17

I would like to capture with Wireshark one of the Android application's HTTP messages.

I was trying to filter on Android's IP address, then MAC address, without success. I'm sure the solution would be simple, but I couldn't figure it out yet.

b4l4zs

2 Answers

19

Genymotion VMs have two network adapters in the underlying VirtualBox configuration. Which one you should capture on depends on what you're looking for. Also, some of the details (adapter names, etc.) depend on what OS you're using. However, the concepts are identical.

Adapter 1, usually vboxnet0 if you're on Ubuntu, is a host-only adapter used to support local interactions between the host and the VM. In the default Ubuntu setup, this is the 192.168.56.0 network. The host machine is 192.168.56.1 and the VM usually ends up getting 192.168.56.101 from VirtualBox's built-in DHCP server. This connection is used by the Android Debug Bridge (ADB) to connect development tools with the VM. For example, this is how Eclipse ADT and Android Studio are able to communicate with the VM for installing APKs, etc. When you do adb shell you are also connecting over this network. If you want to examine how your dev tools are communicating with your VM, capture on vboxnet0 (or equivalent).

Adapter 2 is normally NATed to your host's network connection, usually something like eth0 or wlan0 on Ubuntu. This enables Internet access for the VM. If you want to see how your VM is interacting with the local network or Internet, capture against your host's main network adapter. Unfortunately, when the VM is NATed, your VM traffic will have the same IP as your host, making it difficult to filter. If this causes a problem, shut down your VM, open VirtualBox directly (i.e., no Genymotion launcher), change Adapter 2 to "Bridged Adapter", and select the current active host adapter in the VM's network configuration. If your local LAN uses DHCP (likely), this will allow the VM to get its own IP which you can then filter on in Wireshark. Once you restart the VM (from the Genymotion Launcher), you can find out what address it's been assigned with adb shell ifconfig from the host. Look for eth1 which corresponds to VirtualBox Adapter 2 (eth0 is for the adb connection over VirtualBox Adapter 1).

Paul Ratazzi
  • Thanks for the description about adapters. I'd like to capture the Android VM's network messages, so based on your comment I changed Adapter 2 to Bridged in VirtualBox. After using Bridged Adapter, Android can't connect to WiredSSID (with none of the adapter name). – b4l4zs Apr 18 '15 at 15:26
  • Does the network your host is connected to use DHCP? – Paul Ratazzi Apr 18 '15 at 15:53
  • Yes, DHCP is enabled on the router. – b4l4zs Apr 18 '15 at 17:02
  • Make sure that you are bridging to the correct host adapter. This is selected with the _Name:_ pulldown on the _Adapter 2_ tab. On my Ubuntu system there are three choices: `eth0` (hardline Ethernet adapter), `eth1` (USB Ethernet for my tethered hotspot), and `wlan0` (WiFi). In order for the VM to have Internet access, I have to change this to whatever connection I am using before starting the VM from Genymotion. Also, FWIW, I have `virtio-net` selected for _Adapter Type:_ (under _Advanced_). – Paul Ratazzi Apr 20 '15 at 13:40
  • I am also unable to get an assigned IP address on the VM, for some reason. I don't have access to the router so maybe there's a mac filter but I don't know anything about it. I've also tried this to no avail: http://scrumsofanarchy.com/capturing-traffic-from-genymotion-or-any-other-virtual-box-based-emulator-without-a-proxy/ – julien_c Feb 13 '18 at 20:39
  • Hm. Because of the age of this answer, I decided to try the setup again to see if maybe something changed with Genymotion. Today I am on Win10 running Genymotion Launcher 2.11.0, VirtualBox 5.2.6, and my VM is a Nexus 5X running Android 7.1.0. To sniff the Internet traffic of the VM, I changed Adapter 2 to "Bridged" and pointed it at the wired Ethernet adapter of my laptop, which is how I am currently connected. When I started the VM, it picked up an address different than my laptop's and I was able to run Wireshark on the Ethernet adapter, with an ip.addr filter on the VM's address. – Paul Ratazzi Feb 13 '18 at 21:17
  • I also just tried this with my WiFi adapter and it seems to work there as well. BTW, you can check your VM's address using `ifconfig` at the VM's shell prompt. There should be two: `eth0` corresponding to VirtualBox Adapter 1 (this is the Host Only adapter for `adb` connection) and `eth0` corresponding to VirtualBox Adapter 2 (the NAT or Bridged Adapter for Internet connection). – Paul Ratazzi Feb 13 '18 at 21:25
  • But apparently that doesn't let one capture (or rather decrypt) https traffic. – x-yuri Sep 06 '19 at 13:39
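
The bridged-adapter procedure from the answer above as a script; this is an added example, not part of the original answer. The VM name and host adapter arguments and the addresses in the sample `ifconfig` output are constructed, and the toybox-style output layout is an assumption.

```shell
#!/bin/sh
# Added example. Assumed inputs: VM name, host adapter, constructed addresses.

# Constructed sample of `adb shell ifconfig` output (toybox layout).
SAMPLE_IFCONFIG=$(cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 08:00:27:00:00:01
          inet addr:192.168.56.101  Bcast:192.168.56.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe00:1/64 Scope: Link

eth1      Link encap:Ethernet  HWaddr 08:00:27:00:00:02
          inet addr:192.168.1.23  Bcast:192.168.1.255  Mask:255.255.255.0
EOF
)

# Print the IPv4 address of interface $1 from ifconfig output on stdin.
iface_ipv4() {
  awk -v ifc="$1" '
    /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }      # start of a new stanza
    cur == ifc && match($0, /inet (addr:)?[0-9.]+/) {
      ip = substr($0, RSTART, RLENGTH)
      sub(/^inet (addr:)?/, "", ip); print ip; exit
    }'
}

# Build the capture filter; refuse anything that is not a dotted quad.
capture_filter() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  printf 'host %s' "$1"
}

# Usage: bridge_and_capture <vm-name> <host-adapter>   (VM must be powered off)
bridge_and_capture() {
  VBoxManage modifyvm "$1" --nic2 bridged --bridgeadapter2 "$2" || return 1
  printf 'Start the VM from the Genymotion launcher, then press Enter: '
  read -r reply
  ip=$(adb shell ifconfig | tr -d '\r' | iface_ipv4 eth1)
  filter=$(capture_filter "$ip") || { echo "no eth1 address found" >&2; return 1; }
  tshark -i "$2" -f "$filter" -Y http    # plain HTTP to or from the VM only
}

if [ "$#" -eq 2 ]; then
  bridge_and_capture "$1" "$2"
else
  # No arguments: offline run on the constructed sample above.
  capture_filter "$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_ipv4 eth1)"; echo
fi
```
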
0

If you use Genymotion, capturing traffic between Host (i.e., your machine) and Guest (i.e., Genymotion Emulator) is very simple.

  1. As Genymotion uses VirtualBox to create the virtual environment, you can find the vboxnet0 interface listed in Wireshark; select it and record all traffic flowing between Guest (Genymotion) and Host (your system).

[Image: Wireshark interface list]

  2. In case you don't want to use Wireshark to monitor traffic, you can also use Fiddler and configure proxy settings in Genymotion (adding-proxy steps are documented in the Genymotion docs) towards the Fiddler-running machine's IP address and port.

  3. And in Fiddler, to capture traffic, make this setting: Tools menu > Fiddler Options > Connections and tick the Allow Remote Computers to connect box, then restart Fiddler.

Harsh Dattani