
How to capture network packets

Last Updated: Jul 15, 2021

Disclaimer: This topic may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products and potential impacts of operations on the products.

Introduction

Mobile applications depend on the network, and network problems show up as confusing application behavior and symptoms. Capturing network packet data lets you analyze symptoms caused by network problems, such as connection interruption, TLS handshake failure, DNS resolution failure, and other errors.

  • Unlike Charles or Fiddler, which capture traffic through an intermediate proxy, TCP packet capture is non-intrusive: the network interface controller (NIC) is monitored and copies of the TCP packets passing through it are recorded.
  • Packets can generally be captured at several points, such as the client (A), an intermediate device (B), or the server (C), as shown in the following figure.
    (Figure: packet capture points A, B, and C)

Tools for capturing TCP logs

Charles and Fiddler help you capture and analyze problems at the HTTP layer. To analyze problems at the TCP/IP layer, you need a tool that captures and analyzes TCP packets. Wireshark (Mac and Windows), Network Monitor (Windows), and tcpdump are common tools for capturing packets at the network layer. Common network-layer problems include SSL handshake failure, TCP connection interruption, and retransmission.

Common packet capturing tools

This topic describes how to use Wireshark and tcpdump.

Wireshark

Download and install the tool

Download the installation package from the [Wireshark official website](https://www.wireshark.org/). After installation, start Wireshark; the main interface is shown below. The Mac and Windows versions of the interface differ slightly.

(Figure: Wireshark main interface)

Start packet capture

On the main interface of Wireshark, you can see the network interfaces of the local host:

(Figure: network interface list)

Using the local host as an example, double-click the Wi-Fi: en0 interface to start capturing the packets that pass through that network interface.

(Figure: capture started)

Stop packet capture
  • To stop capturing packets, click the red Stop button on the toolbar or press Cmd+E.
  • To save the capture for offline analysis, click the Save button or press Cmd+S.
    (Figure: Stop button)

Tcpdump

Tcpdump is a compact command-line packet capture tool. It is slightly less convenient to use than Wireshark, but it runs on more platforms and environments, which makes it convenient for capturing packets directly on the client or the server.

Basic usage

Tcpdump supports different parameters in different environments. We recommend that you check the parameters and usage that your version supports by running man tcpdump.

Common commands are as follows:

```shell
# Capture complete packets (-s 0 disables truncation) and write them to a file
tcpdump -s 0 -w myCapture.pcap
```

Click here to see more commands.
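What `-s 0` buys you, as an added example that is not part of the original topic: the following Python script builds a small pcap file in memory (constructed addresses and packets, no real capture), writes it once with a full snapshot length and once with a short one, and then walks the records the way an analysis tool would, flagging packets that the snapshot length truncated and TCP resets, one of the connection-interruption symptoms mentioned in the introduction.

```python
import struct

TCP_SYN, TCP_RST = 0x02, 0x04
PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps

def tcp_frame(flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame 10.0.0.2:40000 -> 203.0.113.5:443 (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([203, 0, 113, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(snaplen, frames):
    """Serialize frames as a pcap stream, cutting each record to snaplen
    exactly as tcpdump -s <n> does (tcpdump -s 0 means 'keep whole packets')."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)]  # link type 1 = Ethernet
    for frame in frames:
        data = frame[:snaplen]
        # record header: ts_sec, ts_usec, captured length, original length on the wire
        out.append(struct.pack("<IIII", 0, 0, len(data), len(frame)) + data)
    return b"".join(out)

def analyze(pcap):
    """Walk every record; count truncated packets and TCP RST segments (connection resets)."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    stats = {"packets": 0, "truncated": 0, "rst": 0}
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack("<IIII", pcap[pos:pos + 16])
        data = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        stats["packets"] += 1
        if incl_len < orig_len:  # snaplen cut this packet short: its payload is unusable
            stats["truncated"] += 1
        if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 6:  # only IPv4/TCP
            continue
        tcp_off = 14 + (data[14] & 0x0F) * 4
        if tcp_off + 14 <= len(data) and data[tcp_off + 13] & TCP_RST:
            stats["rst"] += 1
    return stats

# Constructed sample: SYN, a PSH/ACK segment carrying a TLS record header plus 120 bytes, then a RST.
SAMPLE = [tcp_frame(TCP_SYN), tcp_frame(0x18, b"\x16\x03\x01" + b"\x00" * 120), tcp_frame(TCP_RST)]

if __name__ == "__main__":
    print("full capture:", analyze(build_pcap(262144, SAMPLE)))  # what -s 0 produces
    print("snaplen 60:  ", analyze(build_pcap(60, SAMPLE)))      # data segment is truncated
```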

Packet capture for mobile devices

As shown in the figure at the top of the topic, TCP packets for the client can be captured at:

  • the client exit
  • the network access point

This section describes how to capture packets at Point A, the client exit.

iOS platform

To capture packets at the iOS client exit, connect the iOS device to a MacBook over USB and create a virtual network interface on the MacBook that mirrors the device's traffic. Wireshark then captures the packets passing through the iOS device from this virtual interface.

  1. Get the UDID of the iPhone.
    Connect the iOS device to the MacBook over USB, then run the following command in the terminal. The UDID of the iOS device is shown as the Serial Number:

    ```shell
    $ system_profiler SPUSBDataType
    ```

    ![Serial Number](http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/pic/159169/AntCloud_zh/1585042893656/Serial%20Number.png)
    Alternatively, open **Xcode** > **Window** > **Devices and Simulators** and read the UDID from the Identifier field.
    ![Identifier](http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/pic/159169/AntCloud_zh/1585042963863/Identifiler.png)
  2. Create the virtual network interface mapping.

    ```shell
    $ rvictl -s <Your Device UDID>
    Starting device <Your Device UDID> [SUCCEEDED] with interface rvi0
    ```

    ![mapping](http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/pic/159169/AntCloud_zh/1585043002193/mapping.png)

    where rvi0 is the name of the virtual network interface.

  3. Start packet capture. Take Wireshark as an example.
    When you open Wireshark, rvi0 appears in the local interface list, as shown in the following figure:
    (Figure: rvi0 in the interface list)
    Double-click rvi0 to enter the packet capture interface. By default, packet capture starts automatically.
    (Figure: capture started)
  4. Stop packet capture.
    After the problem has been reproduced and you need to stop packet capture, click the Stop button on the toolbar or press Cmd+E. Then click the Save button or press Cmd+S to save the captured packets.
    (Figure: Stop button)

Android platform

To capture packets at the Android client exit, the device must be rooted in advance, and you run the tcpdump command through Android Debug Bridge (ADB).

  1. Download tcpdump for Android.
  2. Install tcpdump. Push tcpdump to the device with the following commands and grant execution permission:

    ```shell
    adb push tcpdump /data/local/tcpdump
    # 6755 sets the setuid and setgid bits in addition to execute permission
    adb shell chmod 6755 /data/local/tcpdump
    ```

  3. Start tcpdump to begin packet capture.

    ```shell
    # run on the device, inside adb shell
    cd /data/local
    # -i any: all interfaces; -p: no promiscuous mode; -s 0: full packets; -w: write to file
    ./tcpdump -i any -p -s 0 -w /sdcard/myCapture.pcap
    ```

    [Click here](http://www.tcpdump.org/manpages/tcpdump.1.html) to view the detailed parameter configurations of tcpdump.
  4. Stop packet capture and retrieve the data.
    After the problem has been reproduced and you need to stop packet capture, follow the prompts or press Ctrl+C. Then copy the capture file to your computer with the following command:

    ```shell
    adb pull /sdcard/myCapture.pcap
    ```

Packet capture on an intermediate device

As shown in the figure at the top of the topic, TCP packets for the client can be captured at:

  • the client exit
  • the network access point

This section describes how to capture packets at Point B, the entry point of the access device.

  1. Configure the network topology for packet capture.
    A common network link configuration for this packet capture mode is as follows. When you use a MacBook or PC as the packet capture device, it must be configured with two network interfaces in advance, and one of them must be able to act as a wireless hotspot. The client connects to that hotspot over Wi-Fi, and the other network interface of the MacBook or PC connects to the network normally.
    (Figure: topology)
  2. Start packet capture. Take Wireshark as an example.
    Open Wireshark and find the wireless hotspot interface that the mobile phone is connected to, shown as network interface 1 in the preceding figure. Double-click it to start packet capture.
  3. Stop packet capture.
    After the problem has been reproduced and you need to stop packet capture, click the Stop button on the toolbar or press Cmd+E. Then click the Save button or press Cmd+S to save the captured packets.

Note: There are many types of intermediate devices; this section describes only one of them as an example. In practice, you can use different tools to perform the same kind of packet capture on different devices. We recommend that you capture packets on the first device the client connects to, so that devices further along the path do not interfere with the result.

Packet capture on a server

As shown in the figure at the top of the topic, some problems require packet capture on the server. This section takes tcpdump as an example.

  1. Install tcpdump.
    • On CentOS:

    ```shell
    yum install tcpdump
    ```

    • On Debian and Ubuntu:

    ```shell
    apt-get install tcpdump
    ```

    See the [tcpdump official website](https://www.tcpdump.org/) for more details.
  2. Start packet capture.
    Tcpdump has many configurable parameters, which you can set according to the specific scenario.

    ```shell
    # capture complete packets and write them to a file
    tcpdump -s 0 -w myCapture.pcap
    ```

    For more parameters, see the [tcpdump official documentation](https://www.tcpdump.org/#documentation).
  3. Stop packet capture.
    After the problem has been reproduced and you need to stop packet capture, press Ctrl+C. Then save the capture file to a suitable location.