In a previous post I described how to use a Raspberry Pi as Wi-Fi access point and how to trace the data traffic of my smartphone in real time using tcpdump and netcat. The next logical step is of course to directly trace the network traffic on the smartphone. This has the big advantage that it's not only possible to trace the Wi-Fi traffic but also traffic that goes over the cellular interface. I've laid the foundations for this a couple of weeks ago by installing CyanogenMod on my Samsung Galaxy S4. Unfortunately, though, CyanogenMod does not include tcpdump in its standard image.
There are some sources on the net that provide pre-compiled tcpdump executables for Android but since these are not well known I had a hard time trusting them. Not that I think they are not trustworthy but I just don't know them at all. So I had to find a way to get a trusted executable. At first I thought that I could perhaps use a tcpdump executable from one of my Raspberry Pis as they also run on an ARM processor. That would have probably worked if the Raspberry Pi used static linking for it's executables, i.e. bundling all libraries required into the file which is required for Android. Raspian, like most other Linux distributions, I imagine, however, uses dynamic linking with the libraries in separate directories. O.k. so that was not an option.
After doing some more research I came across a 3 piece post over on the Symantec blog (see here, here and here) that explains in detail how to cross compile tcpdump for Android from the original sources on a Debian system. Fortunately I had something close to this, an Ubuntu 12.04 in a virtual machine on which I can easily try things without backing anything by creating a VM snapshot to which I could restore later-on to undo all changes. It turned out that cross-compiling the sources is not very difficult at all as only the original source and the gnu cross compiler. As I was using Ubuntu I had to install additional packages which is not described in the Symantec posts but the error messages are quite straight forward. Also, I had to set 'LDFLAGS=-static' in the tcpdump 'Makefile' as mentioned in the comments to the third part of Symantec's description.
And here's the command to trace the cellular interface once tcpdump is up and running on your Android phone and to save the traffic into a file on the SD card:
tcpdump -n -i rmnet_usb0 -s 65535 -w /storage/sdcard1/trace.pcap
Happy tracing on Android!