
Feature request: show outgoing traffic filtered out by the AFWall app.

Open ioctl-user opened this issue 2 years ago • 17 comments

I have the following situation: My phone is rooted, AFWall+ app is installed, and a lot of apps have disabled network connection. Sometimes mobile phone status bar shows heavy outgoing traffic, but PCAPdroid doesn't catch it. My router WEB-interface also doesn't show it. So, I think that the phone status bar shows traffic before AFWall iptables, while PCAPdroid shows traffic after iptables.

I would like to see which app has outgoing traffic without disabling AFWall. So, it would be nice to have such a possibility in PCAPdroid, if possible.

ioctl-user avatar Dec 24 '23 11:12 ioctl-user

My router WEB-interface also doesn't show it.

Install OpenWrt or DD-WRT on the router

Sometimes mobile phone status bar shows heavy outgoing traffic

It doesn't mean anything. It's necessary to conduct a specific traffic analysis on the external gateway. For example, on a router.

I would like to see which app has outgoing traffic without disabling AFWall. So, it would be nice to have such a possibility in PCAPdroid, if possible.

PCAPdroid already has a root monitor

anpic avatar Dec 24 '23 15:12 anpic

So, I think that the phone status bar shows traffic before AFWall iptables, while PCAPdroid shows traffic after iptables.

Most likely it is. This means that the traffic is successfully blocked. And the issue to add a firewall in root mode has been around for a long time: https://github.com/emanuele-f/PCAPdroid/issues/203

anpic avatar Dec 24 '23 15:12 anpic

Sometimes mobile phone status bar shows heavy outgoing traffic, but PCAPdroid doesn't catch it

If the traffic is blocked early, PCAPdroid in non-root mode won't see it. To see it, you just need to run PCAPdroid with the root capture enabled

emanuele-f avatar Dec 24 '23 18:12 emanuele-f

To see it, you just need to run PCAPdroid with the root capture enabled

It won't show anyway, if AFWall blocks earlier.

anpic avatar Dec 24 '23 20:12 anpic

Router web interface doesn't show traffic because there is no traffic via router :)

PCAPdroid works in the root mode in my case.

ioctl-user avatar Dec 25 '23 09:12 ioctl-user

Could you please note, why this request was closed?

ioctl-user avatar Dec 25 '23 12:12 ioctl-user

You said root capture in PCAPdroid worked for your need, right? Is there anything else you want to discuss?

emanuele-f avatar Dec 25 '23 12:12 emanuele-f

Just reread my messages and it seems they need clarification. Sorry for the misunderstanding.

So, phone is rooted and root capture of PCAPdroid is turned on. AFwall is also turned on.

PCAPdroid doesn't capture packets killed by AFwall. Because, it seems, AFwall kills outgoing packets before they were captured by PCAPdroid.

This seems to be a problem.

ioctl-user avatar Dec 25 '23 14:12 ioctl-user

Could you please note, why this request was closed?

In fact, the topic could really be continued :) In networklog there were several modes of operation: in front of the firewall and behind the firewall. It has implemented cool statistics, but they don't seem to be needed here ;)

anpic avatar Dec 25 '23 14:12 anpic

PCAPdroid doesn't capture packets killed by AFwall. Because, it seems, AFwall kills outgoing packets before they were captured by PCAPdroid.

My bad, in root mode PCAPdroid captures the packets via libpcap, just before they reach the network interface (so after the iptables logic is applied).

Here are some ideas which could help, however none of them seems well suited for your use case:

  • #385 could provide a partial solution to this, showing them while they are still in progress via /proc/net, although not optimal
  • Doing a step back, in theory iptables has counters for packets/bytes matching rules (e.g. iptables -L -v), but I'm not sure that these are enabled in Android. This could be something to evaluate in afwall, to have some kind of rule stats
  • Another possibility would be to use a VPN interface and block traffic on the internet interface. E.g. running two PCAPdroid instances, one in non-root and the other in root mode, listening on the tun interface. This way you could monitor traffic before it's being blocked, but you lose the ability to recognize the source app, as the packets would all be generated by PCAPdroid

Related: #111

emanuele-f avatar Dec 25 '23 14:12 emanuele-f
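
The /proc/net idea from the comment above, as an added example that is not PCAPdroid code and not part of the thread: it parses `/proc/net/tcp` text and lists, per UID, the sockets still in SYN_SENT, which is how a silently dropped outgoing connection looks while the app keeps retrying. The sample rows are constructed, only IPv4 entries are handled, and the address decoding assumes a little-endian CPU.

```python
import ipaddress
from collections import defaultdict

TCP_SYN_SENT = 0x02  # "st" value of a socket whose SYN has not been answered

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111
   1: 0F02000A:C350 22D8B85D:01BB 02 00000001:00000000 01:00000064 00000003 10123        0 2222
   2: 0F02000A:C352 0101A8C0:0050 01 00000000:00000000 00:00000000 00000000 10087        0 3333
   3: 0F02000A:C354 22D8B85D:01BB 02 00000001:00000000 01:00000190 00000005 10123        0 4444
"""


def decode_endpoint(field):
    """Turn 'AABBCCDD:PPPP' into (dotted IPv4, port); the address is little-endian hex."""
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
    return str(addr), int(port_hex, 16)


def pending_connects(proc_net_tcp):
    """Map UID -> [(remote ip, remote port, retransmits)] for sockets in SYN_SENT."""
    by_uid = defaultdict(list)
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10 or len(f[2]) != 13:          # short row, or not an IPv4 entry
            continue
        if int(f[3], 16) != TCP_SYN_SENT:
            continue
        ip, port = decode_endpoint(f[2])
        by_uid[int(f[7])].append((ip, port, int(f[6], 16)))
    return dict(by_uid)


if __name__ == "__main__":
    for uid, conns in pending_connects(SAMPLE).items():
        for ip, port, retrans in conns:
            print(f"uid {uid}: SYN to {ip}:{port} unanswered, {retrans} retransmits")
```

A rule that answers with REJECT fails the connect immediately, so such attempts are visible here only briefly, which matches the "not optimal" remark in the comment.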

E.g. running two PCAPdroid instances, one in non-root and the other in root mode

The problem with this variant may also be that the only VpnService may be needed for the external VPN connection itself. Of course, there is a variant with work profiles, but this requires additional actions and skills.

  • Doing a step back, in theory iptables has counters for packets/bytes matching rules (e.g. iptables -L -v), but I'm not sure that these are enabled in Android. This could be something to evaluate in afwall, to have some kind of rule stats

This is a very good variant. For example, through /data/data/dev.ukanth.ufirewall/app_bin/nflog. Just not for dumb users at all ;) But then firewalls aren't needed, but can do everything with scripts :)

anpic avatar Dec 25 '23 15:12 anpic
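
The rule-counter idea discussed in the last two comments, as an added example that is not code from PCAPdroid, AFWall+ or the thread: it reads `iptables -L -v -n -x` output and totals the packet and byte counters of DROP/REJECT rules per owner UID. The chain name `fw-example`, the UIDs and the interface names in the sample are constructed; whether a given firewall's rule set contains per-UID blocking rules, and whether counters are kept on a given device, is an assumption the thread leaves open.

```python
import re
from collections import defaultdict

BLOCKING_TARGETS = {"DROP", "REJECT"}
OWNER_RE = re.compile(r"owner UID match (\d+)")

# Constructed sample of `iptables -L -v -n -x` output; the chain name, UIDs and
# interfaces are made up for illustration and are not AFWall+'s real rule set.
SAMPLE = """\
Chain OUTPUT (policy ACCEPT 120 packets, 9000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     530    61234 fw-example  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw-example (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     400    52000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10087
      96     5760 REJECT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            owner UID match 10123 reject-with icmp-port-unreachable
      30     1800 DROP       all  --  *      rmnet0  0.0.0.0/0            0.0.0.0/0            owner UID match 10123
       4      240 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""


def blocked_by_uid(listing):
    """Sum packet/byte counters of DROP/REJECT rules per owner UID.

    Rules without an owner match are grouped under None. Returns
    [(uid, packets, bytes)] sorted by packets, highest first.
    """
    totals = defaultdict(lambda: [0, 0])
    for line in listing.splitlines():
        f = line.split()
        # Rule rows start with two exact counters (needs -x); skip headers and blanks.
        if len(f) < 3 or not (f[0].isdigit() and f[1].isdigit()):
            continue
        if f[2] not in BLOCKING_TARGETS:
            continue
        m = OWNER_RE.search(line)
        uid = int(m.group(1)) if m else None
        totals[uid][0] += int(f[0])
        totals[uid][1] += int(f[1])
    rows = [(uid, pkts, nbytes) for uid, (pkts, nbytes) in totals.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for uid, pkts, nbytes in blocked_by_uid(SAMPLE):
        who = f"uid {uid}" if uid is not None else "no owner match"
        print(f"{who}: {pkts} packets / {nbytes} bytes blocked")
```

Taking two listings a few seconds apart and subtracting the totals shows which UID is generating blocked traffic right now rather than since the rules were loaded.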