- 3 modes: no payload, minimal payload (save memory), full payload
- Display payload as hexdump
- Display HTTP requests and responses as string
- Show decrypted HTTPS (requires mitm addon)
- Decode chunked encoding and gzip body
- Show websockets messages (only with TLS decryption enabled)
- An icon indicates the connection's decryption status
- Easily copy the HTTP request/response from the context menu
See #107
When the TLS decryption is enabled, it's now possible to export the
SSLKEYLOGFILE to decrypt the PCAP file in Wireshark. The export only
works when the capture is running.
When stopping the service, only stopForeground was called, but not
stopSelf. If the process was destroyed (e.g. by swiping the app
from the recent apps), in some cases it would be restarted due to
START_STICKY, causing ForegroundServiceStartNotAllowedException in
Android 12.
Fixes #175
The pcapdroid_mitm.py plugin allows PCAPdroid to receive the decrypted data from
mitmproxy and display it in the GUI (currently limited to the HTTP request).
PCAP dump is now performed into a separate thread. This greatly reduces
the chance for packet loss in root mode as well as preventing latency
spikes in VPN mode.
The VPN can now be started by the system when the always-on VPN is
enabled. In this case, the stop button is hidden and the previous
configuration is used.
Closes #165
Null intents (e.g. due to START_STICKY) are now handled, which prevents
ForegroundServiceStartNotAllowedException in Android 12.
Fixes #175
When the capture interface is set to "All Interfaces", it is now
possible to filter connections by interface. The interface is also shown
in the connection details.
Closes #163
- Block connections by IP, domain or app
- Add filter to show blocked connections
- Migrate IP matching to ndpi_ptree_t API
- IPv6 addresses now supported in blacklists
- Duplicate IP address rules now only counted once
PCAPdroid now tracks the private DNS state. Secure DNS queries are now
only blocked when set in opportunistic mode. A notice is now shown when
PCAPdroid has no visibility on the DNS query.
Fixes #130
A notification is generated when a connection matches known malicious
domains or IP addresses. The connections view reports malicious
connections with a skull icon. A filter can be set to only show them.
Needed for #105
User permission is asked every time the intent is fired. Stopping capture
is allowed to the same app which started it without asking permission.
See #33
Connections data is now split into three groups:
- The connection identifier (e.g. 5 tuple)
- The connection statistics
- The connection L7 information (e.g. HTTP URL and request data)
With this optimization, most updates will only pass the connection
statistics through the JNI interface. The connection identifier will
only be passed for new connections and the L7 information will only be
passed when needed (e.g. after extracting the URL).
Closes #82
Show information about an app, including its target SDK version,
install/update date and its requested permissions. Also add a button to
quickly open the app info/settings in Android.
Closes #45