Receiving captured packets in Wireshark from PCAP Remote running on Android emulator

Accessing the PCAP Remote SSH server running on Android emulator is a bit tricky since the emulator network is not directly accessible from the host machine. To make Wireshark be able to connect to PCAP Remote we need to enable port forwarding.

To do that, go to the platform-tools directory in your Android SDK directory. Then, run the bellow cmd:

adb forward tcp:15432 tcp:15432

Now, you can connect to the SSH server if you specify the connection details in Wireshark as follows:

host: 127.0.0.1
port: 15432

PCAP Remote

Today I’m releasing an initial version of my Android app called PCAP Remote. The app is a non-root network sniffer that allows you to debug and analyze traffic in Wireshark on the fly using the app’s built-in SSH server, which is useful and often a must when developing Android software solutions that use complex/custom network protocols.

Although the app is primarily designed to be used in conjunction with Wireshark, other similar tools can also be used as packets are captured in the commonly used pcapng format.

Let me know if you have any ideas/issues.
email: egorovandreyrm@gmail.com

Download from Play
Tutorial

PcapNg Decryption Secrets block

PcapNg is a new file format to store captured packets. Decryption Secrets block is one of the most interesting features of it.

Decryption Secrets block allows Wireshark and other similar tools to decrypt TLS traffic. Specifying Key log file or RSA keys is not needed in this case. The block is effectively is a key log file embedded in a pcapng file. Details can be read in the pcapng format document: https://github.com/pcapng/pcapng

To support the feature in my android application, I developed a simple lib for writing pcapng blocks, that has only 4 functions. The lib can be found here: https://github.com/egorovandreyrm/pcapng_dsb
An example of using the lib is included in the repository.

The API of the lib looks the following way:

size_t write_section_header_block(uint8_t *out_buffer, size_t out_buffer_len);

size_t write_network_interfaces_description_block(
    uint32_t snapshot_max_len, uint8_t *out_buffer, size_t out_buffer_len);

size_t write_enhanced_packet_block(
    const uint8_t *packet,
    const size_t packet_len,
    uint8_t *out_buffer,
    size_t out_buffer_len);

size_t write_decryption_secrets_block(
   const uint8_t *tls_key_log,
   const size_t tls_key_log_len,
   uint8_t *out_buffer,
   size_t out_buffer_len);

if out_buffer is NULL, the functions do nothing but return the size that out_buffer is required to have.

Decryption secrets block has to be written prior to any packet blocks that require the secrets.

A typical usage would be:

write_section_header_block(); // every pcap file needs this block 
write_network_interfaces_description_block() // every pcap file needs this block 

write_enhanced_packet_block() // syn
write_enhanced_packet_block() // syn ask
write_enhanced_packet_block() // ask
write_enhanced_packet_block() // client hello
write_enhanced_packet_block() // ask
write_enhanced_packet_block() // server hello
write_enhanced_packet_block() // ask

write_decryption_secrets_block() // tls key log file

// any packets that are written after Decryption Secrets block can be decrypted
write_enhanced_packet_block()
write_enhanced_packet_block()

Compiling libssh for Android

As libssh does not provide official android support, compiling it for Android is a bit tricky. In this post, I’m providing my solution. Boringssl is used as the ssl lib.

The building script is developed for Linux but could be easily adapted for Windows, I think.

libssh android build scripts along with all the other stuff can be found here.
Compiled libssh and boringssl libs git repository can be found here.

The solution is based on a project called multipass (https://github.com/CanonicalLtd/multipass/tree/master/3rd-party/libssh) and some posts from https://www.libssh.org/archive/libssh/2015-11/0000011.html

The multipass project uses its own libssh, which is pretty much the same thing.

Using the libs in a cmake project looks like:

 target_link_libraries(pcapremote  
     ${log-lib}  
     ${PROJECT_SOURCE_DIR}/ext_libs/${ANDROID_ABI}/libssh.a  
     ${PROJECT_SOURCE_DIR}/ext_libs/${ANDROID_ABI}/libssl.a  
     ${PROJECT_SOURCE_DIR}/ext_libs/${ANDROID_ABI}/libcrypto.a  
     ${PROJECT_SOURCE_DIR}/ext_libs/${ANDROID_ABI}/libdecrepit.a  
     ${PROJECT_SOURCE_DIR}/ext_libs/${ANDROID_ABI}/libssh-boringssl-compat.a  
     ${z-lib})

Make sure you link libssh-boringssl-compat.a lib to your project.