Rename PCAPdroid trailer to extensions

Document Pcapng support
Emanuele Faranda
2025-01-04 16:56:14 +01:00
committed by GitHub
parent 3c833f5a91
commit 0808a90ec9
+14 -3
@@ -70,9 +70,9 @@ Please note that the following limitations apply for this mode:
- If you apply an app filter, you may miss some DNS traffic generated by the [netd service](https://github.com/emanuele-f/PCAPdroid#what-is-the-netd-app)
- The UID of short-lived connections may be wrongly reported as unknown. When an app filter is set, this may result in some connections to be ignored by the filter. The reasons for this are explained in [this issue](https://github.com/emanuele-f/PCAPdroid/issues/194)
## 4.5 PCAPdroid Trailer
## 4.5 PCAPdroid Extensions
Since version 1.4.0, by enabling the `PCAPdroid Trailer` setting it is possible to add additional metadata to the exported packets. Such metadata includes the app name and UID of the originating process. This information can be processed by third-party monitoring tools e.g. Wireshark.
By enabling the `PCAPdroid extensions` option (called `PCAPdroid trailer` on older versions) it is possible to add additional metadata to the exported packets. Such metadata includes the app name and UID of the originating process. This information can be processed by third-party monitoring tools e.g. Wireshark.
By using the custom [pcapdroid.lua](https://github.com/emanuele-f/PCAPdroid/blob/master/tools/pcapdroid.lua) plugin, it is possible to interpret the metadata into Wireshark, displaying the metadata fields as columns and even apply them as a filter. The plugin should be placed into [the plugins directory](https://www.wireshark.org/docs/wsug_html_chunked/ChPluginFolders.html) or it can be manually loaded on the linux cli with `-X lua_script:tools/pcapdroid.lua`.
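Review bot: the rewritten opening sentence ("By enabling the `PCAPdroid extensions` option (called `PCAPdroid trailer` on older versions) ...") drops the "Since version 1.4.0" that the removed line carried, so the reader no longer learns in which release the metadata feature first appeared, and "older versions" is left unqualified. Keep the minimum version and, if known, name the release in which the setting was renamed, e.g. "(called `PCAPdroid trailer` before version N)"; that also helps users of the Wireshark plugin paragraph below, which still refers to the metadata as the trailer.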
@@ -80,7 +80,9 @@ By using the custom [pcapdroid.lua](https://github.com/emanuele-f/PCAPdroid/blob
<img src="./images/trailer_wireshark.png" width="600" />
</p>
When the trailer is enabled, a fake Ethernet header will be added to the packets to encapsulate both the PCAPdroid trailer and the original IP header and data. This makes it possible to recover the original capture data by simply skipping the Ethernet header and removing the Ethernet trailer. The Ethernet trailer is padded with zeros so that the PCAPdroid trailer starts on a 4-bytes boundary. Here is a description of the fields in the PCAPdroid trailer:
### PCAP Format
When dumping in the PCAP format, enabling the PCAPdroid extensions will add a fake Ethernet header to the packets, to encapsulate both the PCAPdroid trailer and the original IP header and data. This makes it possible to recover the original capture data by simply skipping the Ethernet header and removing the Ethernet trailer. The Ethernet trailer is padded with zeros so that the PCAPdroid trailer starts on a 4-bytes boundary. Here is a description of the fields in the PCAPdroid trailer:
| Offset | Size (Bytes) | Name | Type | Description |
|-------:|-------------:|---------|--------|----------------------------|
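Review bot: the new `### PCAP Format` paragraph says a fake Ethernet header is prepended to every packet but does not say which link-layer type the resulting PCAP file declares, which is exactly what a tool that "skips the Ethernet header" needs in order to parse the file; add one sentence stating the link type written when the extensions are enabled versus when they are not. Minor style point in the same sentence: "4-bytes boundary" should read "4-byte boundary".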
@@ -90,6 +92,15 @@ When the trailer is enabled, a fake Ethernet header will be added to the packets
The `appname` field contains the app package name truncated to 19 characters, which is useful to quickly spot an app without having to manually resolve it from the uid. The total per-packet overhead when the trailer is enabled is `14 B (Ethernet) + padding + 28 B (trailer) + 4 B (Ethernet FCS) = 46 B + padding`. The padding varies from 0 to 3 bytes.
### Pcapng Format
When dumping in the [Pcapng format](https://emanuele-f.github.io/PCAPdroid/paid_features#53-pcapng-format), the PCAPdroid metadata is added as [Pcapng custom blocks](https://www.ietf.org/archive/id/draft-tuexen-opsawg-pcapng-04.html#name-custom-block-2) with the [62652 PEN](https://www.iana.org/assignments/enterprise-numbers/?q=62652). In parcular:
- a `pcapng_pd_uid_map_block` is added for each seen app. It contains the UID, package name and app name
- a [comment option](https://www.ietf.org/archive/id/draft-tuexen-opsawg-pcapng-04.html#name-options-2) is added to the [Enhanced Packet Blocks](https://www.ietf.org/archive/id/draft-tuexen-opsawg-pcapng-04.html#name-enhanced-packet-block-2) for each packet, in the form "u-*uid*", where *uid* is the numeric UID value
This allows saving some space in the capture, as the app info is only stored once and can be retrieved via the UID. See [pcap_dump.h](https://github.com/emanuele-f/PCAPdroid/blob/master/app/src/main/jni/core/pcap_dump.h) and [pcapdroid.lua](https://github.com/emanuele-f/PCAPdroid/blob/master/tools/pcapdroid.lua) for more info.
## 4.6 Js Injector
The Js Injector, which is part of the PCAPdroid mitm addon, allows you to inject Javascript code into web pages. Scripts can be added from the mitm addon UI, by specifying the URL of the script to load.
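Review bot: typo in the new Pcapng paragraph, "In parcular" should be "In particular". The unchanged paragraph just above the new subsection still says "when the trailer is enabled" for the per-packet overhead; after this rename it should either say "when the extensions are enabled" or make explicit that "trailer" now refers only to the PCAP-format structure described in the table. The `pcapng_pd_uid_map_block` bullet lists what the block contains but defers its layout to pcap_dump.h, whereas the PCAP section documents its trailer with an offset/size/type table; give the custom block the same treatment (block type, PEN placement, field offsets and sizes) so the page is self-contained, and show the EPB comment as `u-<uid>` in code font rather than mixed italics. The three IETF links pin draft-04 of the pcapng draft; consider linking the datatracker page for the draft so the references do not go stale.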