如何查看特定应用程序请求的网络流量? -- applications 领域 和 networking 领域 和 internet 领域 和 data-monitoring 领域 和 processes 领域 android 相关 的问题

How to view network traffic requested by a specific app?


简体版||繁體版
3
vote

问题

中文

有很多关于如何查看哪个应用程序请求网络连接的讨论。我尝试了以下应用程序:

  tcapturepacket wifi monitor connection tracker   
但是,它们都没有有用。例如,在短时间内,我上传了一个30kb的PCAP文件,可以被视为 < / a>。我仍然没有找到哪个应用程序请求连接以及它尝试连接的位置。

我也试图看 adb logcat ,但没有找到有用的信息。也许在这里错过了一些东西。任何猜测?

english

There are lots of discussion on how to see which app is requesting network connection. I have tried the following apps:

tcapturepacket wifi monitor connection tracker 

However, none of them was useful. For example, for a short period of time, I uploaded a 30KB pcap file which can be viewed here. Still I haven't find out which app is requesting connection and to where it is trying to connect.

I also tried to look at adb logcat, but didn't find useful information. Maybe something has been missed here. Any guess?

              

回答列表

5
 
vote

如果您有扎根的电话,请转到 nethogs (用于实时监控)或 iptables (才能获得统计信息)commandline工具。基于VPN或基于Android统计数据的应用是唯一可能的非根解决方案。或者参考此答案对于a logcat / dumpsys 基于解决方案。


首先,跟踪网络流的UID或PID不是直接的,因为这些不是网络相关但操作系统相关参数。 提案和废弃的项目确实存在。

Android为每个已安装的应用程序分配一个唯一的UID,就像Linux上的每个人都有一个UID一样。因此,我们可以捕获特定UID通过网络接口发送的数据包来跟踪使用情况。

tcpdump:

现在我们如何捕获网络流量?大多数网络嗅探器使用 libpcap 为此目的为系统独立的库系列。它支持<强> BSD数据包过滤器(BPF)用于内核数据包过滤。一些流行的实用程序,使用<代码> libpcap 包含<代码> tcpdump ,<代码> nmap ,<代码> tshark/wireshark ,<代码> dumpcap nethogs0 等.Android应用程序网络实用程序和其他人也使用 nethogs1

但是,UID信息不会通过 nethogs2 / nethogs3 通道 nethogs4 osi二层 。所以我们可以在这里做的是使用应用程序使用网络套接字(IP和端口的组合)。 nethogs5 nethogs6 将显示所有带有主动/建立连接的网络套接字。两种工具都在Android上提供(或者您可以获得静态二进制), nethogs7 是较新的。 套接字与uid 信息也可以直接从 nethogs8 直接读取。 Android App netstat plus 工作原理。这将提供过程使用的本地地址(套接字)。

一旦我们知道应用程序(UID)使用的套接字, nethogs9 将转储来自该过程的整个流量。
同样,远程套接字(如果未连接到多个应用程序)也可用于过滤结果。

限制:

然而,这种方法存在一些问题:
  • Android应用程序通常在并行推出多个进程i.e. 多个PID在相同的UID 下工作。所以我们必须捕获来自所有进程的流量。
  • 应用程序继续创建和删除套接字。遵守连续改变的套接字几乎不可能特别是当有大量应用程序同时访问网络时。
  • 存在 - 虽然稀有的可能性是在Unix-ops OS的多个进程中共享套接字的可能性。远程共享套接字,例如用于DNS解析的UDP / 53,无法用于单个进程。这进一步削弱了这种方法。

nethogs travers iptables0 和copes通过上述限制(虽然并不总是非常成功):

iptables:

