20 January

Creating a PCAP file on Android devices (root/non-root)


Capturing network traffic and saving it as a PCAP file is a common practice for log analysis, debugging, and security auditing. Below is a comprehensive guide for both rooted and non-rooted Android devices, including the use of Termux and VPN-based solutions.


For Rooted Devices

Rooted devices provide more flexibility as you can directly access low-level network interfaces. The following methods are recommended:

Method 1: Using tcpdump

1. Install tcpdump:

  • Download the tcpdump binary:
    wget https://www.tcpdump.org/release/tcpdump-4.99.4.tar.gz
    
  • Extract and build (building from source needs a compiler and libpcap available on the device; the precompiled binary below is the easier route):
    tar -xvf tcpdump-4.99.4.tar.gz
    cd tcpdump-4.99.4
    ./configure
    make
    make install
    
  • Alternatively, you can copy a precompiled tcpdump binary to your phone using ADB:
    adb push tcpdump /data/local/tmp/
    adb shell chmod +x /data/local/tmp/tcpdump
    

2. Run tcpdump:

  • Open a terminal app (like Termux or a terminal emulator).
  • Run tcpdump to capture packets:
    /data/local/tmp/tcpdump -i any -w /sdcard/capture.pcap
    
  • Stop the capture with Ctrl+C.

3. Transfer the PCAP File:

  • Use ADB or file transfer to copy the file to your computer for analysis:
    adb pull /sdcard/capture.pcap
    

Method 2: Using Shark for Root

Shark for Root is a graphical frontend for tcpdump.

Steps:

  1. Install Shark for Root from a trusted APK source.
  2. Open the app and start capturing packets.
  3. Save the capture when done.
  4. Transfer the PCAP file to your computer for analysis.

For Non-Rooted Devices

Non-rooted devices can still capture traffic using apps that create a local VPN interface and record whatever is routed through it. However, these methods have limitations (e.g., they only see traffic that passes through the app's VPN interface, so anything outside that scope is not captured).

Method 1: Using Packet Capture

Packet Capture is an Android app available on the Play Store.

Steps:

  1. Install Packet Capture from the Play Store.
  2. Launch the app and start capturing traffic.
  3. If capturing HTTPS traffic, follow the instructions to install the app’s CA certificate (the app uses it to decrypt HTTPS locally before writing the capture).
  4. Stop the capture and save the file as a PCAP.
  5. Transfer the PCAP file to your computer for further analysis.

Method 2: Using tPacketCapture

tPacketCapture is another non-root option available on the Play Store.

Steps:

  1. Install tPacketCapture.
  2. Launch the app and start capturing.
  3. Save the log in PCAP format.
  4. Transfer the file for analysis.

Using Termux for PCAP Capture

Termux allows for terminal-based operations on non-rooted or rooted devices.

For Rooted Devices in Termux

  1. Install tcpdump in Termux:

    pkg install tcpdump
    
  2. Run tcpdump with root privileges (raw packet capture needs root, so prefix the command with su if your Termux session is not already root):

    tcpdump -i any -w /sdcard/capture.pcap
    
    • Replace /sdcard/capture.pcap with your desired file path.
  3. Stop the Capture:

    • Use Ctrl+C to end the process.
  4. Transfer the File:

    adb pull /sdcard/capture.pcap
    

For Non-Rooted Devices in Termux

Non-rooted Termux users can use VPN-based apps to capture traffic while managing the PCAP files in Termux.


Analyzing HTTPS Traffic

Decrypt HTTPS Traffic

  1. Install the capturing app’s SSL certificate.
  2. Configure your network or browser to trust the certificate.
  3. Use tools like Wireshark to decode HTTPS streams.

Transfer and Analysis

Transfer PCAP File:

  • Use ADB:
    adb pull /sdcard/capture.pcap
    
  • Or upload to cloud storage (Google Drive, Dropbox). Keep in mind that a capture can contain session tokens, cookies and other credentials, so treat the file as sensitive.

Analyze with Wireshark:

  1. Open Wireshark on your computer.
  2. Load the PCAP file:
    File -> Open -> Select capture.pcap
    
  3. Analyze the captured traffic using filters and protocols.
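Before loading the pulled file into Wireshark, it is worth checking that the transfer produced a valid, complete capture. The following is an added example (not part of the original post) that parses the classic pcap global header and record headers, reports the link type (note that `tcpdump -i any` writes Linux cooked capture, LINKTYPE_LINUX_SLL, rather than Ethernet), and flags a file that was cut off mid-record, as happens when Ctrl+C lands during a write. The sample data is constructed inline by the hypothetical build_pcap helper.

```python
import struct

# pcap global-header magic, as read little-endian from the first 4 bytes.
MAGICS = {
    0xA1B2C3D4: ("<", "us"),   # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", "us"),   # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", "ns"),   # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", "ns"),   # big-endian file, nanosecond timestamps
}

# Link types commonly seen in captures taken on an Android device.
LINKTYPES = {
    1: "ETHERNET",
    101: "RAW (raw IPv4/IPv6 packets, no link-layer header)",
    113: "LINUX_SLL (Linux cooked capture, what 'tcpdump -i any' writes)",
    276: "LINUX_SLL2",
}

def inspect_pcap(data: bytes) -> dict:
    """Validate a classic pcap (not pcapng) blob and summarise its records."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError(f"bad magic 0x{magic:08x}: not a classic pcap file")
    endian, ts_unit = MAGICS[magic]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, captured_bytes, truncated, off = 0, 0, False, 24
    while off < len(data):
        if off + 16 > len(data):
            truncated = True            # record header cut off (e.g. Ctrl+C mid-write)
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len or off + 16 + incl_len > len(data):
            truncated = True            # record body missing or header implausible
            break
        packets, captured_bytes, off = packets + 1, captured_bytes + incl_len, off + 16 + incl_len
    return {"version": f"{major}.{minor}", "timestamps": ts_unit, "linktype": linktype,
            "linktype_name": LINKTYPES.get(linktype, "unknown"), "snaplen": snaplen,
            "packets": packets, "bytes": captured_bytes, "truncated": truncated}

def build_pcap(linktype: int, payloads: list, big_endian: bool = False, trailing: bytes = b"") -> bytes:
    """Constructed sample data (hypothetical helper): assemble a classic pcap from raw record payloads."""
    e = ">" if big_endian else "<"
    out = struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype)
    for i, p in enumerate(payloads):
        out += struct.pack(e + "IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out + trailing

if __name__ == "__main__":
    print(inspect_pcap(build_pcap(113, [b"A" * 60, b"B" * 74], trailing=b"\x00" * 10)))
```

To check a real capture, read it with `open("capture.pcap", "rb").read()` and pass the bytes to inspect_pcap; a `truncated` result means the last record is unusable, although Wireshark will still open the preceding packets.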

This guide provides detailed instructions for both rooted and non-rooted devices, covering a range of tools and methods. 


