One-Click Packet Capture

The one-click man-in-the-middle packet capture function automatically enables a global man-in-the-middle on your device. Unlike the tools you commonly use, you don’t need to worry about certificate installation or proxy settings, nor about different system versions requiring different packet capture methods: it works seamlessly on Android 6.0 through 14, because we’ve handled all of that for you, and you only need to focus on your specific business needs. It also supports real-time packet modification and interception, which makes it more suitable for actual business use than common GUI programs that only let you “take a look at packets.”

In addition, we can guarantee that there are no packets that cannot be captured (except where certificate pinning is used), and the capture success rate is higher than with conventional software methods. You can intercept an application’s HTTP/S traffic, and this can also include global DNS requests. The man-in-the-middle is applied and revoked automatically: after the script exits, the device and network return to their original state, and you don’t need to change any other settings. The script also supports international man-in-the-middle packet capture (implemented through upstream proxies), so you can easily capture the traffic of foreign software.

Attention

Regardless of your system type, before starting packet capture, please temporarily turn off your network firewall completely so that the setup completes correctly in one go.

Preparation

First, ensure that your computer and the device are on the same network segment, or are connected over USB. We’ll assume 192.168.0.2 is the IP address of the phone running FIRERPA. Second, make sure you have cloned the project tool code and installed the relevant dependencies, and verify that mitmproxy has been installed successfully (you can check by entering mitmdump on the command line).

If you don’t have Python, or are not familiar with cloning and dependencies, you can download startmitm.exe from our release page. It is a packaged version of startmitm.py that runs without installing Python. It is a console program, and its command-line parameters are the same as those of startmitm.py (this file may be reported as a virus; decide for yourself whether to use it).

Basic Packet Capture

Hint

The application you’re capturing packets from may use SSL PINNING (certificate pinning) or the QUIC protocol, both of which affect packet capture. We automatically force QUIC to downgrade, but because of the possible fallback time the application may appear to have a very laggy network; please wait a moment. Applications with certificate pinning cannot be captured directly; you need to write frida scripts that bypass the SSL PINNING logic, which requires reverse engineering.

You can quickly perform packet capture using the following command. This is the simplest method of use.

python3 -u startmitm.py 192.168.0.2

Important

Please remember that after executing the startmitm command, you must completely close the app you want to capture packets from and reopen it. Closing the application from the task bar is not reliable. Use the API to close it, or manually run kill -9 on all PIDs belonging to the application; otherwise normal capturing will not be possible.

Press the key combination CONTROL + C once to exit packet capture. Please do not press it multiple times in succession.

Shared Packet Capture

If you want to analyze together with colleagues on your local network, execute the following command and have them open http://YourIPAddress:7890 in a browser; they will see the same packet capture page as you. Note that --web-host 0.0.0.0 makes the capture page reachable by anyone on that network.

python3 -u startmitm.py 192.168.0.2 --web-port 7890 --web-host 0.0.0.0

Specific Applications

If you need to intercept traffic from a specific application rather than system-wide traffic, append :packageName to the IP to capture only that application’s traffic. The following example intercepts traffic from com.some.package only.

python3 -u startmitm.py 192.168.0.2:com.some.package

Real-time Modification

You can modify application request and response data in real time. This function is based on mitmproxy event hooks, so you write hook scripts against the mitmproxy API. For how to write hook scripts, refer to the official mitmproxy documentation at docs.mitmproxy.org/stable/addons-examples and the sample code in mitmproxy/examples/contrib.

Assuming your hook script is http_flow_hook.py, apply the hook script as follows.

python3 -u startmitm.py 192.168.0.2 -s http_flow_hook.py
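A hook script for the -s option, added here as an example that is not part of FIRERPA or mitmproxy: it logs each request as one JSON line with credential headers redacted, flags cleartext HTTP and secrets passed in query strings, and tags responses from a watched host so they stand out in the capture page. The module-level request()/response() functions are mitmproxy’s documented event hooks; api.example.com and the header/host lists are assumptions for illustration, and the helpers only touch attributes of mitmproxy’s HTTPFlow, so the module also loads without mitmproxy installed.

```python
import json
import re

# Hypothetical policy for this example: header values that must never be
# written to the capture log.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
# Hypothetical host whose responses get a marker header so they stand out
# in the shared web UI (--web-port).
WATCHED_HOSTS = {"api.example.com"}


def redact_headers(headers):
    """Copy headers into a plain dict, masking sensitive values."""
    return {name: ("<redacted>" if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}


def classify_request(scheme, path):
    """Flag what a reviewer wants to see: plaintext HTTP, and credentials sent
    as query parameters (those end up in server and proxy logs)."""
    findings = []
    if scheme == "http":
        findings.append("cleartext-http")
    if re.search(r"[?&](token|password|passwd|api_key)=", path, re.I):
        findings.append("secret-in-query")
    return findings


def request(flow):
    """mitmproxy event hook: runs once the client's request is complete."""
    req = flow.request
    record = {
        "method": req.method,
        "url": f"{req.scheme}://{req.pretty_host}{req.path}",
        "headers": redact_headers(req.headers),
        "findings": classify_request(req.scheme, req.path),
    }
    flow.metadata["findings"] = record["findings"]  # hand over to response()
    print(json.dumps(record), flush=True)           # one JSON line per request
    return record


def response(flow):
    """mitmproxy event hook: runs before the response is sent to the app."""
    if flow.request.pretty_host in WATCHED_HOSTS:
        tags = ",".join(flow.metadata.get("findings", [])) or "none"
        flow.response.headers["X-Capture-Findings"] = tags
    return dict(flow.response.headers)
```

Save it as http_flow_hook.py and pass it with -s as shown above; the JSON lines appear in the startmitm console.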

Different Networks

If your phone and current computer are not on the same network, but you can physically access the device, you can also perform packet capture via USB ADB. You need to ensure that the current device is connected to the computer via USB ADB and has been properly authorized.

If the computer is connected to only one ADB device, use the following command, where localhost means “use the ADB device.”

python3 -u startmitm.py localhost

If the computer is connected to multiple ADB devices, you need to specify the adb serial number. Look for it in the output of the adb devices command.

python3 -u startmitm.py localhost --serial bfde362

If your environment is more restrictive, for example the phone and your computer are not on the same network and you cannot physically access the device, you can still perform man-in-the-middle as long as you can reach the FIRERPA port. This typically happens when you have used the built-in frp service to forward FIRERPA to a remote server, or have forwarded FIRERPA’s port 65000 somewhere by other means. In this case, that single port is the only channel between you and FIRERPA: no other ports are mutually reachable, the phone cannot access any port on the local machine, and the local machine can only access the phone’s FIRERPA port (or the phone has a public IP while the local machine is on an internal network). This requires the following approach. (OpenVPN network interconnection does not fall into this situation.)

In this case, use the following combination. First, use adb_pubkey.py, or call the interface yourself, to install your ADB public key on the device. Then continue with the steps below, where x.x.x.x is the IP that can reach port 65000, or 127.0.0.1; adjust it to your actual situation.

adb connect x.x.x.x:65000

Finally, operate according to the USB packet capture method above.

python3 -u startmitm.py localhost

Or like this, where the serial is the address used with adb connect, not the hexadecimal serial number.

python3 -u startmitm.py localhost --serial x.x.x.x:65000

Upstream Proxy/International Packet Capture

startmitm itself starts mitmproxy as the proxy service. By default, mitmproxy sends all traffic out through the local machine’s network interface. If you need the traffic to leave through an upstream proxy instead of the local machine, specify one as follows. Only HTTP proxies are supported as upstream proxies. DNS traffic also goes through the upstream proxy, but this requires specifying an upstream DOH DNS server. Using this mode also enables DNS packet capture.

Tip

Upstream proxy mode requires mitmproxy version >= 9.0.0 (and Python>=3.9).

DOH refers to DNS-over-HTTPS. Recommended DNS options include the following; choose based on your situation.

Region          DNS Provider     DOH Address
International   Cloudflare DNS   https://1.1.1.1/dns-query
International   Google DNS       https://dns.google/dns-query
China           AliDNS           https://dns.alidns.com/dns-query

Because DNS resolution goes over DOH, some DNS pollution issues no longer arise. You can also use this mode for international packet capture. For example, the following command captures international traffic through port 7890 of the locally running clash software.

python3 -u startmitm.py 192.168.0.2 --upstream http://127.0.0.1:7890 --dns https://dns.google/dns-query

When using upstream mode with a proxy located in China, it is recommended to set the DNS to AliDNS.

python3 -u startmitm.py 192.168.0.2 --upstream http://x.x.x.x:8080 --dns https://dns.alidns.com/dns-query

If the upstream HTTP proxy requires login authentication, please use the following command and replace USER:PASSWORD.

python3 -u startmitm.py 192.168.0.2 --upstream http://USER:PASSWORD@x.x.x.x:8080 --dns https://dns.alidns.com/dns-query

DNS Packet Capture

This feature lets you conveniently capture DNS traffic. Enabling DNS packet capture also enables regular packet capture, so you can intercept the application’s DNS queries as well. The following command starts DNS packet capture and specifies 114.114.114.114 as the upstream DNS.

Tip

Upstream proxy mode requires mitmproxy version >= 9.0.0 (and Python>=3.9).

python3 -u startmitm.py 192.168.0.2 --dns 114.114.114.114

To start DNS packet capture with an upstream DNS that uses a non-standard port such as 5353:

python3 -u startmitm.py 192.168.0.2 --dns 192.168.0.100:5353