Android packet capture and analysis

Tools needed:

1. adb

2. tcpdump

3. Wireshark

Steps (the following applies to the emulator only):

1. adb root

2. adb push c:\tcpdump /data/local/tcpdump
3. adb shell

4. # chmod 6755 /data/local/tcpdump /* change the file permissions */

5. Start capturing

# cd /data/local

# ./tcpdump -p -vv -s 0 -w /sdcard/capture.pcap
/****************

"-p": disable promiscuous mode (doesn't work anyway)
"-s 0": capture the entire packet

"-w": write packets to a file (rather than printing to stdout) ...

do whatever you want to capture, then ^C to stop it ...

****************/

6. Export the pcap file; open a new cmd window:
adb pull /sdcard/capture.pcap c:\123.pcap

7. Open c:\123.pcap in Wireshark to analyze it.

Steps (the following applies to a real device):
1. Root the device

2. adb push d:\tcpdump /data/local/tcpdump
If you see:
failed to copy 'd:\tcpdump' to '/data/local/tcpdump': Permission denied
then choose another directory that can be pushed to, such as the sdcard:
adb push d:\tcpdump /mnt/sdcard/tcpdump

3. adb shell
4. $ su
The device shows that the shell has obtained root, and the prompt changes from "$" to "#".

5. shell@android:/ # cd /mnt/sdcard
cd /mnt/sdcard
6. shell@android:/mnt/sdcard # ./tcpdump

If you see:
sh: ./tcpdump: cannot execute - Permission denied
then the permissions need to be changed. Note that chmod cannot be used in this shell mode; instead, following http://blog.csdn.net/lassur/article/details/6563428,
use the mount command:
7. 1|shell@android:/mnt # mount -t yaffs2 -o remount,rw,noatime,nodiratime /mnt/sdcard

8. shell@android:/mnt/sdcard # ./tcpdump -p -vv -s 0 -w /sdcard/capture.pcap
./tcpdump -p -vv -s 0 -w /sdcard/capture.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Got 481

9. Open a new terminal and export the capture: adb pull /mnt/sdcard/capture.pcap d:\
10. Analyze it with Wireshark
NOTE: The push and pull steps above can also be done through Eclipse's DDMS.
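Before opening a pulled capture in Wireshark (step 7 of the emulator procedure, step 10 of the real-device one), it is worth checking that the file tcpdump wrote with -w is intact: an abrupt ^C or an interrupted adb pull can leave the last record cut off. The following is an added example, not code from the original post; it reads the pcap global header, reports the link type and snap length (the "EN10MB" and "65535 bytes" shown in the tcpdump output above), counts the packet records, and flags a truncated file. The sample bytes are constructed inline rather than taken from a real capture.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # file written on a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1  # same magic read with the wrong byte order
LINKTYPE_ETHERNET = 1       # "EN10MB" in tcpdump's banner


def build_sample_pcap():
    """Constructed minimal pcap: global header plus two Ethernet frames."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [b"\x00" * 14 + b"payload-one", b"\xff" * 14 + b"second"]
    out = header
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return a summary of a classic pcap file; 'truncated' is True if the
    final record is cut short (e.g. capture killed mid-write or a partial pull)."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    offset, packets, captured, truncated = 24, 0, 0, False
    while offset < len(data):
        if offset + 16 > len(data):          # partial record header
            truncated = True
            break
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):    # partial packet body
            truncated = True
            break
        packets += 1
        captured += incl_len
        offset += incl_len
    return {"version": "%d.%d" % (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets,
            "captured_bytes": captured, "truncated": truncated}


if __name__ == "__main__":
    print(parse_pcap(build_sample_pcap()))
```

To check a real pull, read the file in binary mode and pass its bytes to parse_pcap; a snaplen of 65535 confirms the "-s 0" option took effect.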
