Trying to understand packets captured with tcpdump


So I have intercepted a packet being sent from my Android device to an app's server. I want to understand what my phone is sending to the server.

I have rooted the phone and installed tcpdump on it. I have used adb shell to run:

tcpdump -n -i wlan0 -w OUTPUT_FILE src host IP_ADDRESS and greater 200

I have gotten the packet onto my PC and run it through Wireshark.

Packet analysis

I have been told that the long list of "........" prevalent in the ascii section is because there is no ascii representation of the specific HEX.

Is that true?

I have been able to determine the packet is not encrypted, because I can see clear text strings in the ascii that I type in the app.

I am guessing the data is either binary OR base64-encoded JSON, converted to hex and sent to the server. Is there any step I can take to further understand the structure of the data sent from my device to the remote server?

Any other tips, or random insights would be super helpful.


There is 1 answer

kaitoy

Is that true?

Yes.

Is there any step I can take to further understand the structure of the data sent from my device to the remote server?

The captured packet includes an Ethernet II header, an IPv4 header and a UDP header, as follows:

Ethernet II: from 20:e5:2a:4f:b9:4f (NETGEAR) to 44:80:eb:ea:ef:9b (Motorola)
IPv4: from 169.55.244.58 to 192.168.1.12, not fragmented
UDP: from port 14242 to port 48818, payload length=1406 bytes

The right chunk of the 3rd line (i.e. bb 19 43 4f 02 c8 2b a3) is the start of the application data. To analyze the application data, you need to know what protocol the application used to send the packet and to learn the protocol.
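As an added example (not code from the question or the answer above), here is a small Python decoder that does by hand what Wireshark's summary pane shows: it walks the Ethernet II, IPv4 and UDP headers, verifies the IPv4 header checksum, reports whether the datagram is a fragment, and returns the offset at which the application data begins. It also reproduces the hex/ASCII dump (a "." for every byte outside printable ASCII, which is what the rows of dots in the question are) and runs two cheap heuristics on the payload for the "binary or base64 JSON" question. The test frame is constructed, not a real capture: it reuses the MAC addresses, IP addresses and ports quoted in the answer, the eight application bytes it names, and zero filler up to the stated 1406-byte payload. The payload offset of 42 assumes a 20-byte IPv4 header and no VLAN tag; a real capture would need the checksums filled in by the sender, which the constructed frame computes itself.

```python
import base64
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


@dataclass
class DecodedUdp:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    fragmented: bool
    src_port: int
    dst_port: int
    payload_offset: int  # offset into the frame where application data starts
    payload: bytes


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame: bytes) -> DecodedUdp:
    # Ethernet II: dst MAC (6), src MAC (6), EtherType (2). No 802.1Q tag assumed.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    # The checksum over the header with its checksum field zeroed must
    # reproduce the stored value; otherwise the header was corrupted.
    if ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) != csum:
        raise ValueError("bad IPv4 header checksum")
    # MF flag (0x2000) set or a non-zero fragment offset means a fragment,
    # i.e. this frame alone does not carry the whole datagram.
    fragmented = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0
    if proto != IPPROTO_UDP:
        raise ValueError(f"not UDP: IP protocol {proto}")
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, _udp_csum = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len > len(udp):
        raise ValueError("bad UDP length")
    return DecodedUdp(
        src_mac=":".join(f"{b:02x}" for b in src_mac),
        dst_mac=":".join(f"{b:02x}" for b in dst_mac),
        src_ip=".".join(str(b) for b in src_ip),
        dst_ip=".".join(str(b) for b in dst_ip),
        fragmented=fragmented, src_port=src_port, dst_port=dst_port,
        payload_offset=14 + ihl + 8, payload=udp[8:udp_len])


def hexdump_lines(data: bytes, width: int = 16) -> list:
    """Wireshark-style dump: bytes outside 0x20..0x7e print as '.'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def classify_payload(payload: bytes) -> dict:
    """Heuristics only: share of printable ASCII, and whether the whole
    payload decodes as strict base64 (short all-alphabet data gives false positives)."""
    printable = sum(1 for b in payload if 32 <= b < 127)
    looks_b64 = False
    if len(payload) >= 4 and len(payload) % 4 == 0:
        try:
            base64.b64decode(payload.decode("ascii"), validate=True)
            looks_b64 = True
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            looks_b64 = False
    return {"printable_ratio": printable / len(payload) if payload else 0.0,
            "looks_base64": looks_b64}


def build_sample_frame() -> bytes:
    """Constructed frame (not a real capture): header values from the answer,
    the 8 application bytes it names, then zero filler to a 1406-byte payload."""
    payload = bytes.fromhex("bb19434f02c82ba3") + b"\x00" * (1406 - 8)
    udp = struct.pack("!HHHH", 14242, 48818, 8 + len(payload), 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234,
                               0x4000, 64, IPPROTO_UDP, 0,  # DF set, checksum 0
                               bytes([169, 55, 244, 58]), bytes([192, 168, 1, 12])))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    eth = bytes.fromhex("4480ebeaef9b") + bytes.fromhex("20e52a4fb94f") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + udp


if __name__ == "__main__":
    frame = build_sample_frame()
    d = decode_frame(frame)
    print(d.src_ip, d.src_port, "->", d.dst_ip, d.dst_port,
          "payload at offset", d.payload_offset, classify_payload(d.payload))
    print("\n".join(hexdump_lines(frame)[:4]))
```

To use this on the real capture, read the frame bytes out of the pcap (for example with a pcap library, or by copying the raw bytes from Wireshark's bytes pane) and pass them to decode_frame; everything from payload_offset onward is the application protocol, which the checksum and length checks above cannot tell you anything about. A low printable ratio with looks_base64 false, as the constructed frame gives, points at a binary protocol rather than base64 JSON.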