可以使用 iptables iptables1 iptables2 第2层位于物理层上方,即它是在离开设备之前遇到的最后一件事包。这就是为什么,在数据链路层和在较低级别的NET堆栈中工作,BPF是一种无状态分组过滤机制,与 iptables3相比,与osi一起工作的abcdefghijklmncdefghijklmn24 第3层(更近的用户空间程序)。所以 iptables5 也可以从TCP / IP堆栈( layer 4 )获取信息。使用模块 iptables6 http://git.net_filter.org/iptables/tree/ext_filter.orgxt_owner.c"rel =" nofollow noreferrer",它基于它们的创建者uids >与套接字互动以查找数据包所有权。

iptables7 写入内核日志,可以使用 iptables8 iptables9 。应用程序的UID可以使用一些应用程序获得或从 logcat0 logcat1 logcat2

输出可以保存到文件并使用 logcat3 logcat4 logcat5 等。网络log - 虽然非常过时 - 以类似的方式工作。 afwall + 是一个基于 logcat6 的防火墙,可以记录/通知应用程序的网络应用程序被阻止时的活动。

这种方法的唯一缺点是,当存在相同的UID 时,它不能用于从一个过程中嗅探从一个过程的流量。 logcat7 无法基于PID捕获数据包。他们决定不使用 logcat8 使用进程,因为该过程在被阻止/嗅探之前启动,并且程序可以轻松地用新的PID轻松产生一个孩子,不会被阻塞/嗅探。此外,PID也被创建并作为套接字快速销毁。所以总是有流量泄露的空间。

qtaguid:

logcat9 模块不适用于传入或转发的流量,因为IP数据包不携带所有权信息。为了测量每个应用程序传入/传出网络使用,Android修补内核包含 模块。我们可以从 dumpsys1 读取统计信息。有一些shell脚本获取自动启动以来的实时数据使用:

但是在Android 9+上, dumpsys2 是用扩展 bpf(也计划到<一个href ="https://cilium.io/blog/2018/04/17/1018/04/17/11why-is-the-kernel-community-replacing -iptables/" rel ="nofollow noreferrer" >替换 Abcdefghijklmnabcdefghijklmn43 Linux内核的框架)。相关:哪个进程负责捕获数据使用情况?

iptables + tcpdump:

替代是将来自应用程序的传出流量放在 dumpsys4 组中,稍后 tcpdump从该组捕获数据包:

  dumpsys5  

这是为了确保在嗅探传出流量时,我们会更接近物理层。 但它仍然可以给出假阳性 如果在路由表中丢弃数据包/丢失。 这就是为什么嗅探器在OSI层2.甚至更好的是从外面看 使用代理/ VPN服务器或在RETETED PC上或路由器上。 但是 不会捕获每个UID / PID的流量。

其他选项:

  • 使用 dumpsys6 等诊断工具,以跟踪 dumpsys7 与进程的网络活动相关。 force_bind 和 Tracedump 也有关相同的原则。 Linux内核的审计子系统可以使用它。
  • 使用网络分类器cgroup 带 dumpsys8 dumpsys9 从某些过程中嗅探流量。
  • 使用 libpcap0 来隔离进程并根据接口读取数据使用情况。 nstrace 在相同的原理上工作。
  • 如果意图完全块源自某些过程的流量, libpcap1 libpcap2 可用于通过定义受限<代码来限制进程创建套接字的流程> libpcap3 并分别抑制 libpcap4

大多数这些都不是Android的直接可行的选择,需要高级配置。


Android的API(非根目录):

一些应用程序如 netguard 使用 vpnservice Android的API阻止在第3层(TUN接口)的流量。应用程序可以"在应用程序访问Internet" 时通知。每个应用程序捕获和跟踪( 1 , 2 )使用VPN API可以实现随着Android利用 libpcap5 libpcap6 ( 1 , 2 )来控制网络路由策略中的流量( rpdb

一些应用程序如 netlive 利用 networkstatsmanager ,但它滞后于实时使​​用," 不会快速更新足够的",它是" 意味着提供历史数据"

注意:我没有引用的任何应用程序都没有隶属关系。


相关:

  • 限制应用程序只发送互联网流量但没有收到返回?
  • 为什么从防火墙阻止它们后从应用程序中检测到网络活动?
  • 捕获Wireshark的手机流量

 

If you have rooted phone, go for nethogs (for live monitoring) or iptables (to get statistics) commandline tools. Using VPN or Android stats based apps is the only possible non-root solution. Or refer to this answer for a logcat/dumpsys based solution.


