One-Click Packet Capture

The one-click man-in-the-middle (MITM) packet capture feature automatically enables global MITM on your device. Unlike common tools you may be familiar with, you don’t need to worry about certificate installation or proxy configuration, nor do you need to handle differences across various Android versions. It works seamlessly across Android 6.0 to 14 — we’ve taken care of everything for you, so you can focus solely on your business logic.

Additionally, it supports real-time packet modification and interception, making it more suitable than typical GUI-based tools for actual business use cases — not just “capturing packets for inspection.”

Moreover, we guarantee that all traffic can be captured (except where certificate pinning is involved), and the capture success rate is higher than with conventional software methods. You can intercept HTTP/HTTPS traffic from apps. The tool applies and removes the MITM setup automatically: once you exit the script, both the device and the network revert to their original state without any additional configuration. The script also supports international packet capture (via an upstream proxy), making it easy to capture traffic from foreign applications.

Attention

Regardless of your operating system, please temporarily disable your firewall completely before starting packet capture to ensure a smooth and error-free process.

Prerequisites

First, ensure your computer and device are on the same network segment, or have USB connectivity. For the following examples, we assume 192.168.0.2 is the IP address of the mobile device running FIRERPA. Next, make sure you have successfully cloned the project repository and installed all required dependencies. Verify that mitmproxy is correctly installed by running mitmdump in your terminal.

If you don’t have Python or are unfamiliar with cloning repositories and managing dependencies, you can download startmitm.exe from our release page. This is a packaged version of startmitm.py, allowing you to perform packet capture without installing Python. It’s a console application with command-line arguments identical to startmitm.py. (Note: This file may trigger antivirus alerts; please decide whether to use it at your discretion.)

Basic Packet Capture

Hint

The app you’re trying to capture might employ SSL PINNING (certificate pinning) or use the QUIC protocol, either of which could affect capture results. We automatically force QUIC downgrade, but due to potential fallback delays, the app may exhibit extremely slow network performance initially — please wait a moment. Apps with certificate pinning cannot be captured directly and require Frida scripts (developed via reverse engineering) to bypass SSL pinning logic.

You can quickly start packet capture using the following command — this is the simplest usage method:

python3 -u startmitm.py 192.168.0.2

Important

After executing the startmitm command, always fully close and restart the target app. Simply swiping it away from the task bar is unreliable. Use API calls or manually execute kill -9 on all PIDs associated with the app; otherwise, packet capture may fail.

Press CONTROL + C once to stop the capture. Avoid pressing it several times in a row.

Shared Packet Capture

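If you’d like to collaborate with others on your local network, run the following command, then have your teammates open http://your-ip-address:7890 in their browsers to view the same live packet capture interface, so you can analyze traffic together in real time. The --web-host 0.0.0.0 option makes the interface listen on all of your machine’s network interfaces, which is what lets other hosts on the network connect to it.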

python3 -u startmitm.py 192.168.0.2 --web-port 7890 --web-host 0.0.0.0

Targeted App Capture

To capture traffic from a specific app instead of all system-wide traffic, append :package_name after the IP address. The example below captures only traffic from com.some.package.

python3 -u startmitm.py 192.168.0.2:com.some.package

Real-Time Modification

You can modify request and response data in real time using mitmproxy’s event hooks. You’ll need to write custom hook scripts based on mitmproxy’s API. For guidance on writing such scripts, refer to the official mitmproxy documentation: docs.mitmproxy.org/stable/addons-examples and example code at mitmproxy/examples/contrib.

Assuming your hook script is named http_flow_hook.py, apply it as follows:

python3 -u startmitm.py 192.168.0.2 -s http_flow_hook.py
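
A hook script of the kind described above, as an added example rather than code from the FIRERPA project: it uses mitmproxy's module-level request and response event hooks to tag requests to one host and override fields in that host's JSON responses. The host name, header name, session tag and overridden field are hypothetical.

```python
# http_flow_hook.py - added example; TARGET_HOST, SESSION_TAG and OVERRIDES
# are hypothetical values, not taken from the FIRERPA project.
import json

TARGET_HOST = "api.example.test"      # hypothetical backend of the app under test
SESSION_TAG = "lab-01"                # hypothetical marker for this capture run
OVERRIDES = {"maintenance": True}     # hypothetical top-level JSON fields to force


def patch_json(body, overrides):
    """Return body with top-level keys overridden.

    Anything that is not a JSON object (HTML, empty or missing bodies,
    JSON arrays) is returned unchanged so the app still gets a valid reply.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return body
    if not isinstance(data, dict):
        return body
    data.update(overrides)
    return json.dumps(data, separators=(",", ":"))


def request(flow):
    """mitmproxy event hook: runs once the full client request has been read."""
    if flow.request.pretty_host != TARGET_HOST:
        return  # leave all other traffic untouched
    # Tag the request so server-side logs can be matched to this capture run.
    flow.request.headers["X-Capture-Session"] = SESSION_TAG


def response(flow):
    """mitmproxy event hook: runs once the full server response has been read."""
    if flow.request.pretty_host != TARGET_HOST:
        return
    ctype = flow.response.headers.get("content-type", "")
    if "json" not in ctype.lower():
        return
    original = flow.response.text     # decoded body; None if no body is available
    patched = patch_json(original, OVERRIDES)
    if patched != original:
        flow.response.text = patched  # mitmproxy re-encodes the new body
```

Save it as http_flow_hook.py and pass it with -s as in the command above.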

Different Networks

If your phone and computer are not on the same network but you can physically access the device, you can still perform packet capture via USB ADB. Ensure the device is connected via USB ADB and properly authorized.

If only one ADB device is connected, use the following command, where localhost indicates using the ADB-connected device:

python3 -u startmitm.py localhost

If multiple ADB devices are connected, specify the device serial number obtained from adb devices:

python3 -u startmitm.py localhost --serial bfde362

In more constrained environments — when the phone and computer are neither on the same network nor physically accessible, but you can still reach the FIRERPA port — MITM is still possible. This typically occurs when you’ve used an embedded frp service to forward FIRERPA to a remote server, or manually forwarded FIRERPA’s port 65000 somewhere. In such cases, communication between you and FIRERPA is limited to this single port; other ports are inaccessible. Here, the phone cannot access any local ports, and the computer can only access the phone’s FIRERPA port (or the phone has a public IP while the computer is behind NAT). Use the method below in such scenarios. (Note: OpenVPN-based network bridging does not fall into this category.)

Use the following combined approach: First, use adb_pubkey.py or call the relevant API to install your ADB public key onto the device. After installation, proceed with the steps below. Replace x.x.x.x with the IP address that can reach port 65000, or use 127.0.0.1 as appropriate.

adb connect x.x.x.x:65000

Then, proceed with USB-based packet capture as described earlier:

python3 -u startmitm.py localhost

Or use this alternative format, where serial refers to the adb connect address rather than the hexadecimal serial number:

python3 -u startmitm.py localhost --serial x.x.x.x:65000

Upstream Proxy / International Packet Capture

By default, startmitm launches mitmproxy as a local proxy, routing traffic through your machine’s network interface. If you want traffic to go through an upstream proxy instead of your local connection, specify the upstream proxy using the command below. Only HTTP proxies are supported as upstream proxies. Additionally, specify a DNS resolver supporting TCP queries to avoid DNS pollution.

Tip

Upstream proxy mode requires mitmproxy version >= 9.0.0 (and Python >= 3.9).

python3 -u startmitm.py 192.168.0.2 --upstream http://127.0.0.1:7890 --proxy-dns 8.8.8.8

If your upstream HTTP proxy requires authentication, use the format below and replace USER:PASSWORD accordingly:

python3 -u startmitm.py 192.168.0.2 --upstream http://USER:PASSWORD@x.x.x.x:8080 --proxy-dns 8.8.8.8

Both commands above route device traffic through the specified upstream proxy and forward all local DNS queries via the proxy to 8.8.8.8.