udp_receiver instructions and DNS information

This commit is contained in:
Emanuele Faranda 2019-11-03 20:04:32 +01:00 committed by GitHub
parent 3619abecb5
commit 0cf982f1ac
GPG Key ID: 4AEE18F83AFDEB23


@ -1,9 +1,15 @@
# Remote Capture
Remote Capture captures the android apps traffic to analyze it remotely (e.g. via Wireshark). The traffic is sent live via an UDP socket and can be easily captured remotely with:
Remote Capture is an android app to capture the phone traffic and analyze it remotely (e.g. via Wireshark). The traffic can be easily captured on a remote PC via an UDP socket.
<img src="https://raw.githubusercontent.com/emanuele-f/RemoteCapture/master/playstore/screenshots/capturing.jpg" width="200" />
Realtime Traffic Analysis:
```bash
tools/udp_receiver.py -p 1234 | wireshark -k -i -
```
Features:
- Capture apps traffic without root
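Review bot: the Realtime Traffic Analysis command hard-codes `-p 1234` without stating that this port has to match the collector port configured in the app, and `tools/udp_receiver.py` is a path relative to the repository root; one sentence saying that the port must match the app setting and that the command is meant to be run from the repository root (or with an explicit interpreter) would make the example copy-pasteable. The rewritten description line also drops the "sent live via an UDP socket" wording of the removed line; if the traffic is still streamed live rather than buffered, keep that detail, since it is the reason a receiver must be running before the capture starts.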
@ -14,40 +20,37 @@ Features:
Download:
https://github.com/emanuele-f/RemoteCapture/releases
https://play.google.com/store/apps/details?id=com.emanuelef.remote_capture
## App filter and DNS Traffic
Many applications rely on the Android DNS resolution service `netd` in order to resolve names. All the DNS requests sent via this service will come from `netd`, so it's not possible to which app made the request, so the app filter won't work. In order to circunvent this, Remote Capture will dump all the DNS traffic from `netd` regardless of the app filter. This can be disabled by toggling off the "Capture Unknown Traffic" preference.
## Receiving the PCAP
In order to receive the PCAP on the collector host, perform the following steps in order:
1. Ensure that the Remote Capture VPN is not running (key icon is not shown)
2. Run the PCAP collector program (e.g. wireshark) on the host
3. Start the Remote Capture VPN via the start button
To start a new capture, stop the VPN and repeat the steps above.
### Examples
The [UDP receiver](https://github.com/emanuele-f/RemoteCapture/blob/master/tools/udp_receiver.py) script can be used to receive the packets from the mobile application. As an alternative, the `socat` utily can be used (e.g. `socat -b 65535 - udp4-listen:1234`) but without the ability to pause and resume the capture. When using socat, setting the `-b` option is mandatory in order to correctly receive the packets (not supported in `nc`).
- Analyze the traffic in Wireshark:
```bash
socat -b 65535 - udp4-listen:1234 | wireshark -k -i -
udp_receiver.py -p 1234 | wireshark -k -i -
```
- Analyze the traffic with ntopng:
```bash
socat -b 65535 - udp4-listen:1234 | ntopng -m “10.215.173.0/24” -i -
udp_receiver.py -p 1234 | ntopng -m “10.215.173.0/24” -i -
```
- Write the traffic to a PCAP file:
```bash
socat -b 65535 - udp4-listen:1234 | tcpdump -w dump.pcap -r -
udp_receiver.py -p 1234 | tcpdump -w dump.pcap -r -
```
Note: the `-b` option of `socat` is required as the default UDP buffer size of 8192 B
of `nc` or `socat` is not enough to handle the encapsulated packets.
## Building
In order to build the app, you need to clone https://github.com/emanuele-f/zdtun beside the RemoteCapture directory
1. Clone this repo locally
2. Clone https://github.com/emanuele-f/zdtun beside this repository
3. Build the `zdtun` module first
4. Then build the `app` module
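Review bot: the ntopng examples wrap the subnet in typographic quotes (`ntopng -m “10.215.173.0/24” -i -`); a shell passes those characters through literally, so ntopng receives `“10.215.173.0/24”` as the network string. They should be plain ASCII double quotes, or no quotes at all since the value has no spaces. The same examples invoke `udp_receiver.py` bare while the first hunk uses `tools/udp_receiver.py`; use one form in both places. Wording in the "App filter and DNS Traffic" and "Examples" paragraphs also needs a pass: "circunvent" should read "circumvent", "it's not possible to which app made the request" is missing "know", and "utily" should read "utility". The closing note about `-b` and the 8192 B default buffer restates what the Examples paragraph already says about `-b` being mandatory and `nc` not supporting it; merging the two into one statement would avoid the reader seeing the same caveat twice.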