emanuele-f / PCAPdroid

No-root network monitor, firewall and PCAP dumper for Android
https://emanuele-f.github.io/PCAPdroid
GNU General Public License v3.0

Capturing VPN app with API vs manual capture #414

Closed the-c0d3r closed 3 months ago

the-c0d3r commented 4 months ago

Device: Samsung A23 5G Status: rooted

Hi, I have been testing PCAPdroid with various VPN apps. I have been using adb to start and stop capture through the app api that pcapdroid is exposing. It works fine for all the apps, except when capturing certain VPN traffic.

The capture through the app API yields a pcap file with 0 bytes, while the manual capture through the PCAPdroid app yields a non-zero-byte pcap file. Both have root capture turned on.

I have tried a few different methods to capture using the app api through adb shell. With or without root_capture true, and also with all the options for capture_interface. Even pointing to the tun0 for capture_interface doesn't seem to capture traffic.

```
adb shell am start -e action start -e pcap_dump_mode pcap_file -e pcap_name traffic.pcap -e app_filter {self.app.package_name} -n com.emanuelef.remote_capture/.activities.CaptureCtrl
```

My commands are based on this template above, tested with root_capture and capture_interface.

The apps that I encounter issues with are as follows.

Are there any other ways to capture these with the app API? Please let me know if there's anything I can help to troubleshoot this.

emanuele-f commented 4 months ago

This could happen because of a wrong capture_interface / app_filter, e.g. if you specify the vpn app tun interface as the capture interface, the app_filter won't match the vpn app UID, whereas it will match it if you specify the internet interface, but it won't allow you to capture the tun traffic. In essence, if you capture from the vpn tun interface, then don't set an app_filter. If you still have issues with this, please post the extended adb command that you are using, including the capture_interface and app_filter.

the-c0d3r commented 4 months ago

Thanks for the response.

I am trying to capture the traffic of a VPN application, when it is connecting, as well as once connected. In this kind of case, what should I choose as the interface?

I am running the command aforementioned for all the apps, but for VPN it doesn't seem to work. By default I won't have root_capture or capture_interface specified. I don't know what is the default value for that.

On the other hand, inside the app settings, "capture as root" was turned on, and "capture interface" was set as "all interfaces". And this works if I capture with the app, but if I do the same with the API (root_capture true and capture_interface any), it gives me a 0-byte pcap.

But I was testing again a few times just now and managed to capture once or twice, out of a few times.

On a side note, if I set the app filter as the VPN app and the VPN is connected, will it capture only the VPN app traffic or will it capture any traffic that uses the VPN tunnel?

emanuele-f commented 4 months ago

To replicate the ui setup via the Intent, you need to set the capture_interface to any. If not set, it will default to @inet, which will only capture the packets inside the vpn when the vpn is active.

emanuele-f commented 3 months ago

Replied, closing for now
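
The interface and filter rules from the maintainer's replies above, as an added example that is not part of the thread or of PCAPdroid's own code: a small shell helper that lints a `capture_interface` / `app_filter` combination and builds the `CaptureCtrl` start command. The function names, the `tun*` interface-name match and the `com.example.vpn` package are assumptions of this example; the Intent extras and values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not PCAPdroid code): lint and build a CaptureCtrl start command.
# Intent extras and values are the ones quoted in this thread; the function
# names and the "tun*" interface-name match are assumptions of this example.
COMPONENT="com.emanuelef.remote_capture/.activities.CaptureCtrl"

# lint_capture IFACE APP_FILTER : prints one finding per line, nothing if clean
lint_capture() {
    iface=$1; app=$2
    if [ -z "$iface" ]; then
        # Per the thread: an unset interface is @inet, not the UI's "all interfaces".
        echo "note: capture_interface not set, defaults to @inet (use 'any' to match the UI setup)"
    fi
    case "$iface" in
        tun*)
            # Per the thread: on the VPN tun interface the filter cannot match the VPN app UID.
            if [ -n "$app" ]; then
                echo "warn: app_filter will not match the VPN app UID on $iface, drop app_filter"
            fi ;;
    esac
    return 0
}

# build_start_cmd PCAP_NAME IFACE APP_FILTER ROOT : prints the adb command,
# adding only the extras that were actually given
build_start_cmd() {
    cmd="adb shell am start -e action start -e pcap_dump_mode pcap_file -e pcap_name $1"
    if [ -n "$4" ]; then cmd="$cmd -e root_capture $4"; fi
    if [ -n "$2" ]; then cmd="$cmd -e capture_interface $2"; fi
    if [ -n "$3" ]; then cmd="$cmd -e app_filter $3"; fi
    echo "$cmd -n $COMPONENT"
}

# Constructed cases; com.example.vpn is a placeholder package name.
lint_capture tun0 com.example.vpn
lint_capture "" com.example.vpn
build_start_cmd traffic.pcap any "" true
```

The script only prints the command, so it can be reviewed before it is run against a device.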