1/6/2024
Wireshark for android

The starting point for my experiments was pulling connection details from my network monitoring system to get some insight into the traffic:

I have a list of IP addresses of servers located in China, together with the number of connections made to each of them and the amount of data transferred.

All traffic took place over plain HTTP, which is not encrypted. Even the connection which addressed port TCP 443.

The traffic was initiated by two different Android phones in our household. (I also generated some traffic to China from another host during troubleshooting, therefore I excluded that host from the report.)

At this point I was only aware of the connections but had no visibility into their actual content. The biggest pain point is that, for performance and capacity reasons, my setup did not collect the network packets themselves, only metadata about them.

Creating packet captures from network traffic

Packet captures should take place on the router device. I was expecting that if something phones home to China, it will try again. Therefore I ran a tcpdump command to save any future traffic matching any IP address from the list.

For your reference, I used this command to capture packets (only the first and the last line of the host filter are preserved here):

    tcpdump -peni any -s 0 -w /path/to/storage/capture.pcap tcp \
        or host 42.120.158.121 or host 106.11.186.5 or host 106.11.248.98)

After more than a week I had enough traffic captured to analyze it with Wireshark. I noticed, though, that not all IP addresses from the list had packets in the pcap. If you are interested: I mounted a remote server's storage via sshfs on OpenWRT to work around the small storage of the router.

Analyzing packet captures with Wireshark

As it turned out, all connections were plain HTTP. As a first step I made Wireshark save all HTTP objects from the capture file. Simply following "File → Export Objects → HTTP…" already reveals a lot of detail. HTTP requests and responses contain many things, like the URI of the request and the server name. The parameters of GET and PUT requests can also reveal what is actually being sent, while the User-Agent can give hints about the application which initiated the connection.

Let's see what information we can get from the HTTP headers and responses. It looks like whoever is phoning home to China is probably addressing QQ or Xiaomi servers.

The first phone is a Samsung Galaxy with the private IP address 172.18.0.102. This device constantly made requests to the destination 203.205.151.21. Here are the HTTP request and response headers.

The domain qq.com belongs to Tencent QQ, a Chinese instant messaging vendor. The GET request URI sends OS version information and the phone's brand and model to the requested site. The string qqconnectopen, I think, actually refers to Tencent's Open Platform. By the way, from the User-Agent they can also decode the brand and model of the phone, as well as the major version of Android it runs.

Wireshark decoded the gzipped response as well. I only pretty-printed it for better readability. Among the settings it contains:

    "Common_DownloadReportTimeinterval" : 36000,
    "Common_yyb_wifi_download_Switch" : true,
    "Common_SocketConnectionTimeout" : 30000,

I do not have anything like that installed. The Common_myapp_download_url points to an APK you can actually download. The APK names itself QQDownloader, which is the Chinese counterpart of Google Play. If you want to see more details about the APK, have a look at the analysis done by VirusTotal. The most interesting parts are the Android permissions it requires.

Recently, because this phone had issues, I decided to factory reset and root it. Since then there have been no new connections trying to phone home to China. Unfortunately I am unable to further audit this kind of traffic.

The second phone is also a Samsung Galaxy, with the private IP address 172.18.0.220. This device constantly makes HTTP(S) requests to the following destinations:
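The capture step above leaves two things to check before opening Wireshark: that the tcpdump filter really covers the whole watch list, and which watched hosts actually produced packets, since the post notes that not every address from the list showed up in the pcap. The script below is an added example, not the post's own tooling. It builds the filter from a list of addresses or CIDR ranges and then walks a classic pcap file (the format tcpdump -w writes by default) counting packets per watched host. One caveat worth knowing when parsing such a file by hand: tcpdump -i any does not record Ethernet frames but Linux "cooked capture" frames (link type 113, or 276 on libpcap 1.10 and later), which Wireshark handles transparently. The sample capture, the 172.18.0.102 endpoint and the GET payloads are constructed in the script; the four watched addresses are the ones named in the post.

```python
"""Inventory a tcpdump capture against a watch list (added example, not the post's own script)."""
import ipaddress
import struct
from collections import Counter

# Link-layer header sizes by pcap link type. "-i any" gives Linux cooked capture
# frames (SLL on older libpcap, SLL2 on libpcap >= 1.10), not Ethernet.
LINK_HEADER_LEN = {1: 14, 113: 16, 276: 20}  # Ethernet, LINUX_SLL, LINUX_SLL2


def build_bpf_filter(entries):
    """Turn a watch list of addresses or CIDR ranges into the tcpdump filter
    'tcp and (host A or net B/16 ...)'. A malformed entry raises ValueError
    instead of silently producing a filter that captures nothing."""
    terms = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        terms.append(f"host {net.network_address}" if net.num_addresses == 1
                     else f"net {net.with_prefixlen}")
    return "tcp and (" + " or ".join(terms) + ")"


def iter_ipv4_packets(pcap):
    """Yield the IPv4 header+payload of every packet in a classic pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian writer (usual case)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian writer
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    skip = LINK_HEADER_LEN[linktype]
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        ip = frame[skip:]
        if len(ip) >= 20 and ip[0] >> 4 == 4:  # skip ARP, IPv6 and truncated frames
            yield ip


def tcp_endpoints(ip):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if ip[9] != 6:  # IP protocol field, 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]


def packets_per_watched_host(pcap, watchlist):
    """Count packets to or from each watched address. Hosts with zero packets
    stay in the result, which makes gaps in the capture visible at a glance."""
    counts = Counter({addr: 0 for addr in watchlist})
    for ip in iter_ipv4_packets(pcap):
        hit = tcp_endpoints(ip)
        if hit is None:
            continue
        for addr in hit[:2]:
            if addr in counts:
                counts[addr] += 1
    return dict(counts)


# --- constructed sample capture, not real traffic ----------------------------
def sll_frame(src, dst, sport, dport, payload=b""):
    """Wrap an IPv4/TCP segment in a Linux cooked (SLL) frame, the way
    'tcpdump -i any' records it. Checksums are left zero; nothing here checks them."""
    sll = struct.pack("!HHH8sH", 0, 1, 6, b"\0" * 8, 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return sll + ip + tcp


def make_pcap(frames, linktype=113):
    """Assemble a classic little-endian pcap in memory with the given link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


WATCHLIST = ["203.205.151.21", "42.120.158.121", "106.11.186.5", "106.11.248.98"]  # from the post
SAMPLE_PCAP = make_pcap([  # constructed: one request/response pair plus plain HTTP to port 443
    sll_frame("172.18.0.102", "203.205.151.21", 40001, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    sll_frame("203.205.151.21", "172.18.0.102", 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    sll_frame("172.18.0.102", "203.205.151.21", 40002, 443, b"GET / HTTP/1.1\r\n\r\n"),
])

if __name__ == "__main__":
    print(build_bpf_filter(WATCHLIST))
    print(packets_per_watched_host(SAMPLE_PCAP, WATCHLIST))
```

Run against a real capture with `packets_per_watched_host(open("capture.pcap", "rb").read(), WATCHLIST)`; a zero count for a watched host means either the device never retried that server during the capture window or the filter did not match, and the generated filter string can be pasted straight into the tcpdump command to rule out the second case.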
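The analysis section above reads the leaked data off the HTTP exchange by hand in Wireshark: the Host and request URI, the query parameters carrying OS version and phone model, the User-Agent, and the gzipped JSON configuration. The script below is an added example that does the same extraction programmatically on a raw request and response, so the check can be repeated on every exported HTTP object rather than one at a time. It is not the post's code. The sample request and response are constructed: the host names, the SM-G991B model string, the build ID and the download URL are invented, and only the three Common_* setting names and the existence of a Common_myapp_download_url come from the post. The User-Agent regex assumes the stock Dalvik format "Dalvik/2.1.0 (Linux; U; Android 13; MODEL Build/ID)".

```python
"""Extract what a plain-HTTP phone-home exchange reveals (added example, not the post's own code)."""
import gzip
import json
import re
from urllib.parse import parse_qs, urlsplit

# Stock Android (Dalvik) User-Agent: "Dalvik/2.1.0 (Linux; U; Android 13; SM-G991B Build/TP1A...)".
DALVIK_UA = re.compile(r"Android (?P<version>[\d.]+); (?P<model>[^;)]+?) Build/")


def parse_http_message(raw: bytes):
    """Split one HTTP/1.x message into (start line, headers, body).
    Header names are lower-cased so lookups do not depend on the sender's casing."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def summarize_request(raw: bytes) -> dict:
    """Return the identifying data a request carries in the clear: the Host it
    targets, the path, every query parameter, and what the User-Agent gives away
    about the device (Android version and model)."""
    start_line, headers, _ = parse_http_message(raw)
    method, target, _ = start_line.split(" ", 2)
    url = urlsplit(target)
    params = {k: v[0] if len(v) == 1 else v for k, v in parse_qs(url.query).items()}
    ua = headers.get("user-agent", "")
    m = DALVIK_UA.search(ua)
    return {
        "method": method,
        "host": headers.get("host"),
        "path": url.path,
        "params": params,
        "user_agent": ua,
        "android_version": m.group("version") if m else None,
        "device_model": m.group("model") if m else None,
    }


def load_json_response(raw: bytes) -> dict:
    """Parse a JSON response body, un-gzipping it first when Content-Encoding says
    so. Wireshark does this decoding for you in the GUI; here it is explicit."""
    _, headers, body = parse_http_message(raw)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return json.loads(body.decode("utf-8"))


def cleartext_download_urls(config: dict) -> dict:
    """Return every string setting that is an http:// URL. A URL delivered over
    plain HTTP and pointing at plain HTTP can be rewritten by anyone on the path,
    so an APK fetched from such a setting is the first thing to pull and inspect."""
    return {k: v for k, v in config.items() if isinstance(v, str) and v.startswith("http://")}


# --- constructed sample exchange (invented host names, model and URL) ---------
SAMPLE_REQUEST = (
    b"GET /get_config?os=android&osver=13&brand=samsung&model=SM-G991B HTTP/1.1\r\n"
    + b"Host: config.example.test\r\n"
    + b"User-Agent: Dalvik/2.1.0 (Linux; U; Android 13; SM-G991B Build/TP1A.220624.014)\r\n"
    + b"Accept-Encoding: gzip\r\n"
    + b"\r\n"
)
_CONFIG = {  # setting names as seen in the post; values here are made up
    "Common_SocketConnectionTimeout": 30000,
    "Common_yyb_wifi_download_Switch": True,
    "Common_DownloadReportTimeinterval": 36000,
    "Common_myapp_download_url": "http://downloads.example.test/store.apk",
}
_BODY = gzip.compress(json.dumps(_CONFIG).encode("utf-8"))
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: application/json\r\n"
    + b"Content-Encoding: gzip\r\n"
    + b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    + b"\r\n"
    + _BODY
)

if __name__ == "__main__":
    print(json.dumps(summarize_request(SAMPLE_REQUEST), indent=2))
    config = load_json_response(SAMPLE_RESPONSE)
    print(json.dumps(config, indent=2))  # the "pretty print" step from the post
    print("download URLs over plain HTTP:", cleartext_download_urls(config))
```

To apply it to a capture, feed the request and response files saved by "File → Export Objects → HTTP…" to summarize_request() and load_json_response(); a parameter list that names the OS version, brand and model, or a config that hands out an http:// APK URL, is exactly the kind of finding the post describes.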