mirror of https://github.com/emanuele-f/PCAPdroid.git synced 2026-06-16 21:10:57 +08:00

No-root network monitor, firewall and PCAP dumper for Android

Go to file

emanuele-f 14435311a5 Implement embedded HTTP server to provide an easy PCAP download option It's now possible to choose the PCAP dump mode: none (no external PCAP dump), HTTP server, UDP exporter. The HTTP server mode is a convenient way to download a PCAP without any client side configuration. This also makes it possible to capture the PCAP data on a Windows pc, where the UDP collection mode is not normally applicable. Closes #13		2020-01-06 18:12:53 +01:00
.idea	Add swipe view to show active connections	2019-11-08 23:47:42 +01:00
app	Implement embedded HTTP server to provide an easy PCAP download option	2020-01-06 18:12:53 +01:00
assets	Bump version to 1.2	2020-01-02 00:48:49 +01:00
gradle/wrapper	Update gradle version	2019-10-05 21:29:46 +02:00
ICONS_LICENSE/app_icon	Update icon	2019-11-03 23:12:34 +01:00
ndpi	Add nDPI library module	2019-11-09 22:07:00 +01:00
nDPI	Show nDPI information	2019-11-10 00:30:31 +01:00
tools	Fix receiver issue when verbose is diasabled	2019-11-03 19:45:20 +01:00
zdtun	First commit	2019-09-08 22:09:03 +02:00
.gitignore	Implement PCAP dump mode selector	2020-01-05 21:05:11 +01:00
build.gradle	Update gradle version	2019-10-05 21:29:46 +02:00
COPYING	Add license	2019-09-08 22:11:07 +02:00
gradle.properties	First commit	2019-09-08 22:09:03 +02:00
gradlew	First commit	2019-09-08 22:09:03 +02:00
gradlew.bat	First commit	2019-09-08 22:09:03 +02:00
README.md	Show nDPI information	2019-11-10 00:30:31 +01:00
settings.gradle	Add nDPI library module	2019-11-09 22:07:00 +01:00

README.md

Remote Capture

Remote Capture is an android app to capture the phone traffic and analyze it remotely (e.g. via Wireshark). The traffic can be easily captured on a remote PC via an UDP socket.

Realtime Traffic Analysis:

tools/udp_receiver.py -p 1234 | wireshark -k -i -

Features:

Capture apps traffic without root
Send captured traffic via UDP
Show captured traffic realtime statistics
Apply a filter to only capture traffic for the selected app

Download:

https://github.com/emanuele-f/RemoteCapture/releases

https://play.google.com/store/apps/details?id=com.emanuelef.remote_capture

App filter and DNS Traffic

Many applications rely on the Android DNS resolution service netd in order to resolve names. All the DNS requests sent via this service will come from netd, so it's not possible to which app made the request, so the app filter won't work. In order to circunvent this, Remote Capture will dump all the DNS traffic from netd regardless of the app filter. This can be disabled by toggling off the "Capture Unknown Traffic" preference.

Receiving the PCAP

The UDP receiver script can be used to receive the packets from the mobile application. As an alternative, the socat utily can be used (e.g. socat -b 65535 - udp4-listen:1234) but without the ability to pause and resume the capture. When using socat, setting the -b option is mandatory in order to correctly receive the packets (not supported in nc).

Analyze the traffic in Wireshark:

udp_receiver.py -p 1234 | wireshark -k -i -

Analyze the traffic with ntopng:

udp_receiver.py -p 1234 | ntopng -m “10.215.173.0/24” -i -

Write the traffic to a PCAP file:

udp_receiver.py -p 1234 | tcpdump -w dump.pcap -r -

How it Works

In order to run without root, the app takes advantage of the Android VPNService API to collect the packets on the device (they are not sent to an external VPN server). The zdtun connections proxy library is used to route the packets back to their original destination. Here are some diagrams of how it works:

Building

Clone this repo locally
Clone https://github.com/emanuele-f/zdtun beside this repository
Clone https://github.com/ntop/nDPI beside this repository
Link the cmake file into nDPI: from this repo execute: ln -s $(readlink -f nDPI/CMakeLists.txt) ../nDPI
Inside the nDPI directory, run ./autogen.sh
Build the zdtun and ndpi modules first
Then build the app module