Advanced Network Monitor

Overview

Using Network Monitor, it is possible to specify a process to monitor. This is useful for monitoring the network activity of a specific process for runtime device monitoring.

Note: This feature is available to users with Business Enterprise and higher licenses.

Monitoring network activity for a process

Using the Corellium UI

To start monitoring network activity for a particular process, you'll need to start your device with "process monitoring enabled". You can find this in the power dropdown while the device is off.

From here, go to Network Monitor in the Corellium UI and switch to "All Network Traffic" mode.

You now have the ability to approach this from two different angles:

  1. Server-side filtering: you can start monitoring a specific process and then filter down to the network traffic you're interested in.
  2. Client-side filtering: you can start monitoring all network traffic and then filter down to the process you're interested in.

Server-side filtering

To start monitoring a specific process, click "Configure".

From here, you can select the IP, Process, Port and/or PID you're interested in.

When you're ready, press "Start Monitoring".

Client-side filtering

Once you have started monitoring some network traffic, you can filter down to the process you're interested in by clicking the "Filter results" button.

Here you can select the Protocol, Source, Source Port, Destination, Destination Port, Process and/or PID you're interested in.

Filters apply automatically, so you just need to hit "Close" to see the results.

Note: client-side filters only exist in the browser and do not apply to downloaded PCAP files.

Downloading results

To download the results, click "Download". This will generate a PCAP (specifically, pcap-ng) file that you can open in Wireshark or other tools.
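
Because client-side filters do not carry over to the download, the same Destination / Destination Port filtering can be re-applied to the pcap-ng file offline. The following is an added example, not Corellium code: the function names are hypothetical, the sample capture is constructed, and it assumes Ethernet (link type 1) frames carrying IPv4 TCP/UDP.

```python
import socket
import struct

def read_packets(buf):
    """Yield (linktype, frame) for every Enhanced Packet Block in a pcap-ng buffer."""
    endian, linktypes, off = "<", [], 0
    while off + 12 <= len(buf):
        if buf[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # Section Header Block
            endian = "<" if buf[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
            linktypes = []  # interface IDs restart in each section
        btype, blen = struct.unpack_from(endian + "II", buf, off)
        if blen < 12 or off + blen > len(buf):
            break  # truncated or corrupt block
        body = buf[off + 8:off + blen - 4]
        if btype == 1 and len(body) >= 8:  # Interface Description Block
            linktypes.append(struct.unpack_from(endian + "H", body)[0])
        elif btype == 6 and len(body) >= 20:  # Enhanced Packet Block
            iface, _, _, caplen, _ = struct.unpack_from(endian + "5I", body)
            if iface < len(linktypes):
                yield linktypes[iface], body[20:20 + caplen]
        off += blen

def flow(linktype, frame):
    """Return (proto, src, sport, dst, dport) for IPv4 TCP/UDP over Ethernet, else None."""
    if linktype != 1 or len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # assumption: only Ethernet (link type 1) + IPv4 is decoded
    ihl = (frame[14] & 0x0F) * 4
    proto = {6: "TCP", 17: "UDP"}.get(frame[23])
    if proto is None or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return proto, socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport

def filter_capture(buf, dst=None, dport=None):
    """Apply Destination / Destination Port filters to a downloaded capture."""
    flows = (flow(lt, fr) for lt, fr in read_packets(buf))
    return [f for f in flows if f and dst in (None, f[3]) and dport in (None, f[4])]

# Constructed sample capture (not Corellium output): one TCP/443 and one UDP/53 packet,
# with headers reduced to the fields the parser reads.
def _block(btype, body):
    body += b"\0" * (-len(body) % 4)
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)
def _frame(proto, src, sport, dst, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\0" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)

SAMPLE = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)) + _block(1, struct.pack("<HHI", 1, 0, 0))
for _f in (_frame(6, "10.11.0.2", 50000, "203.0.113.10", 443), _frame(17, "10.11.0.2", 50001, "10.11.0.1", 53)):
    SAMPLE += _block(6, struct.pack("<5I", 0, 0, 0, len(_f), len(_f)) + _f)
```

For a real download, pass the file's bytes (read in binary mode) to `filter_capture` in place of `SAMPLE`.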

Using the REST API

Use the following endpoints from our REST API:

Using the JavaScript API (legacy)

Use the following endpoints from our legacy JavaScript API:

Using the new JavaScript API

Use the following endpoints from our new JavaScript API:

Here is a simple example to start and stop Netdump:

const { ApiClient, CorelliumApi } = require('@corellium/client-api');

const defaultClient = new ApiClient('https://app.corellium.com/api');
// Configure Bearer (ApiToken or JWT) access token for authorization: BearerAuth
const BearerAuth = defaultClient.authentications['BearerAuth'];
BearerAuth.accessToken = '[access_token]';
// BearerAuth.accessToken = process.env.CORELLIUM_API_ACCESS_TOKEN;

const api = new CorelliumApi(defaultClient);
const instanceId = '[instance_id]';

// Start Netdump, let it capture for 10 seconds, then stop it on the same instance
api.v1StartNetdump(instanceId).then(() => {
  console.log('Started Netdump');
  setTimeout(() => {
    api.v1StopNetdump(instanceId).then(() => {
      console.log('Stopped Netdump');
    }).catch(error => console.error(error));
  }, 10000);
}).catch(error => console.error(error));

Using the Python API

Use the following endpoints from our Python API:

Here is a simple example to start and stop Netdump:

import asyncio
import corellium_api
from corellium_api.rest import ApiException

# The client must configure the authentication and authorization parameters
# in accordance with the API server security policy.
# Examples for each auth method are provided below, use the example that
# satisfies your auth use case.

# Configure Bearer authorization (ApiToken or JWT): BearerAuth
configuration = corellium_api.Configuration(
    host="https://app.corellium.com/api",
    ssl_ca_cert="./ca_cert.cer",
)
configuration.access_token = '[access_token]'

async def main():
    # Enter a context with an instance of the API client
    async with corellium_api.ApiClient(configuration) as api_client:
        # Create an instance of the API class
        api_instance = corellium_api.CorelliumApi(api_client)
        try:
            instance_id = '[instance_id]'

            await api_instance.v1_start_netdump(instance_id)
            # Capture for 5 seconds without blocking the event loop
            await asyncio.sleep(5)
            await api_instance.v1_stop_netdump(instance_id)
        except ApiException as e:
            print("Exception when calling CorelliumApi->v1_start_netdump: %s\n" % e)

asyncio.run(main())

Using the CLI

Use the following commands from our CLI:

  • Start monitoring: corellium instance netmon enable
  • Stop monitoring: corellium instance netmon disable
  • Download PCAP file: corellium instance netmon download
  • Stream monitoring events: corellium instance netmon stream

Notes

  • Due to the nature of streaming and asynchronous processing, the PCAP file and the UI can differ by a margin of < 0.5%. This is known and expected.