One‑Click Man‑in‑the‑Middle Packet Capture

The one‑click man‑in‑the‑middle packet capture feature can automatically enable global MITM interception on the device. Compared with other common tools, you don’t need to worry about installing the MITM certificate or setting up a proxy, nor about differences in method due to various system versions. It adapts to multiple Android versions, and we’ve taken care of everything for you. It also supports real‑time packet modification and interception.

Additionally, the success rate is higher than with typical software. You can intercept the app’s HTTP/HTTPS traffic. The script automatically enables and disables the MITM interception; after exiting the script, the device and network immediately return to their original state without any extra configuration. The script also supports international MITM capture and can specify an upstream proxy, making it easy to capture traffic from overseas apps.

Attention

Regardless of which operating system you are using, to ensure success on the first attempt, temporarily and completely disable your network firewall before starting packet capture.

Preparation

First, make sure that the computer and the device are on the same network segment or are connected via USB. In the following steps we assume that the IP of the mobile device running FIRERPA is 192.168.0.2. Next, confirm that you have correctly completed tool preparation on the PC, and verify that mitmproxy is installed and working (you can run mitmdump in the terminal to check).

If you don’t have a Python environment and are not familiar with cloning and dependency management, you can download startmitm.exe from our release page. This is a packaged version of startmitm.py that allows you to perform packet capture without installing Python. It is a console program, and its command arguments are identical to those of startmitm.py (this file may be flagged by antivirus software; decide for yourself whether to use it).

Basic Packet Capture

Hint

The app you are capturing may use SSL PINNING (certificate pinning) or the QUIC protocol, either of which can affect packet capture results. We will automatically force QUIC downgrade, but due to the fallback handshake time, the app may briefly freeze; please wait a moment. If the app uses certificate pinning, direct packet capture is not possible; you will need to combine reverse engineering and write a Frida script to bypass the SSL PINNING logic.

You can quickly start packet capture with the following command.

python3 -u startmitm.py 192.168.0.2

You only need to press Ctrl+C once to exit packet capture.

Shared Packet Capture

If you want to analyze traffic together with colleagues on the same local network, run the following command, then have them visit http://<your-IP>:7890 in their browser to see the same capture interface as yours and analyze together easily.

python3 -u startmitm.py 192.168.0.2 --web-port 7890 --web-host 0.0.0.0

Specific Application

If you only need to intercept traffic from a specific application rather than system‑wide traffic, append :package_name to the IP address. The following example intercepts only the traffic of com.some.package.

python3 -u startmitm.py 192.168.0.2:com.some.package

Real‑Time Modification

You can modify the app’s request and response data in real time. This feature is implemented through mitmproxy’s event hooks. You need to write a hook script using mitmproxy’s API. For how to write hook scripts, refer to the mitmproxy official documentation docs.mitmproxy.org/stable/addons-examples and the example code mitmproxy/examples/contrib.

Assuming your hook script is named http_flow_hook.py, apply it with the following command.

python3 -u startmitm.py 192.168.0.2 -s http_flow_hook.py
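The script below is an added example of the kind of hook file the command above loads; it is not code shipped with FIRERPA or mitmproxy. mitmproxy calls its request() and response() functions with a flow object for every HTTP/HTTPS exchange it proxies; the host suffix, header names and JSON field are constructed assumptions, and the rewrite is left untouched for non-JSON or malformed bodies.

```python
# http_flow_hook.py: added example mitmproxy addon for startmitm.py -s.
# mitmproxy calls request() and response() with a flow object for every
# HTTP/HTTPS exchange it proxies. The host suffix, header list and JSON
# field below are constructed assumptions, not values from FIRERPA.
import json
import logging

log = logging.getLogger("http_flow_hook")

TARGET_HOST_SUFFIX = "api.example.com"           # assumed app backend
SENSITIVE_HEADERS = ("authorization", "cookie")  # masked in the log only
OVERRIDES = {"feature_enabled": True}            # assumed response field


def masked_headers(headers):
    """Copy of a header mapping with secret-bearing values masked for logging."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def rewrite_json(text, overrides):
    """Apply overrides to a JSON object body; return (new_text, changed).
    Non-object or malformed JSON is returned unchanged."""
    try:
        data = json.loads(text)
    except (TypeError, ValueError):
        return text, False
    if not isinstance(data, dict):
        return text, False
    changed = any(data.get(k) != v for k, v in overrides.items())
    data.update(overrides)
    return (json.dumps(data) if changed else text), changed


def request(flow):
    """mitmproxy hook: runs before the request is forwarded upstream."""
    if flow.request.pretty_host.endswith(TARGET_HOST_SUFFIX):
        log.info("%s %s headers=%s", flow.request.method,
                 flow.request.pretty_url, masked_headers(flow.request.headers))


def response(flow):
    """mitmproxy hook: runs before the response is returned to the device."""
    if not flow.request.pretty_host.endswith(TARGET_HOST_SUFFIX):
        return
    ctype = flow.response.headers.get("content-type", "")
    if "application/json" not in ctype:
        return
    new_text, changed = rewrite_json(flow.response.text, OVERRIDES)
    if changed:
        flow.response.text = new_text  # mitmproxy re-encodes and fixes Content-Length
        log.info("rewrote JSON response for %s", flow.request.pretty_url)
```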

Different Networks

If your phone and computer are not on the same network but you can physically access the device, you can also perform packet capture via USB ADB. Make sure the device is connected to the computer via USB ADB and properly authorized.

If the computer is connected to only one ADB device, run the following command; passing localhost tells the script to capture through that ADB device.

python3 -u startmitm.py localhost

If multiple ADB devices are connected, specify the device serial number, which can be obtained from the output of adb devices.

python3 -u startmitm.py localhost --serial bfde362

If your network environment is even more restrictive – for example, the phone and computer are neither on the same network nor physically accessible, but you can still reach the FIRERPA port – packet capture is still possible. A common scenario: forwarding FIRERPA through its built‑in frp service to a remote server, where only one port between you and FIRERPA can be directly connected and other ports cannot communicate. The phone cannot access any port on the local machine, and the local machine can only access the phone’s FIRERPA port. In such a case, use the following method.

First, use adb_pubkey.py or manually call the API to install your local ADB public key onto the device. After installation, run the following adb connect command, where x.x.x.x is the IP address from which the device's port 65000 can be reached. Adjust it to your actual situation.

adb connect x.x.x.x:65000

Then run the following command.

python3 -u startmitm.py localhost

If multiple ADB devices are connected, the --serial parameter can be used here too, but its value is the ADB connect address (e.g., x.x.x.x:65000), not the device serial number.

python3 -u startmitm.py localhost --serial x.x.x.x:65000

Upstream Proxy / International Packet Capture

startmitm itself launches mitmproxy as the proxy service. By default, all traffic is sent from the local network interface by mitmproxy. If you want traffic to go through an upstream proxy instead of directly from the local machine, you can specify an upstream proxy, but only upstream proxies using the HTTP protocol are supported. At the same time, you need to specify an upstream DNS that supports TCP queries to avoid DNS pollution.

python3 -u startmitm.py 192.168.0.2 --upstream http://127.0.0.1:7890 --proxy-dns 8.8.8.8

If the upstream HTTP proxy requires authentication, replace USER:PASSWORD with the correct credentials.

python3 -u startmitm.py 192.168.0.2 --upstream http://USER:PASSWORD@x.x.x.x:8080 --proxy-dns 8.8.8.8

In this way, the device’s traffic will be sent through the upstream proxy, and all DNS queries from the device will be forwarded through the proxy to 8.8.8.8.