emanuele-f / PCAPdroid

No-root network monitor, firewall and PCAP dumper for Android
https://emanuele-f.github.io/PCAPdroid
GNU General Public License v3.0

Tips to see all truncated data? #443

Open CamsShaft opened 4 months ago

CamsShaft commented 4 months ago

I'm relatively new to pcapdroid and I've run into a small problem. After running "tshark -r MyPacketCapture.pcapng -V > DecodedPcapng.txt" it's given me a ton of great information; it's nice, clean and organized. It's just that the truncated data isn't fully in the output, less than a hundred characters I'd say. Is there something else in the command above that I'm missing, or a completely different command? I'm running it on my S22 SM-S901W, Android 14, and using Termux to decode it. I'd like to keep it locally on my device for convenience if possible. I don't think there are any apps for reading or decoding that are compatible with this phone. Any advice is welcome, and here's an example of the output. I hope to continue learning as I go along. Thank you.

```
algorithmIdentifier (sha256WithRSAEncryption)
    Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted [truncated]: 21bc4f1d866a96e27626af0e36ce393f3895b9f066e519f0a918a4f423ef4eccbfe392b6ca72cec4415653a891d354c03cef4727098ca506459912659aae179a0b37a3af2bb9b39127ec12ee494328e537d4fe05aa60a708b6130b73100f659388bb72f5bc685dd300505209
Extensions Length: 0
```

CamsShaft commented 4 months ago

I lied, it's more than a hundred... :)

emanuele-f commented 4 months ago

Hello, this seems to be a tshark visualization issue. You should try alternative output modes or options. It may be linked to https://gitlab.com/wireshark/wireshark/-/issues/14874 . Spoiler: you will see a new interesting feature in PCAPdroid related to this topic soon 😉

CamsShaft commented 4 months ago

Ahh okay, yeah I'll definitely check some other things out. There's quite a lot going on in this app and it's easy to get confused if you're not aware of how things work. For instance, the mitm addon, which I'm sure you get a lot of messages about. I've tried using an AI chat and even that keeps getting a lot of things wrong. I suppose not fully understanding it quite yet is a factor too. I would like to play around with scripts at some point, but that takes time. This is pretty exciting news though! "Spoiler: you will see a new interesting feature in PCAPdroid related to this topic soon 😉" I'm really hoping to capture an apk with the sharedUserId=system attribute handshake during updates and installation. Not sure if that's even possible since it's pretty much only used for web captures, and Samsung probably doesn't use servers a lot besides OTA and FOTA installs. Anyways, great app and I hope things go smoothly for continued development! Thanks for the reply 😀

emanuele-f commented 4 months ago

> There's quite a lot going on in this app and it's easy to get confused if you're not aware of how things work

Yeah, learning how to use the app's more technical features requires time. You can get some help from the community: https://t.me/PCAPdroid / https://matrix.to/#/#pcapdroid:matrix.org

> I'm really hoping to capture an apk with the sharedUserId=system attribute handshake during updates and installation

Afaik, PCAPdroid should already capture traffic from system apps.

CamsShaft commented 4 months ago

The way I tend to learn is trial and error, lots of error, that way it's seared into my brain. Mostly I just read and watch videos, but hands-on is the only way to retain info for me, and repetition! It's funny that you mentioned capturing system apps, since it's something I completely forgot to mention. A couple of days ago I was trying to see if I could update a user app with ID 1000 by just reinstalling it and trying to capture it. I got the app I was using to call for the installation, but that's it. When I went to check out the decryption rules to add some more stuff there, I noticed none of the apps that have the system id 1000 are showing up in your app. I took a couple of screenshots for a side by side. In between the apps "D" and "F" you'll see there's a few missing. If you need any more info just let me know what to do and I'll be happy to help. One is PCAPdroid and the other is App Manager. I have no idea why that would be. My only guess is Samsung doesn't like us having any control over our phones haha.

[Screenshots: Screenshot_20240526_073220_Telegram, Screenshot_20240526_073233_Telegram]

emanuele-f commented 4 months ago

When multiple apps share the same uid (e.g. uid 1000, as in your example), PCAPdroid will only show one of them. The reason for this is that, internally, the OS only allows determining the uid of a connection, not the package name. So we can only know that the connection is from uid 1000, but not the specific app. Hope this clarifies.
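To see which packages on a device share a uid (and so can only be attributed collectively, as explained above), the following added script (not PCAPdroid's own code) groups the output of Android's `pm list packages -U` by uid. The sample input in the test is constructed; on a real device pipe the command's output into the function from Termux or `adb shell`.

```shell
#!/bin/sh
# Added example, not part of PCAPdroid.
# Reads lines in the format printed by `pm list packages -U`:
#   package:<package.name> uid:<uid>
# and prints "<uid> <pkg1>,<pkg2>,..." for every uid that more than one
# package shares. Each of those packages shows up in PCAPdroid as a single
# entry, because a connection can only be mapped to a uid, not to a package.
list_shared_uids() {
    awk '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            uid = $2; sub(/^uid:/, "", uid)
            count[uid]++
            pkgs[uid] = (count[uid] > 1) ? (pkgs[uid] "," pkg) : pkg
        }
        END {
            for (u in count) if (count[u] > 1) print u, pkgs[u]
        }' | sort -n
}

# Usage on a device (Termux or adb shell):
#   pm list packages -U | list_shared_uids
```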

CamsShaft commented 4 months ago

I managed to find a couple of id 1000 apps and also got Wireshark kind of running in Termux. I can view the pcaps, but I'm not sure if they're decrypted or not because the output is still just garbled like always lol. Last time I ran PCAPdroid I ended up getting the sslkeylogfile too, which I didn't know was a thing, and also the pcapdroid.lua. In Termux, does the Lua file go only in plug-ins, or does it have to go past that into /4.0 and then in one of the other 3 folders? I'll do some more reading and try to figure it out on my own, but I hope to be able to capture some good stuff! Cheers!

emanuele-f commented 4 months ago

For encrypted traffic you will need to load the corresponding keylog file in Wireshark/tshark in order to decrypt it. Regarding the Lua plugin folder, try to search for info online or do some experiments; probably the location on Termux is the same as on desktop PCs.
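The two points above (the `[truncated]` values in `tshark -V` output, and loading the keylog file to decrypt TLS) can be covered with one tshark invocation. The following wrapper is an added example, not code from PCAPdroid or the Wireshark project; the file names are assumptions, and it needs tshark installed in Termux.

```shell
#!/bin/sh
# Added example (not PCAPdroid's own code). Decode a PCAPdroid capture so that
#  (a) long byte fields are printed in full instead of "[truncated]": the
#      abbreviation happens in the -V text renderer (wireshark issue 14874),
#      while -T json (or -T pdml) emits every field value completely;
#  (b) TLS payloads are decrypted using the sslkeylogfile PCAPdroid exported,
#      passed through the tls.keylog_file preference.
decode_pcap() {
    pcap=$1        # assumption: e.g. MyPacketCapture.pcapng
    keylog=${2:-}  # optional: the keylog file saved alongside the capture
    [ -f "$pcap" ] || { echo "no such capture: $pcap" >&2; return 2; }
    if [ -n "$keylog" ] && [ ! -f "$keylog" ]; then
        echo "no such keylog file: $keylog" >&2
        return 2
    fi
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 3; }
    set -- -r "$pcap"
    if [ -n "$keylog" ]; then
        set -- "$@" -o "tls.keylog_file:$keylog"
    fi
    # -T json keeps full values; add -x instead if you prefer the -V text view
    # plus a complete hex dump of every packet.
    tshark "$@" -T json
}

# Usage (file names are assumptions):
#   decode_pcap MyPacketCapture.pcapng sslkeylogfile.txt > DecodedPcapng.json
```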

emanuele-f commented 3 months ago

> Spoiler: you will see a new interesting feature in PCAPdroid related to this topic soon 😉

@CamsShaft here we are, you can now decrypt PCAP files directly in PCAPdroid! Check out https://github.com/emanuele-f/PCAPdroid/issues/351#issuecomment-2170828828