PCAP Remote Tutorial

1. Overview
2. Capturing options
3. Remote capturing in Wireshark
4. Remote capturing in command line
5. Capturing traffic as .pcap file
6. Decrypting HTTPS/TLS traffic
7. Frequently Asked Questions (FAQ)

Links:
Video: Remote capturing in Wireshark
SSH private key

1. Overview

PCAP Remote is a non-root network sniffer app that allows you to debug and analyze Android traffic on your desktop PC using the app’s built-in SSH server, which is useful and often a must when developing mobile applications that use complex/custom network protocols. The traffic is captured using an Android OS feature called VpnService.

The app is primarily designed to be used in conjunction with Wireshark, which is the most famous tool for network troubleshooting, analysis, software and communications protocol development, and education. If you are not familiar with it, I’d recommend giving it a shot.

Although Wireshark is the tool that is recommended, other similar tools can also be used as captured packets are saved in the commonly used pcapng format.

Features:

1: Remote capturing using the built-in SSH server;
2: Supporting Wireshark sshdump tool;
3: Capturing traffic as .pcap file;
4: MITM (Man-in-the-middle) functionality, which allows you to decrypt traffic in Wireshark;
5: No root required.

Limitations:

#1: TLS 1.3 is not supported;
#2: The SSH server only supports IP v4 clients;
#3: Your PC and a device on which PCAP Remote is installed should be connected to the same WiFi (other configurations are not tested).

2. Capturing options

Remote mode – When enabled, the SSH server is run (for use with sshdump); when disabled, the traffic is captured as a .pcap file on the device storage.

Make HTTPS/TLS connections decryptable – When enabled, HTTPS/TLS connections can be decrypted in tools that support the pcapng decryption secrets block. Wireshark supports this feature starting from version 3.0. The implementation of this capturing option is similar to MITM (Man-in-the-middle) proxies like Squid. Additional details are provided in the “Decrypting HTTPS/TLS traffic” section.

Drop connections on SSH client – Since HTTPS/TLS data can only be decrypted when the whole SSL session is present in the captured data, it is often handy to drop all existing connections when a new SSH client connects to the server, so that every session is captured from its handshake onwards. There may be other use-cases.

3. Remote capturing in Wireshark

Video: Remote capturing in Wireshark

To start using Wireshark with PCAP Remote, make sure you have the sshdump component installed. On Linux machines it is installed by default; on Windows you have to enable it in the Setup Wizard. On Windows you could also download the portable version, which includes the needed component. If installing the component is not an option, please read the “Remote capturing in command line” section of the tutorial.

To start capturing, click on the “SSH remote capture: sshdump” line.

The “Remote SSH server address” and “Remote SSH server port” fields should be filled in with the same values as shown in the “SSH SERVER” section highlighted in the screenshot. If “Unknown. Please check Network interfaces (Menu->Network interfaces)” is rendered as the SSH server address, it means that your WiFi is not enabled/connected or PCAP Remote is not able to get the IP address of the interface. In the second case, you could try finding the address by reviewing the network interfaces on your device (Menu->Network interfaces). Unless you are using a custom configuration/emulator, the one that you need is the IPv4 “wlan” interface (something like 192.169.0.102).

Then, fill in the authentication details. As Wireshark does not allow you to save the password, it is easier to capture traffic if you specify the SSH private key. The key itself can be exported from PCAP Remote or downloaded here. Using the exported/downloaded key is not a must, since the server accepts any SSH key. If you prefer the user/password auth method, any user/password credentials are accepted. Keep in mind that, because any key or credentials are accepted, anyone who can reach the SSH port on the same WiFi network can connect and receive the captured traffic while capturing is running.

The app ignores any capturing options/commands, so there is no need to specify them.

That is it for configuring Wireshark: start capturing in PCAP Remote (the “Play” button) and click “Start” in the “sshdump” dialog (the dialog in which you entered the SSH server address and port). If everything is set up correctly, you should see the captured traffic.

If the following error is shown and you chose the user/password authentication method, make sure the password field is filled in.

4. Remote capturing in command line

To connect to PCAP Remote from a PC using the command line, you need an SSH client installed. Captured packets can be saved as a .pcap file or viewed in Wireshark on the fly. Make sure all the IPs/ports/paths in the commands below match your setup.

The SSH server address and port are shown in the “SSH SERVER” section highlighted in the screenshot. If “Unknown. Please check Network interfaces (Menu->Network interfaces)” is rendered as the SSH server address, it means that your WiFi is not enabled/connected or PCAP Remote is not able to get the IP address of the interface. In the second case, you could try finding the address by reviewing the network interfaces on your device (Menu->Network interfaces). Unless you are using a custom configuration/emulator, the one that you need is the IPv4 “wlan” interface (something like 192.169.0.102).

Before executing any of the commands below, make sure that you have started capturing in PCAP Remote.

Capturing packets as a .pcap file on Windows

PuTTY (https://www.putty.org/) has to be installed on your Windows machine.

 "C:\Program Files\PuTTY\plink.exe" -ssh user@192.168.0.100 -P 15432 -batch 'pcapremote' 1> "D:\captured_data.pcap"

Capturing packets in Wireshark on the fly on Windows

PuTTY (www.putty.org) and Wireshark (www.wireshark.org) have to be installed on your Windows machine.

 "C:\Program Files\PuTTY\plink.exe" -ssh user@192.168.0.100 -P 15432 -batch 'pcapremote' | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

Capturing packets as a .pcap file on Linux

 ssh user@192.168.0.100 -p 15432 'pcapremote' > test.pcap

Capturing packets in Wireshark on the fly on Linux

 ssh user@192.168.0.100 -p 15432 'pcapremote' | wireshark -k -i -

5. Capturing traffic as .pcap file

Disable the “Remote mode” capturing option and start capturing (the “Play” button). As soon as you stop capturing, you will be asked whether the captured packets should be saved as a .pcap file on the device storage.

6. Decrypting HTTPS/TLS traffic

The implementation of the feature is similar to MITM (Man-in-the-middle) proxies like Squid. All HTTPS/TLS connections are intercepted and their server certificates are replaced with one that PCAP Remote generates at runtime. Since the apps then use the certificate that PCAP Remote wants them to use, the traffic can be decrypted.

As captured packets are saved in the pcapng format, there is no need to explicitly specify any RSA keys in Wireshark: the decryption secrets are embedded in the capture file itself (the pcapng decryption secrets block mentioned in the “Capturing options” section). The version of Wireshark installed on your PC has to be 3.0+.
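Because decryption depends entirely on the secrets block travelling inside the pcapng file, it is worth checking a capture for that block before opening it in Wireshark, both for the “Make HTTPS/TLS connections decryptable” option described in section 2 and for this section. The following Python script is an added example, not code from the PCAP Remote project: it walks the pcapng block chain, validates the length fields, and reports whether a Decryption Secrets Block with TLS key-log data is present; it also refuses legacy .pcap files, which cannot carry secrets at all. The sample capture it builds is constructed inline (the CLIENT_RANDOM line is a dummy, and LINKTYPE_RAW is only an assumption about how VpnService packets are recorded; the check does not depend on it).

```python
"""Check whether a capture file carries embedded TLS decryption secrets.

Added example, not code from the PCAP Remote project. Run with a file path
to inspect a real capture, or without arguments to run on constructed samples."""
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
DSB_TYPE = 0x0000000A          # Decryption Secrets Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # SHB magic as read from a little-endian section
BYTE_ORDER_MAGIC_SWAPPED = 0x4D3C2B1A  # the same magic read from a big-endian section
TLS_KEYLOG_SECRETS = 0x544C534B  # "TLSK": NSS key-log format, the DSB secrets type Wireshark uses for TLS
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}  # legacy .pcap, both byte orders, usec/nsec
PCAPNG_FIRST_BYTES = b"\x0a\x0d\x0d\x0a"  # the SHB type reads the same in either byte order


def _pad4(data: bytes) -> bytes:
    """pcapng bodies are padded to a multiple of four bytes."""
    return data + b"\x00" * (-len(data) % 4)


def _block(block_type: int, body: bytes, endian: str) -> bytes:
    """Frame a body as a pcapng block: type, total length, body, total length."""
    body = _pad4(body)
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)


def build_sample_capture(with_secrets: bool, endian: str = "<") -> bytes:
    """Constructed minimal pcapng (SHB + IDB, optionally a DSB); no packets are needed for the demo."""
    shb_body = struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)  # magic, version 1.0, length unknown
    idb_body = struct.pack(endian + "HHI", 101, 0, 65535)  # LINKTYPE_RAW (assumed for VpnService IP packets), snaplen
    blocks = [_block(SHB_TYPE, shb_body, endian), _block(IDB_TYPE, idb_body, endian)]
    if with_secrets:
        # Dummy NSS key-log line, constructed for the demo; a real one holds the session's actual secret.
        keylog = b"CLIENT_RANDOM " + b"00" * 32 + b" " + b"11" * 48 + b"\n"
        dsb_body = struct.pack(endian + "II", TLS_KEYLOG_SECRETS, len(keylog)) + _pad4(keylog)
        blocks.append(_block(DSB_TYPE, dsb_body, endian))
    return b"".join(blocks)


def iter_blocks(data: bytes):
    """Yield (endian, block_type, body) for each block, validating the length fields as it goes."""
    endian, off = "<", 0
    while off + 12 <= len(data):
        block_type = struct.unpack_from(endian + "I", data, off)[0]
        if block_type == SHB_TYPE:  # a new section may switch byte order
            magic = struct.unpack_from("<I", data, off + 8)[0]
            if magic == BYTE_ORDER_MAGIC:
                endian = "<"
            elif magic == BYTE_ORDER_MAGIC_SWAPPED:
                endian = ">"
            else:
                raise ValueError(f"bad byte-order magic at offset {off}")
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"corrupt block length {total} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"block length trailer mismatch at offset {off}")
        yield endian, block_type, data[off + 8:off + total - 4]
        off += total


def tls_secrets(data: bytes) -> list:
    """Return the TLS key-log lines found in DSBs, or [] when the pcapng file carries none."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:
        raise ValueError("legacy .pcap file: this format cannot carry decryption secrets")
    if not data.startswith(PCAPNG_FIRST_BYTES):
        raise ValueError("not a pcapng file")
    lines = []
    for endian, block_type, body in iter_blocks(data):
        if block_type != DSB_TYPE:
            continue
        secrets_type, length = struct.unpack_from(endian + "II", body, 0)
        if secrets_type != TLS_KEYLOG_SECRETS:
            continue  # other secret kinds exist (e.g. WireGuard); only TLS matters for HTTPS
        payload = body[8:8 + length].decode("ascii", "replace")
        lines.extend(line for line in payload.splitlines() if line.strip())
    return lines


def summarize(data: bytes) -> str:
    """One-line verdict a practitioner can act on before opening the file in Wireshark."""
    try:
        secrets = tls_secrets(data)
    except ValueError as exc:
        return f"unusable for decryption: {exc}"
    if not secrets:
        return "pcapng without TLS secrets: Wireshark will show the HTTPS payload as ciphertext"
    return f"pcapng with {len(secrets)} TLS key-log line(s): Wireshark 3.0+ can decrypt"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python check_secrets.py capture.pcapng
        with open(sys.argv[1], "rb") as fh:
            print(summarize(fh.read()))
    else:
        for flag in (False, True):
            print(summarize(build_sample_capture(flag)))
```

A capture that comes back as “pcapng without TLS secrets” usually means the decryptable option was off, or the TLS sessions were not intercepted (see the FAQ entries on “CERTIFICATE UNKNOWN” and TLS 1.3); a file that the script rejects as legacy .pcap was saved in a format that simply cannot hold the secrets, so Wireshark would need keys supplied by hand.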

Android N+

Starting with Android Nougat (7.0), Google changed the network security policy: self-signed Certificate Authorities (CAs) are no longer trusted by apps’ secure connections by default. That means PCAP Remote is unable to intercept HTTPS/TLS packets unless a network security policy allowing that is set. More info on network security policies can be read here.

To get around the issue in your own app:

Add a network security configuration in AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                    ... >
        ...
    </application>
</manifest>

And add the following network_security_config.xml file in res/xml/:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

The easiest way to make a third-party app accept the MITM certificate is to decompile the app, add the network security policy config and compile it again, which is not covered in this tutorial.

7. Frequently Asked Questions (FAQ)

(1) 10.1.10.1/fd00:1:fd00:1:fd00:1:fd00:1 as the source address in captured packets
(2) “CERTIFICATE UNKNOWN” errors on the “SSL ERRORS” tab
(3) Does the app capture all the device traffic?
(4) “UNSUPPORTED PROTOCOL” errors on the “SSL ERRORS” tab
(5) “Unknown. Please check Network interfaces (Menu->Network interfaces)” as the SSH Server address
(6) Why do I have to enter the SSH password every time I restart the capturing in Wireshark?

(1) 10.1.10.1/fd00:1:fd00:1:fd00:1:fd00:1 as the source address in captured packets

PCAP Remote is based on an Android OS feature called VpnService. All traffic is redirected by the OS to a virtual interface called tun. The interface has 10.1.10.10/fd00:1:fd00:1:fd00:1:fd00:1 as its addresses.

(2) “CERTIFICATE UNKNOWN” errors on the “SSL ERRORS” tab

It usually happens when either the MITM certificate is not installed (Settings->SSL Certificate->Install) or the Android N+ security policy is not set. In rare cases, it could be because the app uses a custom certificate pinning implementation.

(3) Does the app capture all the device traffic?

The app captures as much as the OS redirects to it.

(4) “UNSUPPORTED PROTOCOL” errors on the “SSL ERRORS” tab

The app from which you are trying to capture traffic is probably using TLS 1.3, which is not supported yet.

(5) “Unknown. Please check Network interfaces (Menu->Network interfaces)” as the SSH Server address

It means that your WiFi is not enabled/connected or PCAP Remote is not able to get the IP address of the interface. In the second case, you could try finding the address by reviewing the network interfaces on your device (Menu->Network interfaces). Unless you are using a custom configuration/emulator, the one that you need is the IPv4 “wlan” interface (something like 192.169.0.102).

(6) Why do I have to enter the SSH password every time I restart the capturing in Wireshark?

Wireshark does not provide a way to save the password. It is easier to capture traffic if you specify the SSH private key. The key itself can be exported from PCAP Remote or downloaded here. Using the exported/downloaded key is not a must, since the server accepts any SSH key.