TCPDump dumping something in background


braintweaker
Sep 11, 2017
In the latest weekly I've noticed battery drain. To determine which process is in memory and using CPU, I used an app showing all processes. What I noticed concerned me:

While it's not the reason for the drain, there is a process gathering info about all the connections, logging the first 50 bytes of every packet.
Upon inspecting the directory mentioned, there are 2 pcap files: tcpdump.pcap0, tcpdump.pcap1.

I've noticed that other people have already discovered this on xda and 4pda, also some mentions were on this forum from 2018: https://xiaomi.eu/community/threads/8-2-1.43229/post-408497

So the question is: is this some debug info being left and being sent by some other app to xiaomi?
What is the correct way to disable it?
 
After trying to make a Magisk patch for that, I simply rebooted into TWRP and renamed tcpdump. Living happily until Friday, and either they fix it, or I rename it again.
 
I know the dev team from xiaomi.eu is famous for stripping out all the bloatware, so maybe the xiaomi.eu devs can comment on that?
@ingbrzy?
Already removed. No idea what the purpose of this dumping is, but it can be easily disabled with this command over ADB in TWRP (after mounting the system and vendor partitions):
Code:
adb shell "find /system /vendor -type f -name 'init.qcom.rc' | xargs -r sed -i '/start \(tcpdump\|sniffer\)/d'"
 
I removed 3 files from vendor to make wireless logging stop; it actually stopped capturing with tcpdump, but there were like 3-4 30 MB files of logs in /data/vendor/wifi_logs/ that stopped by renaming these files. No side effects. Did you also remove them?
/vendor/bin/cnss_diag
/vendor/bin/ipacm-diag
/vendor/bin/tcpdump
 
I didn't rename/remove any files; I prevented the tcpdump service from auto-starting. Didn't touch cnss_diag or ipacm-diag.
 
I'm sorry Igor, but I've installed the latest 9.8.29 version from SourceForge and it looks like the fix is not included: the tcpdump process still runs.

Is the fix included somewhere else?
 
By the time I disabled tcpdump, certain 9.8.29 ROMs were already built. We're not going to rebuild them for something as minor as this.
For the rest of the devices that didn't get a ROM yesterday, the change will be applied.
 
Hi,
it still exists in current releases:

Code:
curtana:/ # getprop ro.build.fingerprint_real
Redmi/curtana_global/curtana:10/QKQ1.191215.002/V11.0.10.0.QJWMIXM:user/release-keys/1595409748

curtana:/ # ps -ef | grep tcpdump | grep -v grep
root          3506     1 0 15:39:14 ?     00:00:00 tcpdump_v2 -i any -W 2 -C 2 -s 134 -w /data/vendor/wlan_logs/tcpdump.pcap

curtana:/ # find /vendor -type f -exec grep -H /system/bin/tcpdump_v2 {} \;
/vendor/etc/init/hw/init.target.rc:service vendor.tcpdump /system/bin/tcpdump_v2 -i any -W 2 -C 2 -s 134 -w /data/vendor/wlan_logs/tcpdump.pcap
/vendor/etc/init/hw/init.target.rc:service sniffer /system/bin/tcpdump_v2 -i wlan0 -w /sdcard/wlan_logs/sniffer.pcap

curtana:/ # ls -al /data/vendor/wlan_logs/*pcap*
-rw-rw-rw- 1 root root 1005917 2020-07-28 16:15 /data/vendor/wlan_logs/tcpdump.pcap0
-rw-rw-rw- 1 root root 2000102 2020-07-28 15:42 /data/vendor/wlan_logs/tcpdump.pcap1
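The thread's fix is to delete the `start tcpdump` / `start sniffer` lines from the init .rc file, and the last post shows how to locate the service definitions (here in init.target.rc rather than init.qcom.rc). The script below is an added example, not code from the thread or from xiaomi.eu: it audits an init .rc file for services whose executable is a tcpdump/sniffer binary, reports the `start <name>` lines that would auto-start them, and writes a hardened copy that removes those `start` lines and ensures each such service block carries the init option `disabled` (so it can only be started explicitly by name). It assumes a POSIX sh with grep, awk, sed and mktemp; the sample .rc it runs against is constructed, modelled on the init.target.rc lines quoted above, and the `vendor.wifi_hal` service and `on property:` trigger in it are invented for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from xiaomi.eu.
# Audits an Android init .rc file for packet-capture services, lists where
# they are auto-started, and writes a hardened copy with those services
# marked "disabled" and their explicit "start <name>" lines removed.
# Assumes POSIX sh with grep, awk, sed and mktemp; the sample .rc below is
# constructed, modelled on the init.target.rc excerpt quoted in the thread.

# Print the names of services whose executable is a tcpdump/sniffer binary.
capture_services() {
    grep -E '^[[:space:]]*service[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]*(tcpdump|sniffer)' "$1" \
        | awk '{ print $2 }'
}

# Print (with line numbers) every "start <name>" line that would auto-start
# one of the capture services defined in the file.
autostart_lines() {
    rc=$1
    for svc in $(capture_services "$rc"); do
        esc=$(printf '%s' "$svc" | sed 's/\./\\./g')   # dots in service names are literal
        grep -nE "^[[:space:]]*start[[:space:]]+$esc([[:space:]]|\$)" "$rc" || true
    done
}

# Write a hardened copy of $1 to $2: drop "start" lines for capture services
# and make sure each capture service block contains "disabled" exactly once.
disable_capture() {
    rc=$1; out=$2
    names=$(capture_services "$rc" | tr '\n' ' ')
    awk -v names="$names" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") bad[a[i]] = 1 }
        function close_block() { if (inbad && !seen) print "    disabled"; inbad = 0; seen = 0 }
        # a blank line or a new section ends the service block being tracked
        NF == 0 || $1 == "service" || $1 == "on" || $1 == "import" { close_block() }
        # remove the explicit auto-start of a capture service
        $1 == "start" && ($2 in bad) { next }
        $1 == "service" && ($2 in bad) { inbad = 1 }
        inbad && $1 == "disabled" { seen = 1 }
        { print }
        END { close_block() }
    ' "$rc" > "$out"
}

# --- constructed sample, modelled on the thread's init.target.rc excerpt ---
SAMPLE_RC=$(mktemp)
HARDENED_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
service vendor.tcpdump /system/bin/tcpdump_v2 -i any -W 2 -C 2 -s 134 -w /data/vendor/wlan_logs/tcpdump.pcap
    class late_start
    user root
    group root

service sniffer /system/bin/tcpdump_v2 -i wlan0 -w /sdcard/wlan_logs/sniffer.pcap
    class late_start
    user root
    disabled

service vendor.wifi_hal /vendor/bin/hw/android.hardware.wifi@1.0-service
    class hal
    user wifi

on property:sys.boot_completed=1
    start vendor.tcpdump
    start vendor.wifi_hal
EOF

echo "capture services:"; capture_services "$SAMPLE_RC"
echo "auto-start lines:"; autostart_lines "$SAMPLE_RC"
disable_capture "$SAMPLE_RC" "$HARDENED_RC"
echo "auto-start lines left after hardening: $(autostart_lines "$HARDENED_RC" | wc -l)"
```

On a device the .rc lives on the read-only vendor image, so in the thread's TWRP workflow you would run the audit against a copy pulled over ADB and push the hardened file back only after checking the report; the unrelated `vendor.wifi_hal` service and its `start` line are left untouched, which is the check worth making before replacing an init file.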