fkie-cad / friTap

The goal of this project is to help researchers to analyze traffic encapsulated in SSL or TLS.
GNU General Public License v3.0

tcpdump starts twice on Android when app spawn and full capture are enabled #23

Closed mpeck12 closed 4 months ago

mpeck12 commented 4 months ago

When spawn and full capture are enabled, pcap.PCAP is called twice, starting tcpdump twice.

Example:

./friTap.py -m -f -k keylog -p 12.pcap -s com.package
[*] capturing whole traffic of target app
[*] doing full capture on Android
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
[*] capturing whole traffic of target app
[*] doing full capture on Android
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
[*] Running Script on Android

I fixed it like this, but I'm not sure if this is the right logic:

diff --git a/friTap/friTap.py b/friTap/friTap.py
index 24f36d5..893892c 100644
--- a/friTap/friTap.py
+++ b/friTap/friTap.py
@@ -379,7 +379,7 @@ def ssl_log(app, pcap_name=None, verbose=False, spawn=False, keylog=False, enabl
         print(f'[*] friTap will continue after the named pipe is ready....\n')
         pcap_obj =  pcap.PCAP(fifo_file,SSL_READ,SSL_WRITE,full_capture, mobile,debug_mode)

-    elif pcap_name:
+    elif pcap_name and (not(spawn) or not(full_capture)):
         pcap_obj =  pcap.PCAP(pcap_name,SSL_READ,SSL_WRITE,full_capture, mobile,debug_mode)
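Review bot: the added guard on the `elif pcap_name` line makes this branch do nothing when `spawn` and `full_capture` are both set, so in exactly that configuration `pcap_obj` depends on some other call site having constructed `pcap.PCAP` first; that site is not visible in this hunk, and if it is later moved or removed the full capture silently disappears rather than failing. Prefer removing the duplicate construction at its source so there is a single `pcap.PCAP(...)` call for every flag combination, or, if this guard is kept, add a comment naming the other call site it relies on. Minor: `not(spawn) or not(full_capture)` writes Python's `not` keyword like a function; `not (spawn and full_capture)` states the intended condition directly.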
monkeywave commented 4 months ago

Thx for reporting this issue :-)

Actually, there was a logic bug there, and it should be resolved in the latest version (1.1.0.1).

If it is still present, reopen this issue.
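To make the reported double start concrete, here is a toy reconstruction of the capture dispatch, written for this issue page rather than taken from friTap. It is not friTap's code: `FakePCAP` stands in for `pcap.PCAP`, and the `_spawn_path` call site is an assumption (the report shows two `pcap.PCAP` calls but not where the first one comes from). The three variants show the reported behaviour, the reporter's guard, and a dispatch that picks the output once and constructs once, so neither `spawn` nor `full_capture` can cause a second tcpdump.

```python
"""Toy reconstruction of the capture dispatch in friTap's ssl_log().

Added as an example for this issue; it is NOT friTap's own code.  The
spawn-path call site (_spawn_path) is an ASSUMPTION: the issue shows two
pcap.PCAP() calls but not where the first one lives.
"""


class FakePCAP:
    """Stand-in for friTap's pcap.PCAP.  Like the real one, constructing it
    with full_capture set starts a capture process (recorded in `events`)."""

    def __init__(self, target, full_capture, events):
        self.target = target
        events.append(f"PCAP({target})")            # one object constructed
        if full_capture:
            events.append(f"tcpdump -> {target}")    # one tcpdump process


def _spawn_path(pcap_name, full_capture, events):
    """ASSUMED spawn-specific branch that already builds the PCAP object."""
    return FakePCAP(pcap_name, full_capture, events)


def summarize(pcap_obj, events):
    """Count constructions and tcpdump starts so the variants can be compared."""
    return {
        "has_obj": pcap_obj is not None,
        "pcap_calls": sum(e.startswith("PCAP(") for e in events),
        "tcpdump_starts": sum(e.startswith("tcpdump") for e in events),
    }


def buggy_ssl_log(pcap_name=None, fifo_file=None, spawn=False, full_capture=False):
    """Reproduces the report: two independent call sites, tcpdump starts twice."""
    events, pcap_obj = [], None
    if spawn and full_capture:
        pcap_obj = _spawn_path(pcap_name, full_capture, events)
    if fifo_file:
        pcap_obj = FakePCAP(fifo_file, full_capture, events)
    elif pcap_name:                        # runs again for spawn + full_capture
        pcap_obj = FakePCAP(pcap_name, full_capture, events)
    return summarize(pcap_obj, events)


def guarded_ssl_log(pcap_name=None, fifo_file=None, spawn=False, full_capture=False):
    """The reporter's patch: skip the second call when both flags are set.
    Correct only as long as the other call site keeps existing."""
    events, pcap_obj = [], None
    if spawn and full_capture:
        pcap_obj = _spawn_path(pcap_name, full_capture, events)
    if fifo_file:
        pcap_obj = FakePCAP(fifo_file, full_capture, events)
    elif pcap_name and not (spawn and full_capture):
        pcap_obj = FakePCAP(pcap_name, full_capture, events)
    return summarize(pcap_obj, events)


def fixed_ssl_log(pcap_name=None, fifo_file=None, spawn=False, full_capture=False):
    """Single decision, single construction: pick the output once, build once.
    `spawn` is accepted for a matching signature but no longer decides whether
    the capture object exists."""
    events = []
    target = fifo_file or pcap_name        # named pipe wins, as in the elif chain
    pcap_obj = FakePCAP(target, full_capture, events) if target else None
    return summarize(pcap_obj, events)


if __name__ == "__main__":
    # Same flags as the report: -s (spawn) together with -f (full capture).
    args = dict(pcap_name="12.pcap", spawn=True, full_capture=True)
    for fn in (buggy_ssl_log, guarded_ssl_log, fixed_ssl_log):
        print(f"{fn.__name__:16} {fn(**args)}")
```

Run stand-alone it prints two `pcap_calls`/`tcpdump_starts` for the buggy variant and one for the other two; the difference between the guarded and fixed forms only shows up if the assumed spawn-path call site is ever removed, at which point the guarded variant has no capture object at all.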