pcap mode failed on Android App while hex mode works fine #497

Closed
r0ysue opened this issue Feb 29, 2024 · 2 comments
Labels
invalid This doesn't seem right wontfix This will not be worked on

Comments


r0ysue commented Feb 29, 2024

Describe the bug
pcap mode fails to capture Android App traffic while hex mode works fine

To Reproduce

  1. install coolapk app
  2. try in different modes

Expected behavior
pcap mode should show the clear text in the save.pcapng file, but it is not found
hex mode works fine and finds all the clear text

Screenshots
Screenshot 2024-02-29 21:20:57
Screenshot 2024-02-29 21:25:49
save.pcapng.zip

Linux Server/Android (please complete the following information):

  • Env: [run make env to get the environment variables]
  • OS: latest android 14
  • Arch: Pixel 6 oriole
  • Kernel Version: 5.10.177-android13-4-00003
  • Version: ga7208022a7ea-ab10815828

Additional context
Add any other context about the problem here.

cfc4n (Member) commented Apr 14, 2024

I used the Android Studio emulator, and it seems to be running fine.

emu64a:/data/local/tmp # ./ecapture tls -p 6310 -m pcap -w 111.pcapng
2024/04/14 03:39:17 Your environment is like a container. We won't be able to detect the BTF configuration.
tls_2024/04/14 03:39:17 ECAPTURE :: ecapture Version : androidgki_aarch64:0.7.6-20240330-f1930dc:[CORE]
tls_2024/04/14 03:39:17 ECAPTURE :: Pid Info : 19764
tls_2024/04/14 03:39:17 ECAPTURE :: Kernel Info : 5.15.41
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	module initialization
tls_2024/04/14 03:39:17 ECAPTURE ::	Module.Run()
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	Pcapng MODEL
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	OpenSSL/BoringSSL version found, ro.build.version.release=13
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	HOOK type: 2, binrayPath: /apex/com.android.conscrypt/lib64/libssl.so
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	PcapFilter:
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	Ifname: wlan0, Ifindex: 16
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	Hook masterKey function: [SSL_in_init]
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	target PID:6310
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	target all users.
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	BPF bytecode filename:user/bytecode/boringssl_a_13_kern.o
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	saving pcapng file: /data/local/tmp/111.pcapng
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	perfEventReader created. mapSize:4 MB
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	perfEventReader created. mapSize:4 MB
tls_2024/04/14 03:39:17 EBPFProbeOPENSSL	module started successfully.
tls_2024/04/14 03:39:17 ECAPTURE :: 	start 1 modules
tls_2024/04/14 03:39:19 EBPFProbeOPENSSL	save pcapng success, count:1401
tls_2024/04/14 03:39:21 EBPFProbeOPENSSL	TLS1_2_VERSION: save CLIENT_RANDOM 1b10c325e39102d4f61cdce3fc53d72f0edac451653678ec7bdead64c3d7c391 to file success, 176 bytes
tls_2024/04/14 03:39:21 EBPFProbeOPENSSL	TLS1_2_VERSION: save CLIENT_RANDOM aada68773b012ddaba702e1fdfc61e099b1a18df0aaae71da286503143af41a3 to file success, 176 bytes
tls_2024/04/14 03:39:23 EBPFProbeOPENSSL	save pcapng success, count:415
tls_2024/04/14 03:39:25 EBPFProbeOPENSSL	save pcapng success, count:4
tls_2024/04/14 03:39:43 EBPFProbeOPENSSL	save pcapng success, count:1
tls_2024/04/14 03:39:45 EBPFProbeOPENSSL	save pcapng success, count:1
^Ctls_2024/04/14 03:39:55 EBPFProbeOPENSSL	close.
tls_2024/04/14 03:39:55 EBPFProbeOPENSSL	 save 1822 packets into pcapng file.
tls_2024/04/14 03:39:55 EBPFProbeOPENSSL	close
emu64a:/data/local/tmp # ps -ef|grep coolapk
u0_a172       6310   372 13 06:06:12 ?    00:43:49 com.coolapk.market
u0_a172       6336  6310 1 06:06:12 ?     00:02:44 com.coolapk.market
u0_a172       7055   372 0 06:06:23 ?     00:01:27 com.coolapk.market:xg_vip_service
u0_a172       7081  7055 0 06:06:23 ?     00:01:16 com.coolapk.market:xg_vip_service
root         19807  7708 3 11:40:00 pts/0 00:00:00 grep coolapk
emu64a:/data/local/tmp #

cfc4n (Member) commented Apr 14, 2024

There is a possibility that the TLS handshake and key exchange are completed before eCapture runs, so eCapture cannot capture the key.

Make sure eCapture is running before the program, like start ecapture first, without specifying the PID parameter, then start the process.
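As an added check (not eCapture's own code and not from this thread), assuming the captured keys are embedded in the pcapng as Decryption Secrets Blocks with the TLS key-log secrets type: the parser below counts packet blocks and CLIENT_RANDOM entries in a capture, so a file with many packets but zero secrets points at the late-start situation described above (handshake finished before eCapture hooked the process). The sample file it builds is constructed.

```python
import struct

SHB, IDB, EPB, DSB = 0x0A0D0D0A, 0x00000001, 0x00000006, 0x0000000A
TLS_KEYLOG = 0x544C534B  # secrets type "TLSK": NSS key-log text (CLIENT_RANDOM ...)

def _block(btype, body):
    """Wrap body as a little-endian pcapng block, padded to a 4-byte boundary."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_sample_pcapng(keylog_lines, packets=1):
    """Constructed sample: SHB, one IDB, `packets` tiny EPBs, one DSB with the key log."""
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += _block(IDB, struct.pack("<HHI", 1, 0, 65535))  # linktype 1, snaplen
    for i in range(packets):
        out += _block(EPB, struct.pack("<IIIII", 0, 0, i, 4, 4) + b"\xde\xad\xbe\xef")
    keylog = ("\n".join(keylog_lines) + "\n").encode()
    out += _block(DSB, struct.pack("<II", TLS_KEYLOG, len(keylog)) + keylog)
    return out

def count_secrets(data):
    """Walk the block chain; return (packet_blocks, CLIENT_RANDOM lines found in DSBs)."""
    end, off, packets, secrets = "<", 0, 0, 0
    while off + 12 <= len(data):
        btype, = struct.unpack_from("<I", data, off)  # SHB type is byte-order neutral
        if btype == SHB:  # the byte-order magic fixes endianness for this section
            end = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(end + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"corrupt or truncated block at offset {off}")
        if btype == EPB:
            packets += 1
        elif btype == DSB:
            stype, slen = struct.unpack_from(end + "II", data, off + 8)
            if stype == TLS_KEYLOG:
                text = data[off + 16:off + 16 + slen].decode("ascii", "replace")
                secrets += sum(1 for ln in text.splitlines() if ln.startswith("CLIENT_RANDOM "))
        off += blen
    return packets, secrets

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:  # e.g. the save.pcapng from the report
        pkts, keys = count_secrets(f.read())
    print(f"packet blocks: {pkts}, CLIENT_RANDOM secrets: {keys}")
```

Wireshark can decrypt only the sessions whose CLIENT_RANDOM appears in a DSB; zero secrets alongside non-zero packets is the signature of keys missed because the handshake predated the hook.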

cfc4n added the labels invalid (This doesn't seem right) and wontfix (This will not be worked on) and removed the bug (Something isn't working) label on Apr 14, 2024
cfc4n closed this as not planned (Won't fix, can't repro, duplicate, stale) on Apr 15, 2024