
Mobile Packet Capture Techniques and Architecture for Android Devices

This article explains various methods for capturing network packets on Android phones—including internal tcpdump, Fiddler via Wi‑Fi hotspot, and VPNService‑based APKs—describes their drawbacks, and presents a scalable architecture that copies Wi‑Fi traffic to a server for analysis using Go's gopacket library.

360 Quality & Efficiency

Background
Capturing network packets on a computer is commonly done with Wireshark or tcpdump. This article focuses on packet capture from mobile devices, which is essential for mobile reverse engineering and for testing apps during development on Android.

Method I – Starting tcpdump on the phone
a. Download the Android build of tcpdump and copy it to the device.
b. Connect the phone to a PC and use adb to start the tcpdump process, saving the capture file on the phone.
c. Pull the file to the PC for analysis.
Drawbacks: Requires root access, and the tcpdump process itself consumes phone resources, which affects performance and introduces measurement errors.

Method II – Using Fiddler
a. Set up a local Wi‑Fi hotspot and connect the phone to it.
b. Configure Fiddler to capture the traffic passing through that hotspot.
Drawbacks: A hotspot supports only a limited number of devices, so this does not scale to a large real‑device platform.

Method III – VPNService‑based capture APK
a. Implement an Android VPN service: an Activity that provides the UI plus a service extending VpnService, which receives the device's traffic.
Drawbacks: Only one VPN can be active on the device at a time, and the APK consumes significant system resources.

Core Technology and Architecture
Each test phone connects to a dedicated Wi‑Fi network. That Wi‑Fi is linked to a switch, where a service copies the traffic to a specific NIC on server A. Monitoring that NIC yields all captured packets, which can be parsed with standard tools. A simple temporary Wi‑Fi network can also be used for ad‑hoc captures.

Implementation Steps
a. Connect the test phone to the designated Wi‑Fi.
b. On the switch, run a process that copies traffic from the Wi‑Fi to a NIC on the capture server.
c. Listen on that NIC and dump packets locally for analysis with Wireshark or similar tools.
The solution uses the Go library gopacket, which is built on libpcap.

Advantages
- No modifications on the phone and minimal performance impact.
- Captured packets are directly analyzable and storable.
- Simple, easy to operate, and extensible.
Limitation: Phones not connected to the cloud platform cannot be captured.

Technical Effect
The web front‑end can start capture requests, display real‑time traffic, and allow downloading of pcap files.

Usage URL: http://opentest.360.cn/phonerenter.html

Design Program Flowchart – Purpose
The capture service stores real‑time packets into a database, splitting each packet into two records: targetPacket (the raw bytes used to build pcap files) and showInfo (the display fields: source/destination IP, ports, length, and data). The main process launches three goroutines:
(1) receive broadcast messages for capture actions;
(2) prune excess packets per phone IP;
(3) invoke the pcap interface to capture and store packets.
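To make the targetPacket/showInfo split concrete, here is an added example (not the article's or the platform's code) that derives the showInfo display fields from one raw frame as it would arrive from the mirrored NIC. It uses only the Go standard library instead of gopacket so it runs offline, assumes an Ethernet link type on the NIC, and the names ShowInfo, ParseFrame and SampleFrame, together with the sample frame, are constructed for this illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// ShowInfo holds the display fields the article's service stores; the raw frame is the targetPacket.
type ShowInfo struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
	Length           int
	Data             []byte
}

// ParseFrame derives ShowInfo from an Ethernet/IPv4 frame carrying TCP or UDP; bad input returns an error.
func ParseFrame(frame []byte) (ShowInfo, error) {
	if len(frame) < 34 || binary.BigEndian.Uint16(frame[12:14]) != 0x0800 {
		return ShowInfo{}, fmt.Errorf("not an IPv4 frame")
	}
	ip := frame[14:]
	ihl, total := int(ip[0]&0x0f)*4, int(binary.BigEndian.Uint16(ip[2:4]))
	if ihl < 20 || total < ihl+8 || total > len(ip) {
		return ShowInfo{}, fmt.Errorf("truncated IPv4 packet")
	}
	l4, hdr := ip[ihl:total], 0
	switch {
	case ip[9] == 6 && len(l4) >= 20: // TCP: data offset is the upper nibble of byte 12
		hdr = int(l4[12]>>4) * 4
	case ip[9] == 17: // UDP: fixed 8-byte header
		hdr = 8
	}
	if hdr < 8 || hdr > len(l4) {
		return ShowInfo{}, fmt.Errorf("unsupported or truncated transport header (proto %d)", ip[9])
	}
	return ShowInfo{SrcIP: net.IP(ip[12:16]).String(), DstIP: net.IP(ip[16:20]).String(),
		SrcPort: binary.BigEndian.Uint16(l4[0:2]), DstPort: binary.BigEndian.Uint16(l4[2:4]),
		Length: len(frame), Data: l4[hdr:]}, nil
}

// SampleFrame is a constructed Ethernet/IPv4/UDP frame: 192.168.1.10:40000 -> 10.0.0.5:53, payload "hello".
func SampleFrame() []byte {
	udp := append([]byte{0x9c, 0x40, 0x00, 0x35, 0x00, 0x0d, 0x00, 0x00}, "hello"...)
	ip := []byte{0x45, 0, 0, 33, 0, 0, 0, 0, 64, 17, 0, 0, 192, 168, 1, 10, 10, 0, 0, 5}
	return append(append(make([]byte, 12), 0x08, 0x00), append(ip, udp...)...)
}

func main() { fmt.Println(ParseFrame(SampleFrame())) }
```

In the real pipeline the frame bytes would come from the gopacket capture goroutine, and the same raw slice would be written unchanged as targetPacket; non-IP frames on the mirrored NIC (ARP, IPv6) are rejected rather than crashing the goroutine.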

Tags: Android, packet capture, VPNService, tcpdump, Fiddler, gopacket
Written by 360 Quality & Efficiency

360 Quality & Efficiency focuses on seamlessly integrating quality and efficiency in R&D, sharing 360’s internal best practices with industry peers to foster collaboration among Chinese enterprises and drive greater efficiency value.
