Android Wireshark Dissector Installation

Android Wireshark Dissector (abbreviated ws_dissector) is the prerequisite for enabling cellular log decoding on Android.

It should be placed under /system/bin so that it can be invoked correctly, for example:

# Remount /system read-write so files can be copied into it
# (presumably requires a rooted device — confirm for your phone).
mount -o remount,rw /system
# Install the dissector binary into the system binary directory.
cp android_pie_ws_dissector /system/bin
# Make the binary executable (owner rwx, group/others r-x).
chmod 755 /system/bin/android_pie_ws_dissector
# NOTE(review): once the copy is done, consider remounting the partition
# read-only again (mount -o remount,ro /system) so /system is not left writable.

Android Wireshark Dissector also depends on the Wireshark and GNU GLib shared libraries, so your phone should contain at least the following entries:

# ls -al /system/lib
-rwxr-xr-x root     root      2566396 2016-04-01 09:35 libglib-2.0.so
-rwxr-xr-x root     root        13384 2016-04-01 09:35 libgmodule-2.0.so
-rwxr-xr-x root     root       366084 2016-04-01 09:35 libgobject-2.0.so
-rwxr-xr-x root     root         5160 2016-04-01 09:35 libgthread-2.0.so
-rwxr-xr-x root     root     59188324 2016-04-01 09:35 libwireshark.so
lrwxrwxrwx root     root              2016-04-01 09:34 libwireshark.so.6 -> /system/lib/libwireshark.so
lrwxrwxrwx root     root              2016-04-01 09:34 libwireshark.so.6.0.1 -> /system/lib/libwireshark.so
-rwxr-xr-x root     root       532436 2016-04-01 09:35 libwiretap.so
lrwxrwxrwx root     root              2016-04-01 09:34 libwiretap.so.5 -> /system/lib/libwiretap.so
lrwxrwxrwx root     root              2016-04-01 09:34 libwiretap.so.5.0.1 -> /system/lib/libwiretap.so
-rwxr-xr-x root     root       165440 2016-04-01 09:35 libwsutil.so
lrwxrwxrwx root     root              2016-04-01 09:34 libwsutil.so.6 -> /system/lib/libwsutil.so
lrwxrwxrwx root     root              2016-04-01 09:34 libwsutil.so.6.0.0 -> /system/lib/libwsutil.so

To test whether the dissector works, the following command (run in an adb shell) sends an RRC message to ws_dissector:

# Input framing, as reflected in the aww fields of the decoded output:
# 4-byte big-endian protocol id (0x000000c8 = 200), 4-byte big-endian data length
# (0x00000009 = 9), then the 9-byte RRC payload — 17 bytes in total.
echo -ne '\x00\x00\x00\xc8\x00\x00\x00\x09\x40\x01\xBF\x28\x1A\xEB\xA0\x00\x00' | android_pie_ws_dissector

If it succeeds, it decodes the message and generates an XML-based RRC result:

