Capturing mobile phone traffic on Wireshark

android iphone ios networking wireshark

464,331

Solution 1

Here are some suggestions:

For Android phones, any network: Root your phone, then install tcpdump on it. This app is a tcpdump wrapper that will install tcpdump and enable you to start captures using a GUI. Tip: You will need to make sure you supply the right interface name for the capture and this varies from one device to another, eg -i eth0 or -i tiwlan0 - or use -i any to log all interfaces
For Android 4.0+ phones: Android PCAP from Kismet uses the USB OTG interface to support packet capture without requiring root. I haven't tried this app, and there are some restrictions on the type of devices supported (see their page)
For Android phones: tPacketCapture uses the Android VPN service to intercept packets and capture them. I have used this app successfully, but it also seems to affect the performance with large traffic volumes (eg video streaming)
For IOS 5+ devices, any network: iOS 5 added a remote virtual interface (RVI) facility that lets you use Mac OS X packet trace programs to capture traces from an iOS device. See here for more details
For all phones, wi-fi only: Set up your Mac or PC as a wireless access point, then run wireshark on the computer.
For all phones, wi-fi only: Get a capture device that can sniff wi-fi. This has the advantage of giving you 802.11x headers as well, but you may miss some of the packets
Capture using a VPN server: Its fairly easy to set-up your own VPN server using OpenVPN. You can then route your traffic through your server by setting up the mobile device as a VPN client and capture the traffic on the server end.

Solution 2

In addition to rupello's excellent answer, a "dirty" but very effective trick:

For all phones, any (local) network: Set up your PC to Man-In-The-Middle your mobile device.

Use Ettercap to do ARP spoofing between your mobile device and your router, and all your mobile's traffic will appear in Wireshark. See this tutorial for set-up details

Solution 3

Another option which has not been suggested here is to run the app you want to monitor in the Android emulator from the Android SDK. You can then easily capture the traffic with wireshark on the same machine.

This was the easiest option for me.

Solution 4

Wireshark + OSX + iOS:

Great overview so far, but if you want specifics for Wireshark + OSX + iOS:

install Wireshark on your computer
connect iOS device to computer via USB cable
connect iOS device and computer to the same WiFi network
run this command in a OSX terminal window: rvictl -s x where x is the UDID of your iOS device. You can find the UDID of your iOS device via iTunes (make sure you are using the UDID and not the serial number).
goto Wireshark Capture->Options, a dialog box appears, click on the line rvi0 then press the Start button.

Now you will see all network traffic on the iOS device. It can be pretty overwhelming. A couple of pointers:

don't use iOS with a VPN, you don't be able to make sense of the encrypted traffic
use simple filters to focus on interesting traffic
ip.addr==204.144.14.134 views traffic with a source or destination address of 204.144.14.134
http views only http traffic

Here's a sample window depicting TCP traffic for for pdf download from 204.144.14.134:

Solution 5

For Android phone I used tPacketCapture: https://play.google.com/store/apps/details?id=jp.co.taosoftware.android.packetcapture&hl=en

This app was a lifesaver I was debugging a problem with failure of SSL/TLS handshake on my Android app. Tried to setup ad hoc networking so I could use wireshark on my laptop. It did not work for me. This app quickly allowed me to capture network traffic, share it on my Google Drive so I could download on my laptop where I could examine it with Wireshark! Awesome and no root required!

View more solutions

464,331

Xara

Updated on June 26, 2021

Comments

Xara almost 3 years

How can I capture mobile phone traffic on Wireshark?
- Mohammed Javad over 3 years
  
  Windows users can try this stackoverflow.com/a/65774666/10532966
crazy horse about 11 years

how do I figure out the right interface name for the capture for my device (Nexus 7)? Also in the GUI within Shark, what are the right parameters to enter? Thanx
Alexandre Marcondes over 10 years

Can you be more specific on how to do it on at least one platform (Windows, Linux or Mac OS X) ?
mohit almost 10 years

If you are interested in setting up a rogue access point on Windows 7 and above and capture packets using Wireshark, have a look at the steps I put together at mohit.io/blog/… This will work for any device that supports WiFi (Android, iOS, Wii, XBox, etc)
matteo over 9 years

Regarding option 2: that's practically a non-existent option. From their page: "You will need [...] and a RTL8187 based wireless NIC"!!!!
Yury over 9 years

@rupello, could you, please, explain abit more option 7? I managed to install openvpn server on interface "tun0" and managed to connect to this server from my phone. However, I cannot capture packets from this interface using scapy with the command sniff(iface='tun0', count=10)?
rupello over 9 years

@Yury, my OpenVPN installation (the commercial one) creates two adapters for the access server, called as0t0 and as0t1. I capture the user packets using something like "sudo tcpdump -i as0t1 -s 0 -w out.cap"
Yury over 9 years

@rupello, I already configured OpenVPN and scapy for sniffing traffic. There is a config parameter in the server push "redirect-gateway def1"that needs to be enabled. Additionally, in scapy function sniff it is required to use custom filter. In any case, thank you very much!
Nighto about 9 years

For me, the option #3 is the easiest to do simple tasks such as check what calls a certain app does.
Evi1M4chine almost 9 years

Most of those don’t work for packets that never leave the device or if you already use a VPN. So these are useless for solving MTU/fragmentation-related problems.
Evi1M4chine almost 9 years

Won’t work, if your problems only occur when using a VPN (and never end up on the hub/router either).
minipif over 8 years

You can also use Charles proxy on Mac OS, for capturing HTTP traffic, it has a very nice interface and functionalities. You'll need to set up your computer's local IP has a proxy on your phone. It can sniff TLS traffic too, and do it without a warning if you install Charles' certificate on the phone.
Dan Dascalescu about 7 years

There are Android firewall apps that can capture packets without root permissions. For example, LostNet NoRoot Firewall.
Vishal Maral about 7 years

@DanDascalescu Any idea about what approach does Lostnet uses for its working?
dominicbri7 over 6 years

What if I want to do the opposite? Use my usb-connected smartphone to capture my PC's packets? Basically run a wireshark-like software on my Android phone
ransh over 6 years

That's interesting option. Can it handle ssl packets ?
not2qubit over 6 years

Shark is no longer available on Google Play.
user276648 over 6 years

Indeed, it seems to have been removed. The site swapper.n3o.lv also doesn't seem to hold the apks anymore.
Brad almost 6 years

This is only useful for HTTP/HTTPS traffic.
Nic about 5 years

#2 has a dead link.
Himanshu Bansal over 4 years

That VPN not working... no page is opening or data is fetched... having that VPN is like having no internet connection...
pouya over 3 years

The best and the easiest option is this one. Why messing with the phone? rooting, compiling tcpdump to be compatible with ARM CPUs, arpspoofing local network to direct traffic toward ethernet BLAH BLAH BLAH and eventually run wireshark and capture the packets??. Just install the app in an emulator and capture ethernet. easy-peasy
Vaulter almost 3 years

because there are some 3rd party libraries, which could not be changed, but detects that it running on emulator and change its behaviour. And such you need real device.