# Android tcpdump TCP packet capture

[TOC]

## Commonly used capture commands

```bash
adb shell rm /sdcard/capture.pcap
adb shell /data/local/tcpdump -i any -p -s 0 -w /sdcard/capture.pcap
adb pull /sdcard/capture.pcap capture.pcap
```

## Installation

Preparation:

- the device needs root access
- a tcpdump binary
- Wireshark as the analysis tool: https://www.wireshark.org/

Run `adb shell`, then `su` to obtain root. tcpdump must exist in the directory you run it from on the command line:

```bash
adb push tcpdump /data/local/tcpdump
adb shell chmod 6755 /data/local/tcpdump
```

Note that mode 6755 sets the setuid and setgid bits, so the binary executes with its owner's identity for anyone who can run it; remove it from the device once the capture is done.

## Usage

Run tcpdump:

```bash
cd /data/local
./tcpdump -i any -p -s 0 -w /sdcard/capture.pcap
```

Pull the captured tcp/udp packets:

```bash
adb pull /sdcard/capture.pcap
```

Open capture.pcap with Wireshark to analyse the log.

tcpdump parameter notes:

```
# "-i any": listen on any network interface
# "-p": disable promiscuous mode (doesn't work anyway)
# "-s 0": capture the entire packet
# "-w": write packets to a file (rather than printing to stdout)
... do whatever you want to capture, then ^C to stop it ...
```

## Troubleshooting

### tcpdump capture fails on Android 5.0

On Android 5.0 capturing with tcpdump fails, whereas on systems before 5.0 it captures normally:

```
error: only position independent executables (PIE) are supported.
```

This is caused by the PIE security mechanism, which was introduced starting with Android 4.1. PIE randomises the addresses at which the program is loaded, making it harder for an attacker to exploit an overflow vulnerability in the program. Detailed introduction to PIE: https://en.wikipedia.org/wiki/Position-independent_code

System versions before Android L did not verify whether an executable was built as PIE, so versions below Android L raised no error. Android L enables the check: if the executable being invoked was not compiled as PIE, it cannot run. Add the following flags when compiling:

```make
LOCAL_CFLAGS += -pie -fPIE
LOCAL_LDFLAGS += -pie -fPIE
```

### adb shell is not the root user

On some rooted devices, `adb shell` does not give you the root user by default; you need to type `su` to switch to root. Installing su requires rooting the device yourself.

```bash
adb shell "su -c 'sleep 1'"
adb start-server
adb push tcpdump /data/local/tcpdump
# run from the same path the binary was pushed to
adb shell su -c "/data/local/tcpdump -i any -p -s 0 -w /sdcard/netCapture.pcap"
```

### Install script

Before using this script, note that it requires adb to enter the shell as root directly; you can obtain that with `adb root`.

```bash
#!/bin/bash
shell_script_path=$(cd "$(dirname "$0")"; pwd)
tcpdump_local_path="${shell_script_path}/tcpdump"
# The download URL is missing from the original post; fill it in before use.
tcpdump_url="<URL-of-tcpdump-binary>"

if [ ! -f "${tcpdump_local_path}" ]; then
    cd "${shell_script_path}"
    curl -O "${tcpdump_url}"
    echo -e "download tcpdump at path ${shell_script_path}"
fi

if [ -f "${tcpdump_local_path}" ]; then
    echo -e "findout tcpdump ${tcpdump_local_path}"
else
    echo -e "download tcpdump fail"
    exit 1
fi

adb push "${tcpdump_local_path}" /data/local/tcpdump
adb shell chmod 6755 /data/local/tcpdump
echo -e "install tcpdump success"
echo -e "You can use like
adb shell as root!
cd /data/local/
./tcpdump -i any -p -s 0 -w /sdcard/capture.pcap
Then exit shell
adb pull /sdcard/capture.pcap .
"

echo -e "Do you want delete tcpdump file (y) ?"
read isDeleteDownload
if [ "${isDeleteDownload}" == "y" ]; then
    rm -f "${tcpdump_local_path}"
    echo -e "success remove ${tcpdump_local_path}"
fi
```
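The PIE error in the troubleshooting section can be caught on the host before the binary is ever pushed: a PIE executable is linked with ELF type `ET_DYN`, while an old-style fixed-address build is `ET_EXEC`. The following is an added example, not code from the original post; it decodes the ELF header fields that matter (class, endianness, `e_type`, `e_machine`) and applies the rule the post states, that the check is enforced from Android L (5.0) onwards. The sample headers are constructed inline and the function names are the example's own.

```python
# Added example (not from the original post): inspect an ELF header so a non-PIE
# tcpdump is rejected on the host instead of by Android's
# "only position independent executables (PIE) are supported" error.
import struct

ET_EXEC, ET_DYN = 2, 3                       # e_type: fixed-address executable / PIE or shared object
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 40, 62, 183
MACHINE_NAMES = {EM_386: "x86", EM_ARM: "ARM", EM_X86_64: "x86_64", EM_AARCH64: "AArch64"}
PIE_ERROR = "only position independent executables (PIE) are supported"


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF identification block plus e_type and e_machine (first 20 bytes)."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]       # 1/2 = 32/64-bit, 1/2 = little/big endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification block")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "type": e_type,
        "machine": e_machine,
        "machine_name": MACHINE_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "pie": e_type == ET_DYN,               # PIE executables are linked as ET_DYN
    }


def check_tcpdump_binary(data: bytes, android_major: int) -> str:
    """Return 'ok', or the error Android would print for this binary.

    android_major is the device's major release number (5 for Android L).
    The post states the PIE check is enforced from Android L onwards.
    """
    hdr = parse_elf_header(data)
    if android_major >= 5 and not hdr["pie"]:
        return PIE_ERROR
    return "ok"


def check_file(path: str, android_major: int) -> str:
    """Convenience wrapper for a real binary on disk: only the header is read."""
    with open(path, "rb") as f:
        return check_tcpdump_binary(f.read(64), android_major)


def make_sample_header(ei_class: int, e_type: int, e_machine: int) -> bytes:
    """Constructed sample: a minimal little-endian ELF header, remaining fields zeroed."""
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HH", e_type, e_machine) + bytes(44)


# Constructed samples: a 64-bit ARM build done with -pie -fPIE, and a 32-bit
# ARM build without those flags.
SAMPLE_PIE_ARM64 = make_sample_header(2, ET_DYN, EM_AARCH64)
SAMPLE_NONPIE_ARM = make_sample_header(1, ET_EXEC, EM_ARM)

if __name__ == "__main__":
    for name, blob in (("pie-arm64", SAMPLE_PIE_ARM64), ("nonpie-arm", SAMPLE_NONPIE_ARM)):
        print(name, parse_elf_header(blob), "->", check_tcpdump_binary(blob, 5))
```

On a host with binutils installed, `readelf -h tcpdump` shows the same `Type:` field (`DYN` for PIE, `EXEC` otherwise); the parser above is useful where that tool is absent or the check has to run in a script.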
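The usage section pulls `capture.pcap` and opens it in Wireshark; a quick header check after `adb pull` tells you whether the capture is worth opening at all. The following is an added example, not code from the original post: it confirms the file is classic pcap, reports the link type (`-i any` writes Linux cooked-capture records rather than Ethernet frames) and the snaplen, counts records whose captured length is shorter than their on-the-wire length (what you get without `-s 0`), and flags a truncated trailing record from a capture that was killed mid-write. The sample files and function names are constructed for this example.

```python
# Added example (not from the original post): sanity-check a pulled pcap file.
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # classic pcap, nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A      # pcapng section header block: a different format
LINKTYPES = {1: "ETHERNET", 113: "LINUX_SLL", 276: "LINUX_SLL2"}
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16


def inspect_pcap(data: bytes) -> dict:
    """Parse the global header and walk the records without decoding packet contents."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header; was tcpdump stopped before writing?")
    if struct.unpack("<I", data[:4])[0] == PCAPNG_MAGIC:
        raise ValueError("pcapng file, not classic pcap")
    if struct.unpack("<I", data[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("unknown magic %r" % data[:4])
    magic, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR_LEN])

    off, packets, truncated, partial_tail = GLOBAL_HDR_LEN, 0, 0, False
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            partial_tail = True              # record header itself is cut off
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        if off + RECORD_HDR_LEN + incl_len > len(data):
            partial_tail = True              # packet bytes are cut off
            break
        packets += 1
        if incl_len < orig_len:
            truncated += 1                   # snaplen was too small for this packet
        off += RECORD_HDR_LEN + incl_len

    return {
        "version": "%d.%d" % (vmaj, vmin),
        "nanosecond": magic == PCAP_MAGIC_NSEC,
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown(%d)" % linktype),
        "packets": packets,
        "truncated": truncated,
        "partial_tail": partial_tail,
    }


def make_sample_pcap(snaplen: int, records) -> bytes:
    """Constructed sample: little-endian pcap with LINUX_SLL link type.

    records is a list of (captured_len, original_len) pairs; packet bytes are zeros.
    """
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, 113)
    body = b"".join(
        struct.pack("<IIII", 1700000000 + i, 0, incl, orig) + bytes(incl)
        for i, (incl, orig) in enumerate(records))
    return hdr + body


# Constructed samples: a capture started with "-s 0" (262144 is what recent tcpdump
# uses for that), and one started with a small snaplen that cut a 1500-byte packet.
SAMPLE_FULL = make_sample_pcap(262144, [(74, 74), (1500, 1500)])
SAMPLE_TRUNC = make_sample_pcap(96, [(96, 1500), (60, 60)])

if __name__ == "__main__":
    print("full :", inspect_pcap(SAMPLE_FULL))
    print("trunc:", inspect_pcap(SAMPLE_TRUNC))
    print("cut  :", inspect_pcap(SAMPLE_FULL[:-10]))
```

A non-zero `truncated` count means the capture should be redone with `-s 0`; a `partial_tail` usually means tcpdump was killed rather than stopped with `^C`, and Wireshark will report the last record as cut short.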