<packet>
  <proto name="frame" showname="Frame 0: 17 bytes on wire (136 bits), 17 bytes captured (136 bits)" size="17" pos="0">
    <field name="frame.encap_type" showname="Encapsulation type: USER 1 (46)" size="0" pos="0" show="46"/>
    <field name="frame.number" showname="Frame Number: 0" size="0" pos="0" show="0"/>
    <field name="frame.len" showname="Frame Length: 17 bytes (136 bits)" size="0" pos="0" show="17"/>
    <field name="frame.cap_len" showname="Capture Length: 17 bytes (136 bits)" size="0" pos="0" show="17"/>
    <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
    <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
    <field name="frame.protocols" showname="Protocols in frame: user_dlt:aww:lte_rrc" size="0" pos="0" show="user_dlt:aww:lte_rrc"/>
  </proto>
  <proto name="user_dlt" showname="DLT: 148, Payload: aww (Automator Wireshark Wrapper)" size="17" pos="0"/>
  <proto name="aww" showname="Automator Wireshark Wrapper" size="17" pos="0">
    <field name="aww.proto" showname="Protocol: 200" size="4" pos="0" show="200" value="000000c8"/>
    <field name="aww.data_len" showname="Data length: 9" size="4" pos="4" show="9" value="00000009"/>
  </proto>
  <proto name="fake-field-wrapper">
    <field name="lte-rrc.PCCH_Message_element" showname="PCCH-Message" size="6" pos="8" show="" value="">
      <field name="per.choice_index" showname="Choice Index: 0" hide="yes" size="1" pos="8" show="0" value="40"/>
      <field name="lte-rrc.message" showname="message: c1 (0)" size="6" pos="8" show="0" value="4001bf281aeb">
        <field name="lte-rrc.c1" showname="c1: paging (0)" size="6" pos="8" show="0" value="4001bf281aeb">
          <field name="lte-rrc.paging_element" showname="paging" size="6" pos="8" show="" value="">
            <field name="per.optional_field_bit" showname=".1.. .... Optional Field Bit: True (pagingRecordList is present)" hide="yes" size="1" pos="8" show="1" value="FFFFFFFF" unmaskedvalue="40"/>
            <field name="per.optional_field_bit" showname="..0. .... Optional Field Bit: False (systemInfoModification is NOT present)" hide="yes" size="1" pos="8" show="0" value="0" unmaskedvalue="40"/>
            <field name="per.optional_field_bit" showname="...0 .... Optional Field Bit: False (etws-Indication is NOT present)" hide="yes" size="1" pos="8" show="0" value="0" unmaskedvalue="40"/>
            <field name="per.optional_field_bit" showname=".... 0... Optional Field Bit: False (nonCriticalExtension is NOT present)" hide="yes" size="1" pos="8" show="0" value="0" unmaskedvalue="40"/>
            <field name="per.sequence_of_length" showname="Sequence-Of Length: 1" hide="yes" size="1" pos="8" show="1" value="40"/>
            <field name="lte-rrc.pagingRecordList" showname="pagingRecordList: 1 item" size="5" pos="9" show="1" value="01bf281aeb">
              <field name="" show="Item 0" size="5" pos="9" value="01bf281aeb">
                <field name="lte-rrc.PagingRecord_element" showname="PagingRecord" size="5" pos="9" show="" value="">
                  <field name="per.extension_bit" showname=".0.. .... Extension Bit: False" hide="yes" size="1" pos="9" show="0" value="0" unmaskedvalue="01"/>
                  <field name="per.extension_bit" showname="..0. .... Extension Bit: False" hide="yes" size="1" pos="9" show="0" value="0" unmaskedvalue="01"/>
                  <field name="per.choice_index" showname="Choice Index: 0" hide="yes" size="1" pos="9" show="0" value="01"/>
                  <field name="lte-rrc.ue_Identity" showname="ue-Identity: s-TMSI (0)" size="5" pos="9" show="0" value="01bf281aeb">
                    <field name="lte-rrc.s_TMSI_element" showname="s-TMSI" size="5" pos="9" show="" value="">
                      <field name="lte-rrc.mmec" showname="mmec: 1b [bit length 8, 0001 1011 decimal value 27]" size="1" pos="9" show="1b" value="1b"/>
                      <field name="lte-rrc.m_TMSI" showname="m-TMSI: f281aeba [bit length 32, 1111 0010  1000 0001  1010 1110  1011 1010 decimal value 4068585146]" size="4" pos="9" show="f2:81:ae:ba" value="f281aeba"/>
                    </field>
                  </field>
                  <field name="per.enum_index" showname="Enumerated Index: 0" hide="yes" size="1" pos="14" show="0" value="a0"/>
                  <field name="lte-rrc.cn_Domain" showname="cn-Domain: ps (0)" size="1" pos="14" show="0" value="a0"/>
                </field>
              </field>
            </field>
          </field>
        </field>
      </field>
  </field>
</proto>
</packet>
