Monitoring Android Emulator Network Traffic

It might be interesting for several reasons to monitor the network traffic of Android devices to watch the network behavior of some apps.

This article describes how to monitor network traffic running the Android AVD Emulator on Linux.

Android Studio And AVD Manager

The AVD emulator is part of Android Studio, which is Google’s Android development suite. Thus, installing it is a prerequisite. You can install it into your home directory, e.g. into ~/android.

After installation you will find two directories there: android-studio, which contains the IDE itself, and android-sdk-linux, which contains all development and build tools. [1]

You should set up an environment variable ANDROID_HOME which shall point to the sdk directory, e.g. ANDROID_HOME=/home/foouser/android/android-sdk-linux.

Once successfully installed, you can create virtual images. Use the AVD manager which is found either as the command line tool avdmanager or within Android Studio: Tools -> Android -> AVDManager. It is suggested to create an x86-image because it performs much better since it is virtualized and not just emulated.

Create your virtual Android image with it. The images are stored in your home directory at ~/.android/avd.

The AVD Emulator

The AVD emulator is actually based on qemu which is a great emulation and virtualization tool for Linux.

To monitor network traffic we have to run the virtual image from the command line. First run the emulator from the command line to see if your image works.

$ANDROID_HOME/emulator/qemu/linux-x86_64/qemu-system-i386 -avd <NAME_OF_AVD>

The emulator shall start your virtual smartphone.

You will probably see the following error message:

Failed to open lib64EGL_translator: [ cannot open shared object file: No such file or directory]
gles2_dispatch_init: Could not load lib64GLES_V2_translator [ cannot open shared object file: No such file or directory]
emulator: ERROR: Could not load OpenGLES emulation library [lib64OpenglRender]: cannot open shared object file: No such file or directory
emulator: ERROR: Could not initialize OpenglES emulation, use '-gpu off' to disable it.

The reason is that the emulator cannot find the shared libraries which are shipped with it in the package.

Thus, just add the emulator's library directory to LD_LIBRARY_PATH:

export LD_LIBRARY_PATH=$ANDROID_HOME/emulator/lib64

Run the emulator again; it should work now.

Set Up A TAP Device

Now let’s set up a TAP device to which we will attach the virtual Android machine and Wireshark 😉

Run the following commands as root:

ip tuntap add name tap0 mode tap
ip link set tap0 up
ip address add dev tap0
ip address add dev tap0

Now we have to set up routing and NAT so that the virtual machine is able to access the Internet (you can skip this if you don’t need Internet).
In my example wlan0 is the outgoing network interface of the host computer (the Linux box) and is the IP address of your DNS server (see /etc/resolv.conf). You have to change these values appropriately!

sysctl net.ipv4.conf.all.forwarding=1
iptables -t nat -A POSTROUTING -s -o wlan0 -j MASQUERADE
iptables -t nat -A PREROUTING -d -j DNAT --to-destination

That’s it!

Now run the emulator again and add the networking options to qemu as follows:

$ANDROID_HOME/emulator/qemu/linux-x86_64/qemu-system-i386 -avd <NAME_OF_AVD> -qemu -net nic,model=virtio -net tap,ifname=tap0,script=no,downscript=no

Now you can attach Wireshark to the tap0 device and monitor every packet 🙂
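As an added example (not part of the original article): a quick first pass over a tap0 capture is to count which hostnames the guest resolves. The function names, the 192.0.2.x addresses and the *.example names are constructed for illustration, and the input is assumed to be a classic pcap file with Ethernet frames.

```python
import struct
from collections import Counter

def query_name(frame: bytes):
    """Return the queried name if frame is Ethernet/IPv4/UDP to port 53, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    udp = frame[14 + (frame[14] & 0x0F) * 4:]          # skip Ethernet + IP header (IHL)
    if len(udp) < 20 or struct.unpack("!H", udp[2:4])[0] != 53:
        return None
    dns = udp[8:]
    flags, qdcount = struct.unpack("!HH", dns[2:6])
    if flags & 0x8000 or qdcount < 1:                  # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(dns) and dns[pos] != 0:
        n = dns[pos]
        if n > 63 or pos + 1 + n > len(dns):           # pointer or truncated label
            return None
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels).lower() or None

def dns_queries(pcap: bytes) -> Counter:
    """Count DNS query names in a classic pcap (not pcapng) with Ethernet link type."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet frames")
    names, off = Counter(), 24
    while off + 16 <= len(pcap):                       # 16-byte per-packet record header
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        name = query_name(pcap[off + 16:off + 16 + incl_len])
        if name:
            names[name] += 1
        off += 16 + incl_len
    return names

def sample_pcap() -> bytes:
    """Constructed capture: three DNS queries and one NTP-port frame from a made-up guest."""
    def frame(payload, dport):
        udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 15]), bytes([192, 0, 2, 1]))
        return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp
    def query(name):
        qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
        return struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    names = ("ads.example", "ads.example", "api.example")
    frames = [frame(query(n), 53) for n in names] + [frame(b"x" * 20, 123)]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

For a real capture, record with `tcpdump -i tap0 -w tap0.pcap` and pass the file's bytes to `dns_queries`; a pcapng file saved from Wireshark is rejected with a ValueError rather than misparsed.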

You could even attach mitmproxy 🙂

Have phun watching the dirty traffic of all those apps!

  1. In theory it is possible to develop Android apps just with the SDK and a good editor such as vi 😉


    • Lucian on October 25, 2017 at 9:02 pm

    Trying this with an arm Android image and the emulator binaries gives a segmentation fault. It does not seem to allow me to give it anything other than a default qemu user NIC.
    I would like to only have one guest interface through a bridge and no NAT. Any tips for how I could achieve this?

    1. Do you have a recent installation of Android Studio and the emulator? I use this setup very often (Debian Linux, Kernel 4.9) and it works like a charm.
      Since the emulator connects to the tap device, you could also bridge it directly to the Ethernet with the bridge-utils instead of using iptables and NAT.

      brctl addbr br0
      brctl stp br0 off
      brctl addif br0 tap0
      brctl addif br0 eth0
