Back in 2014 I had a post on how to cross-compile tcpdump for Android to record all network traffic from cellular and Wi-Fi into files for later analysis in Wireshark. I’ve known for a while that it’s also possible to use adb and tcpdump to pipe all network traffic from the smartphone over USB to Wireshark running on a PC for real-time tracing. I didn’t really follow up on this since then because mostly dumping data into a file on the device and later transferring it to the PC was good enough for me. Recently, however, a more real-time approach was required and I was actually quite surprised how easy it is to set this up once tcpdump is on the device.
Actually it’s a single command on Linux, very similar to using ssh to pipe back tcpdump data from a remote Linux box (note: the final ‘-’ character is important, it makes Wireshark read the capture from standard input!):
adb exec-out "tcpdump -i any -U -w - 2>/dev/null" | wireshark -k -S -i -
Obviously adb has to be installed on the PC for this to work, in addition to Wireshark. But other than that there’s nothing else, it just worked out of the box for my CyanogenMod-based S5 and a few other devices and Android versions I tried.
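As an added example that is not part of the original post, the following POSIX shell script wraps the one-liner above with a few pre-flight checks, an optional BPF capture filter and a tee into a pcap file, so the capture is kept on disk for later while Wireshark shows it live. It assumes adb and wireshark are on the PC's PATH and that the tcpdump binary on the device is reachable under the name in DEVICE_TCPDUMP (a placeholder; the path on your device may differ).

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the adb/tcpdump/Wireshark
# one-liner with pre-flight checks, an optional BPF filter and a tee into a pcap file.
# Assumption: the tcpdump binary on the phone is reachable as $DEVICE_TCPDUMP.
DEVICE_TCPDUMP="${DEVICE_TCPDUMP:-tcpdump}"

# Build the tcpdump command that runs on the phone.
# $1 = interface (e.g. any, wlan0), $2 = optional BPF filter such as "port 53".
# -U flushes every packet to the pipe at once (needed for live viewing), -w - writes
# pcap to stdout, and stderr is discarded so only pcap bytes travel over adb.
build_device_cmd() {
  cmd="$DEVICE_TCPDUMP -i $1 -U -w -"
  if [ -n "$2" ]; then cmd="$cmd $2"; fi
  printf '%s 2>/dev/null' "$cmd"
}

# Count devices in state "device" in the output of `adb devices` ($1), which is
# passed in as text so the parsing can be checked without a phone attached.
count_ready_devices() {
  printf '%s\n' "$1" | awk 'NR > 1 && $2 == "device" { n++ } END { print n + 0 }'
}

# Live capture: phone -> adb exec-out -> tee (pcap file) -> Wireshark.
# $1 = interface, $2 = pcap file to keep, $3 = optional BPF filter.
live_capture() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found on PATH" >&2; return 1; }
  command -v wireshark >/dev/null 2>&1 || { echo "wireshark not found on PATH" >&2; return 1; }
  ready=$(count_ready_devices "$(adb devices)")
  [ "$ready" -eq 1 ] || { echo "expected exactly 1 ready device, found $ready" >&2; return 1; }
  # Heuristic check that the binary exists on the device: tcpdump prints its version
  # banner (to stdout or stderr depending on the version), so merge both streams.
  adb shell "$DEVICE_TCPDUMP --version 2>&1" | grep -qi 'version' \
    || { echo "$DEVICE_TCPDUMP not found on device" >&2; return 1; }
  # exec-out passes the binary stream through unchanged (plain `adb shell` may
  # mangle it); Wireshark: -k start at once, -S update the list live, -i - read stdin.
  adb exec-out "$(build_device_cmd "$1" "$3")" | tee "$2" | wireshark -k -S -i -
}

# Run the capture only when asked to, so the file can also be sourced for its functions.
if [ "${LIVE_CAPTURE_RUN:-0}" = 1 ]; then
  live_capture "${1:-any}" "${2:-android-live.pcap}" "$3"
fi
```

Run it as `LIVE_CAPTURE_RUN=1 sh live_capture.sh any phone.pcap "port 53"`; the pcap file can then be opened later exactly like the file-based approach from the 2014 post.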