From 0cf982f1acb0e773eea2233d51673e6d7903e5e4 Mon Sep 17 00:00:00 2001 From: Emanuele Faranda Date: Sun, 3 Nov 2019 20:04:32 +0100 Subject: [PATCH] udp_receiver instructions and DNS information --- README.md | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 2cd81735..58c31658 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,15 @@ # Remote Capture -Remote Capture captures the android apps traffic to analyze it remotely (e.g. via Wireshark). The traffic is sent live via an UDP socket and can be easily captured remotely with: +Remote Capture is an android app to capture the phone traffic and analyze it remotely (e.g. via Wireshark). The traffic can be easily captured on a remote PC via an UDP socket. +Realtime Traffic Analysis: + +```bash +tools/udp_receiver.py -p 1234 | wireshark -k -i - +``` + Features: - Capture apps traffic without root 
@@ -14,40 +20,37 @@ Features: Download: https://github.com/emanuele-f/RemoteCapture/releases +https://play.google.com/store/apps/details?id=com.emanuelef.remote_capture + +## App filter and DNS Traffic + +Many applications rely on the Android DNS resolution service `netd` in order to resolve names. All the DNS requests sent via this service will come from `netd`, so it's not possible to which app made the request, so the app filter won't work. In order to circunvent this, Remote Capture will dump all the DNS traffic from `netd` regardless of the app filter. This can be disabled by toggling off the "Capture Unknown Traffic" preference. ## Receiving the PCAP -In order to receive the PCAP on the collector host, perform the following steps in order: - - 1. Ensure that the Remote Capture VPN is not running (key icon is not shown) - 2. Run the PCAP collector program (e.g. wireshark) on the host - 3. Start the Remote Capture VPN via the start button - -To start a new capture, stop the VPN and repeat the steps above. - -### Examples +The [UDP receiver](https://github.com/emanuele-f/RemoteCapture/blob/master/tools/udp_receiver.py) script can be used to receive the packets from the mobile application. As an alternative, the `socat` utily can be used (e.g. `socat -b 65535 - udp4-listen:1234`) but without the ability to pause and resume the capture. When using socat, setting the `-b` option is mandatory in order to correctly receive the packets (not supported in `nc`). 
- Analyze the traffic in Wireshark: ```bash -socat -b 65535 - udp4-listen:1234 | wireshark -k -i - +udp_receiver.py -p 1234 | wireshark -k -i - ``` - Analyze the traffic with ntopng: ```bash -socat -b 65535 - udp4-listen:1234 | ntopng -m “10.215.173.0/24” -i - +udp_receiver.py -p 1234 | ntopng -m “10.215.173.0/24” -i - ``` - Write the traffic to a PCAP file: ```bash -socat -b 65535 - udp4-listen:1234 | tcpdump -w dump.pcap -r - +udp_receiver.py -p 1234 | tcpdump -w dump.pcap -r - ``` -Note: the `-b` option of `socat` is required as the default UDP buffer size of 8192 B -of `nc` or `socat` is not enough to handle the encapsulated packets. - ## Building -In order to build the app, you need to clone https://github.com/emanuele-f/zdtun beside the RemoteCapture directory +1. Clone this repo locally +2. Clone https://github.com/emanuele-f/zdtun beside this repository +3. Build the `zdtun` module first +4. Then build the `app` module
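Review bot: the quick-start command `tools/udp_receiver.py -p 1234 | wireshark -k -i -` in the first hunk only works from the repository root with the script marked executable, while the later examples call a bare `udp_receiver.py`; pick one form (e.g. `python3 tools/udp_receiver.py -p 1234`) and use it consistently so the first command a reader copies actually runs. Grammar nit in the same hunk: "an UDP socket" should read "a UDP socket", and "android app" is normally written "Android app".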
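Review bot: the ntopng example in the second hunk keeps typographic quotes in `udp_receiver.py -p 1234 | ntopng -m “10.215.173.0/24” -i -`; a shell does not treat “ ” as quoting, so the quote characters are passed literally to ntopng as part of the network argument, and the `+` line should use straight double quotes ("10.215.173.0/24"). Dropping the old "Note: the `-b` option of `socat` is required ..." paragraph also removes the reason (the 8192 B default buffer being too small for the encapsulated packets) that makes `-b 65535` understandable; keep that clause in the new socat sentence. The removed step list told users to start the collector before the VPN, and the new text does not say whether that order still matters with `udp_receiver.py`. In the new "App filter and DNS Traffic" section, "so it's not possible to which app made the request" is missing "tell", "circunvent" should be "circumvent", and "utily" should be "utility"; it would also help to state plainly that turning off "Capture Unknown Traffic" suppresses all DNS traffic relayed through `netd`, not only traffic from unfiltered apps. Finally, the receiving section now describes raw UDP delivery to a listening port without saying which hosts may send to it or anything about protection of the mirrored traffic in transit; a sentence recommending that the collector be run on a trusted network is worth adding.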