
Only supporting IPv4/6 Error

Open dreyes15 opened this issue 9 months ago • 6 comments

I am looking to analyze an application on Android v14 "UpsideDownCake" and am consistently receiving an "Only supporting IPv4/6" error.

The following screenshots show an example of the output and the commands I am running.

[Screenshot 2024-05-02 at 10 56 35 AM]
[Screenshot 2024-05-02 at 11 54 22 AM]

Any help will be appreciated.

dreyes15, May 02 '24 15:05

Not sure if it will help in your case, but in my case, where I just wanted to log SSL keys, I just commented out that line and moved on; it worked just fine 🙈

raphaelts3, May 21 '24 12:05

Yeah, I think I might do that. My initial goal was to use the -p flag just to sanity check the traffic that was being collected. The default might be to just return 0.0.0.0 if friTap can't get the IP?

dreyes15, May 24 '24 13:05

Hm, good question. I didn't end up using anything besides SSL key logs, to then import the keys into Wireshark and get the whole dumps from there. Just to share a bit more of my setup: basically I'm using Wireshark hooked into my wired Ethernet connection and I'm sharing that same connection through Wi-Fi to my phones. That way all the traffic has to pass through Wireshark and I can just see them with the keys I've exported using friTap.

raphaelts3, May 24 '24 13:05

Gotcha. If you are using tcpdump on the phone, are you getting only app traffic, or are you getting everything and filtering the traffic from the app?

dreyes15, May 24 '24 18:05

I'm getting everything, because I'm using Wireshark directly on the local network, so everything from my PC and phone shows up there. Still in Wireshark, I then filter by hostname (from the TLS handshake) and from there by IPs; that way I can mainly see what the app is sending. I guess this approach is more tricky if you're not trying to see HTTP/TLS and/or you don't know what the app is using. Anyway, that's mainly how I'm operating right now, I hope it helps!

raphaelts3, May 24 '24 19:05

Hi,

Thanks for reporting this issue. We are currently working on solving it. Actually, when friTap is unable to get the IP from a socket, it won't capture its traffic.

For now you have two possibilities. The first is to ignore this and let friTap use default socket values:

fritap -m --enable_default_fd --spawn -p <pcap_name.pcap> <target package>

The recommended solution would be to run friTap in full packet capture mode and extract the TLS keys while doing so:

fritap -m -p log24.pcap --full_capture --spawn --keylog <keylog_name.log> <target package>

That way you keep the original socket information. You still need to filter this PCAP, because it will capture any traffic from your target device and will therefore contain more information than your target app.

monkeywave, Jul 05 '24 14:07
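The filtering step mentioned in the last two replies (narrow a device-wide capture to one app by the hostname in the TLS handshake, then by server IP), as an added example that is not part of the thread and not friTap code. It assumes the (destination IP, first TCP payload) pairs have already been extracted from the PCAP and that each ClientHello fits in one segment; the hostnames, addresses and helper names are constructed for illustration.

```python
import ipaddress
import struct

def sni_from_client_hello(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:  # not handshake/ClientHello
            return None
        pos = 5 + 4 + 2 + 32  # record hdr, handshake hdr, version, random
        pos += 1 + payload[pos]  # session_id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]  # cipher_suites
        pos += 1 + payload[pos]  # compression_methods
        end = pos + 2 + struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == 0:  # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack_from("!H", payload, pos + 3)[0]
                name = payload[pos + 5:pos + 5 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass  # truncated or malformed record
    return None

def build_client_hello(host: str) -> bytes:  # constructed sample input only
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 10, 4) + b"\x00\x02\x00\x1d" + struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def display_filter(flows, hostname: str) -> str:
    """Wireshark display filter for servers whose SNI is hostname or a subdomain."""
    hits = {}  # dict keeps first-seen order and drops duplicate clauses
    for dst, payload in flows:
        sni = sni_from_client_hello(payload)
        if sni and (sni == hostname or sni.endswith("." + hostname)):
            field = "ipv6.addr" if ipaddress.ip_address(dst).version == 6 else "ip.addr"
            hits[f"{field} == {dst}"] = sni
    return " || ".join(hits)

FLOWS = [("192.0.2.10", build_client_hello("api.example.test")),  # constructed
         ("2001:db8::10", build_client_hello("cdn.example.test")),
         ("198.51.100.7", build_client_hello("updates.other.test"))]
print(display_filter(FLOWS, "example.test"))
```

The returned string can be pasted into Wireshark's display filter bar once the key log has been loaded.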