. After running the above commands in the Command Line, I solved it by activating the Developer Options on my Moto 360 (pressing the build number repeatedly in the settings like the phone), enabling the ADB and Bluetooth Debugging on the watch, and unpairing my watch from my phone.
After I did all these steps my computer finally sent the RSA permissions key for my Android Wear device through my phone.
The complete solution for this issue:
1. Open Your-sdk-path in Explorer.
2. Open platform-tools.
3. Shift + right-click, then select Open command window here.
4. adb forward tcp:4444 localabstract:/adb-hub
adb connect localhost:4444 (for a real device).
5. adb -d forward tcp:5601 tcp:5601 (for an emulator).
Then connect with the emulator in the Android Wear companion app.
Before doing step 4, please ensure that debugging over Bluetooth is enabled in Developer options.
Open Your-sdk-path in Explorer, and then "platform-tools", where it should be your adb.exe , in my case this is ( C:\Users\YourUser\AppData\Local\Android\sdk\platform-tools )
Shift + Rightclick then select Open command window here.
paste "adb forward tcp:4444 localabstract:/adb-hub"
And then paste "adb connect 127.0.0.1:4444" (do not put localhost it is giving problems).
you can check with "adb devices"
I also had an issue with adb debugging over Bluetooth:
Debugging over Bluetooth was always Off for me. Apparently I had to choose a debugging wearable device here:
Android Wear -> Settings (gear icon) -> Debugging over Bluetooth -> Device to Debug
Then all other comments are helpful too.
Tried all of the above, nothing helped.
The one thing that helped me was to restart the phone...
Is there a way to send custom (and even undemanded) ARP responses via shell (e.g. by hand or by a shell script) on Mac OS X or any other UNIX?
In addition, is there a way of making the software ask for the MAC representation for all IPs in the current subnet without sending pings to anyone?
Yes, there is. This kind of activity is used in ARP spoofing and ARP poisoning attacks and is performed, for example, by arpspoof. If you want to discover a host's MAC when you know its IP and it is located in your broadcast domain (LAN), use arping. ARP is a layer 2 protocol, so its packets are not forwarded by routers, but it's much more reliable than ICMP echo (ping).
Some tools:
arp - standard program (win/unix) used to list host's IP-MAC address association cache, which contains already learnt IPs
arping - unix program which sends ARP Request for a given IP and displays MAC contained in received ARP Response
arpspoof - a program from dsniff package generating bogus ARP Responses
A packet generator might do the trick. The wikipedia page links to some implementations but I don't know if they work on OSX.
There are also arp-scan using libpcap; and arpdropper using libnet.
To passively (or actively) sniff your network for ARP packets and display the IP and MAC address of the machine that generated the packet you may use a Mac OS X application called ArpSpyX.
# arpdropper requires http://sourceforge.net/projects/libnet-dev/ to compile
# (libnet & arpdropper successfully compiled on Mac OS X 10.6.8)
curl -LO http://thebends.googlecode.com/svn/trunk/misc/arpdropper.c
gcc -Wall -Wextra -lnet -o arpdropper arpdropper.c
./arpdropper
# Usage: ./arpdropper -i <device> -s <source ip> -d <dest ip>
# For arp replies:
# ./arpdropper -r -i <device> -s <source ip> -m <source mac> -d <dest ip>
# using nmap
# get a pre-compiled Mac OS X version of nmap at:
# http://nmap.org/download.html#macosx or
# http://www.berndsworld.com/downloads/
nmap -PR -oN nmap-arpscan.txt 192.168.0.0/16
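The answers above point out that unsolicited ARP replies are what ARP spoofing relies on, and that arp lists the learnt IP-to-MAC cache. As an added example (not from the original answers), this compares two snapshots of `arp -an` output and flags a MAC that answers for several IPs, or an IP whose MAC changed. The sample output and function names are constructed, and only the `(ip) at mac` part of each line is assumed.

```python
import re
from collections import defaultdict

# Matches "(192.168.0.1) at 0:1a:2b:3c:4d:5e"; macOS omits leading zeros in octets
ENTRY = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})")

def normalize_mac(mac):
    """Zero-pad and lowercase each octet so both OS styles compare equal."""
    return ":".join("%02x" % int(part, 16) for part in mac.split(":"))

def parse_arp_cache(text):
    """Return [(ip, mac)] for resolved unicast entries of arp -an output."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # incomplete entries carry no MAC
        mac = normalize_mac(m.group(2))
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast or multicast mapping
        pairs.append((m.group(1), mac))
    return pairs

def shared_macs(pairs):
    """MACs that the cache maps to more than one IP address."""
    by_mac = defaultdict(set)
    for ip, mac in pairs:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_bindings(before, after):
    """(ip, old_mac, new_mac) for IPs whose MAC differs between snapshots."""
    old = dict(before)
    return sorted((ip, old[ip], mac) for ip, mac in after
                  if ip in old and old[ip] != mac)

# Constructed sample snapshots (addresses are made up)
SAMPLE_BEFORE = """\
? (192.168.0.1) at 0:1a:2b:3c:4d:5e on en0 ifscope [ethernet]
? (192.168.0.20) at 8c:85:90:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.0.31) at (incomplete) on en0 ifscope [ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""
SAMPLE_AFTER = """\
? (192.168.0.1) at 8c:85:90:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.0.20) at 8c:85:90:aa:bb:cc on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    before = parse_arp_cache(SAMPLE_BEFORE)
    after = parse_arp_cache(SAMPLE_AFTER)
    print("shared:", shared_macs(after))
    print("changed:", changed_bindings(before, after))
```

A shared MAC is a lead to investigate rather than proof: proxy ARP and multi-homed hosts produce the same pattern legitimately.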