PCAPdroid

PCAPdroid is an Android network traffic analyzer and packet capture tool that operates without requiring root access. It functions as a VPN-based firewall and network controller, capable of recording traffic in PCAPng format and blocking connections to specific domains or malicious hosts.

The project distinguishes itself through a proxy-based system for decrypting TLS traffic and routing device network traffic through SOCKS5 proxies or the Tor network. It further allows for the modification of live HTTP requests and responses via custom scripts.

Its capabilities cover application connection monitoring, DNS request analysis, and protocol payload inspection. The tool provides IP data enrichment using offline databases and supports exporting captured data to local files or remote servers for external analysis.

Features

Android Network Monitoring - Captures and analyzes network traffic specifically from Android applications without requiring root access.
Local-VPN Packet Processing - Captures and filters network traffic using a local VPN implementation to operate without root access.
Local Packet Captures - Intercepts network packets from system and user applications locally without requiring root access.
Pcapng File Exports - Saves network traffic in pcapng format, embedding decryption secrets for external analysis.
Traffic Captures - Writes captured network traffic directly to local files for offline analysis.
Packet Capture Engines - Ships a capture engine that can be controlled remotely via intents or command line instructions.
Packet Capture Utilities - Records network traffic in PCAPng format for deep offline analysis in external packet inspection tools.
Pcapng Serialization - Saves captured network packets and metadata in the standardized Pcapng binary format.
Protocol Payload Inspectors - Decodes HTTP messages and displays connection payloads as text or hexdumps.
SOCKS5 Proxy VPN Clients - Routes all device traffic through a SOCKS5 proxy by running a local VPN service.
Traffic Interception - Intercepts all device network traffic by creating a local VPN tunnel through a virtual interface.
Domain Name Blocking - Restricts internet access for specific apps or domains by blocking DNS resolution or connection attempts.
Traffic Decryption - Decrypts HTTPS traffic by acting as a man-in-the-middle with a custom certificate authority.
Transparent HTTPS Inspections - Implements a proxy-based system that transparently decrypts HTTPS traffic for inspection of mobile application communications.
Endpoint Identification - Extracts DNS queries, server names, and IP addresses to identify destination endpoints for applications.
Local Filtering Firewalls - Functions as a VPN-based firewall that blocks connections to malicious hosts or specific domains.
Application Connection Monitors - Tracks network activity from user and system applications to identify where data is transmitted.
DNS Query Monitoring - Inspects DNS queries, including encrypted requests, to track how domains are resolved.
PCAP File Exports - Dumps captured network traffic into PCAP files for deep packet analysis in external tools.
Traffic Data Export - Provides utilities to save captured network data to local files or stream it to remote receivers.
Intent-Based Command Dispatchers - Supports triggering capture operations and configuration changes via Android intents and ADB shell commands.
Traffic Routing Proxies - Redirects device network traffic through Tor or SOCKS5 proxies to anonymize identity and bypass restrictions.
Network Troubleshooting Tools - Diagnoses Android connectivity issues by monitoring DNS and using proxy-based packet inspection.
Offline IP Geolocation - Resolves remote IP addresses to geographic locations and autonomous system numbers using offline lookup tables.
Proxy Routing - Implements logic to route device network traffic through external proxy servers for decryption and modification.
Traffic Filtering Engines - Implements mechanisms to isolate specific network traffic based on configurable criteria for focused analysis.
Traffic Filters - Filters network traffic to hide irrelevant connections based on IP, host, protocol, or application.
Application Filters - Allows limiting network traffic capture to specific applications or lists of package names.
Production Traffic Modifications - Intercepts and modifies live HTTP request and response data using custom scripts.
Anonymity Network Routing - Routes device network traffic through the Tor network to anonymize the user's identity and location.
Malicious Host Detection - Identifies and blocks connections to known malicious domains by cross-referencing traffic with third-party blacklists.
Malicious String Heuristics - Identifies connections to malicious servers by comparing live traffic patterns against threat intelligence.
Malware Analysis - Identifies connections to malicious hosts and analyzes data exfiltration patterns for mobile malware analysis.
Mobile App Security Auditing - Provides capabilities for decrypting TLS and inspecting HTTP requests to audit mobile applications for vulnerabilities.
Traffic Interception and Modification - Intercepts and modifies live HTTP requests and responses using custom scripts during network capture.
Developer Tools - Network traffic analysis and packet capture tool for Android.
Mobile Device Management and Utilities - Network monitor and packet dumper for non-rooted Android devices.
System Utilities - Network traffic analysis and monitoring.
Traffic Capture Frameworks - Android-based network traffic monitoring and export tool.

requestly/requestly

6,341View on GitHub

arkime/arkime

7,399View on GitHub

Arkime is a distributed packet analysis platform and full packet capture system designed for recording raw network traffic, indexing metadata, and performing network forensics. It functions as a network traffic indexer and security tool that enables the monitoring, querying, and browsing of large-scale network traffic across multi-cluster architectures. The platform distinguishes itself through its ability to manage distributed capture clusters from a centralized administrative dashboard. It integrates external data feeds with internal traffic logs to identify known threats and provides a pro

imsnif/bandwhich

11,826View on GitHub

bandwhich is a command-line network utility and terminal bandwidth monitor designed for real-time traffic analysis. It functions as a process-based traffic tracker that links network bandwidth usage directly to the system processes and remote hosts responsible for the data transfer. The tool provides a terminal user interface for monitoring active connections and identifying data-consuming applications. It performs background reverse DNS lookups to associate remote IP addresses with human-readable hostnames and tracks cumulative data utilization over the duration of a capture session. Its br

aol/moloch

7,399View on GitHub

Moloch is a full packet capture system and network forensics platform designed for large scale network traffic recording and indexing. It functions as a distributed packet indexer that stores raw data in PCAP format for deep packet analysis and security investigations. The system distinguishes itself through a decentralized architecture that distributes capture and viewing components across multiple nodes to handle high volumes of network traffic. It utilizes a web-based management interface for browsing network sessions and provides a programmable API for exporting captured traffic and metad

emanuele-fPCAPdroid

Features

Open-source alternatives to PCAPdroid

requestly/requestly

arkime/arkime

imsnif/bandwhich

aol/moloch

Star history

Open-source alternatives to PCAPdroid

requestly/requestly

arkime/arkime

imsnif/bandwhich

aol/moloch