
I'm interested in making a C# program that is able to capture network traffic from an Android device. Using ADB, I'm able to forward traffic from the device to Windows standard output. Then, the output is forwarded to Wireshark, which is pre-configured to listen to standard output.

Below are the commands I'm using, just in case someone else needs them.

In the first CMD window

adb shell "tcpdump -n -s 0 -w - | nc -l 11233"

In the second CMD window

adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233 | wireshark -k -S -i -

Here is my question.

I'm using SharpPcap to capture network traffic in my program. Currently, I'm able to get packets from my network adapter, i.e. Ethernet or WiFi. But as you can see, network traffic is forwarded from the Android device to standard output after this command

adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233

And the output of this command will be the input of the following one, as Wireshark is configured to listen to standard output by "-i -".

Each time the 2 commands above are executed, one instance of a Wireshark window is opened to capture packets. This cannot be applied to my program.

The idea is to open a form using SharpPcap to capture packets from standard output.

Does anyone know how to do this? Any other idea is also welcome.

Thanks a lot!!!

Viet-Anh Dinh
  • I'm the author of SharpPcap. Do you know what format is used for the stdout passed to Wireshark? If you did, you could make a C# application that would receive those and pass them along to PacketDotNet for parsing. – Chris Morgan Feb 20 '17 at 12:46
  • Hi Chris. The packet format is exactly the same as when you capture traffic from your LAN. As you can see, stdout is passed directly to Wireshark and can be decoded and displayed in Wireshark as normal network traffic. If I can get one packet at a time, I guess PacketDotNet could help to parse. But in this situation, I couldn't use ICaptureDevice from SharpPcap to get a RawCapture using GetNextPacket(), since there's no device here but capturing from STDOUT. Do you have any suggestions? Thanks. – Viet-Anh Dinh Feb 21 '17 at 02:12
  • @ChrisMorgan: I'm having a byte array containing all packets read from STDOUT. I checked several times and my byte array has the same format with pcap log. I guess it could be decoded by using PacketDotNet. Any advice? – Viet-Anh Dinh Feb 22 '17 at 01:47
  • I don't see a good way to get data coming in from stdin routed to pcap. It doesn't look like doing a pcap_open_offline() would accept the file descriptor for stdin. Looking at https://github.com/wireshark/wireshark/blob/93a5c83f0a6e609ec4ba3e55872f9924d59ba38a/dumpcap.c#L123 it looks like that file parses the pcap format manually. I also don't see anything in the pcap man page that looks like it could work here. Thoughts? – Chris Morgan Feb 23 '17 at 20:22
  • Hi. I found my way to capture packets from stdout. 1. Save all output from stdout into a Queue. 2. Extract bytes from that queue, convert to hex, and decode the time of arrival, length & payload of a packet from the hex. 3. Then use Packet.Net to do the rest. I have tried, but there are some exceptions in handling the queue. Will post my code here when the exceptions are fixed. – Viet-Anh Dinh Feb 24 '17 at 01:47
  • @ChrisMorgan: Does SharpPcap support SIP message parser? As far as I observe from code, it does not. Am I right? – Viet-Anh Dinh Feb 24 '17 at 01:49
  • I don't think it does yet either. Those are supported through PacketDotNet though, SharpPcap handles interacting with libpcap/npcap, PacketDotNet handles the packets. – Chris Morgan Feb 24 '17 at 13:15
  • Why convert to hex with the decode? If you could handle the binary data directly and process the header it would be something that could be accepted back into SharpPcap if you'd like to go that route. There are a few ways to decode the binary data, PacketDotNet does it a lot in its packet classes like TcpPacket. – Chris Morgan Feb 24 '17 at 13:27
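The parsing step discussed in the comments above (read the pcap global header, then each record's timestamp, captured length and payload, and hand the raw bytes on to PacketDotNet) as an added C# example. It is not part of the original question, nor code from SharpPcap or PacketDotNet. It assumes the stream is classic pcap as written by "tcpdump -w -" (pcapng is rejected), reads from any Stream (stdin, the nc socket, a file), and has no dependency on PacketDotNet; the call Packet.ParsePacket is named only in a comment as the hand-off point. The sample pcap bytes it parses when run without arguments are constructed here. Because the bytes come from a device you do not fully control, the reader bounds every allocation by the header's snaplen and a hard ceiling and stops cleanly on a truncated record instead of trusting the length fields.

```csharp
using System;
using System.Buffers.Binary;
using System.IO;

// One captured record: arrival time, original wire length, and the captured bytes.
public sealed class PcapRecord
{
    public DateTime Timestamp { get; init; }
    public uint OriginalLength { get; init; }
    public byte[] Data { get; init; } = Array.Empty<byte>();
}

// Minimal reader for the classic pcap format (24-byte global header, then
// 16-byte record headers followed by incl_len bytes of packet data).
public sealed class PcapStreamReader
{
    private const uint MagicMicro = 0xa1b2c3d4;  // microsecond timestamps
    private const uint MagicNano  = 0xa1b23c4d;  // nanosecond timestamps
    private const uint MaxSnapLen = 262144;      // hard ceiling on any single record allocation

    private readonly Stream _input;
    private bool _bigEndian;
    private bool _nanoseconds;
    private uint _recordLimit;

    public uint SnapLen { get; private set; }
    public uint LinkType { get; private set; }   // 1 = Ethernet, 101 = raw IP, 113 = Linux SLL

    public PcapStreamReader(Stream input) { _input = input; ReadGlobalHeader(); }

    // Fill the buffer completely; false means EOF (e.g. nc closed the pipe).
    private bool ReadExactly(Span<byte> buf)
    {
        int filled = 0;
        while (filled < buf.Length)
        {
            int n = _input.Read(buf.Slice(filled));
            if (n == 0) return false;
            filled += n;
        }
        return true;
    }

    private uint U32(ReadOnlySpan<byte> s) =>
        _bigEndian ? BinaryPrimitives.ReadUInt32BigEndian(s) : BinaryPrimitives.ReadUInt32LittleEndian(s);

    private void ReadGlobalHeader()
    {
        Span<byte> h = stackalloc byte[24];
        if (!ReadExactly(h)) throw new EndOfStreamException("no pcap global header on the stream");
        uint le = BinaryPrimitives.ReadUInt32LittleEndian(h), be = BinaryPrimitives.ReadUInt32BigEndian(h);
        if (le == MagicMicro || le == MagicNano) { _bigEndian = false; _nanoseconds = le == MagicNano; }
        else if (be == MagicMicro || be == MagicNano) { _bigEndian = true; _nanoseconds = be == MagicNano; }
        else throw new InvalidDataException($"not classic pcap (magic 0x{le:x8}); pcapng is not handled here");
        // Layout: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
        SnapLen = U32(h.Slice(16));
        LinkType = U32(h.Slice(20));
        _recordLimit = (SnapLen == 0 || SnapLen > MaxSnapLen) ? MaxSnapLen : SnapLen;
    }

    // Returns false at a clean EOF or a truncated trailing record; throws on corrupt length fields.
    public bool TryReadRecord(out PcapRecord record)
    {
        record = null!;
        Span<byte> hdr = stackalloc byte[16];
        if (!ReadExactly(hdr)) return false;
        uint tsSec = U32(hdr), tsFrac = U32(hdr.Slice(4)), inclLen = U32(hdr.Slice(8)), origLen = U32(hdr.Slice(12));
        if (inclLen > _recordLimit || inclLen > origLen)
            throw new InvalidDataException($"record length {inclLen}/{origLen} exceeds snaplen {_recordLimit}");
        byte[] data = new byte[inclLen];
        if (!ReadExactly(data)) return false;
        long ticks = _nanoseconds ? tsFrac / 100 : tsFrac * 10L;  // DateTime ticks are 100 ns
        record = new PcapRecord
        {
            Timestamp = DateTime.UnixEpoch.AddSeconds(tsSec).AddTicks(ticks),
            OriginalLength = origLen,
            Data = data,
        };
        return true;
    }
}

public static class Demo
{
    // Constructed sample (not captured from any device): little-endian pcap header with
    // linktype 1 (Ethernet), one record timestamped 2017-02-21 00:00:00 UTC holding a
    // broadcast Ethernet frame with EtherType 0x0800 and four payload bytes.
    public static byte[] BuildSamplePcap()
    {
        var ms = new MemoryStream();
        var w = new BinaryWriter(ms);
        w.Write(0xa1b2c3d4u); w.Write((ushort)2); w.Write((ushort)4); w.Write(0); w.Write(0u); w.Write(262144u); w.Write(1u);
        byte[] frame = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x00, 0xde, 0xad, 0xbe, 0xef };
        w.Write(1487635200u); w.Write(123456u); w.Write((uint)frame.Length); w.Write((uint)frame.Length); w.Write(frame);
        return ms.ToArray();
    }

    // With no argument the sample is parsed; with "-" the live stream on stdin is parsed,
    // e.g. `nc 127.0.0.1 11233 | dotnet run -- -` after the adb forward from the question.
    public static void Main(string[] args)
    {
        using Stream input = args.Length > 0 && args[0] == "-" ? Console.OpenStandardInput() : new MemoryStream(BuildSamplePcap());
        var reader = new PcapStreamReader(input);
        Console.WriteLine($"linktype={reader.LinkType} snaplen={reader.SnapLen}");
        while (reader.TryReadRecord(out PcapRecord rec))
        {
            // Hand-off point: with PacketDotNet referenced this would be
            // Packet.ParsePacket((LinkLayers)reader.LinkType, rec.Data). Here we only peek at the EtherType.
            string ethType = reader.LinkType == 1 && rec.Data.Length >= 14 ? $"0x{rec.Data[12]:x2}{rec.Data[13]:x2}" : "n/a";
            Console.WriteLine($"{rec.Timestamp:O} len={rec.Data.Length}/{rec.OriginalLength} ethertype={ethType}");
        }
    }
}
```

The reader deliberately does not buffer the whole stream into a queue first: each record is consumed as it arrives, so a long-running capture does not grow memory, and a record whose incl_len exceeds the snaplen is treated as corruption rather than allocated. Timestamps are converted per the magic value, so a capture written with nanosecond resolution decodes correctly as well.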

1 Answer


Can you create a fifo using mkfifo and have nc write to the fifo instead of to stdout? Then just have wireshark read from the fifo instead of from stdin? Something like:

mkfifo sharkfin
wireshark -k -S -i sharkfin &
adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233 > sharkfin

In case wireshark stops capturing and you don't want it to, you can also issue the following command just after launching wireshark to ensure that wireshark never receives EOF.

cat > sharkfin &
Christopher Maynard
  • Hi Christopher. Of course, Wireshark will always help, even in the case of stdout. But the thing is to forward packets to my program. I found my way to capture packets from stdout, but it seems that it's not enough for my purpose, since SharpPcap is not supposed to parse SIP packets. Do you have any idea how to integrate Wireshark into a C# program? – Viet-Anh Dinh Feb 24 '17 at 01:41
  • @Viet-AnhDinh you could potentially implement the SIP parser for PacketDotNet. I'd be open to contracting to implement the parser. – Chris Morgan Feb 24 '17 at 19:59
  • @ChrisMorgan: I found another way, in which tshark fits all my needs. I might come back with a SIP parser for PacketDotNet after finishing my project. Will contact you at that time. Thanks for the invitation. – Viet-Anh Dinh Feb 28 '17 at 09:37