First of all, tracking a UID or PID of a network stream isn't straight forward because these aren't network related but OS related parameters. Proposals and abandoned projects do exist.

Android assigns a unique UID to every installed app just like every human user on Linux has a UID. So we can capture packets sent by a specific UID over the network interfaces to track the usage.

TCPDUMP:

Now how we can capture network traffic? Most of the network sniffers use libpcap family of system-independent libraries for this purpose. It supports BSD Packet Filter (BPF) for in-kernel packet filtering. Some popular utilities that use libpcap include tcpdump, nmap, tshark/wireshark, dumpcap, nethogs etc. Android app Network Utilities and others also make use of tcpdump.

However UID info is not propagated through the AF_PACKET/PF_PACKET channel that pcap uses at OSI Layer 2. So what we can do here is to make use of network sockets (combination of IP and port) being created and used by an app. netstat -tup or ss -tup will show all network sockets with active/established connections. Both tools are available on Android (or you can get a static binary), ss is the newer one. Socket vs. UID information can also be directly read from /proc/net/{tcp,udp}. Android app Netstat Plus works on same principle. This will provide Local Address (socket) being used by a process.

Once we know what sockets are being used by an app (UID), tcpdump -i wlan0 src <IP> and port <PORT> will dump the whole traffic originated from that process.
Similarly a remote socket (if not connected to by multiple apps) can also be used for filtering results.

LIMITATIONS:

However there are some issues with this approach:

  • Android apps usually launch more than one process at a time in parallel i.e. multiple PIDs working under same UID. So we have to capture traffic from all processes.
  • Apps keep on creating and deleting sockets. Keeping track of continuously changing sockets is almost impossible particularly when there are a large number of apps accessing network simultaneously.
  • There is - though rare - possibility that local sockets are being shared by multiple processes on UNIX-like OS's. Remote shared sockets such as UDP/53 which is used for DNS resolution cannot be tracked for a single process. This further weakens the approach.

NetHogs traverses procfs and copes with the above limitations (though not always very successful):

IPTABLES:

The above described shortcomings of a Layer 2 tool can be mitigated using iptables LOG or NFLOG. Layer 2 is just above the Physical Layer i.e. it's the last thing packets encounter before leaving the device. That's why, being at Data Link Layer and working at lower level of net stack, BPF is a kind of stateless packet filtering mechanism as compared to netfilter / iptables which works at OSI Layer 3 (nearer to userspace programs). So iptables can also get information from TCP/IP stack (Layer 4). It filters packets based on their creator UIDs using module owner that interacts with sockets to find packet ownership.

iptables writes to kernel log which can be read using dmesg or logcat. UID of an app can be obtained using some app or read from /data/system/packages.list or pm list packages -U.

# iptables -I OUTPUT -m owner --uid-owner <UID> -j LOG --log-level 7 --log-prefix 'SNIFFER: ' --log-uid # dmesg -w | grep SNIFFER 

Output can be saved to a file and formatted using tools like grep, awk, printf etc. Network Log - though very outdated - works in similar way. AFWall+ is a firewall based on iptables that can log / notify an app's network activity when the app is blocked.

The only downside with this approach is that it cannot be used to sniff traffic from one process when there are multiple processes running with same UID. iptables can't capture packets based on PIDs. They decided not to use iptables with processes because the process is started before it is blocked/sniffed, and program could easily spawn a child process with new PID which would not be blocked / sniffed. Also PIDs are created and destroyed as quick as sockets are. So there is always room for traffic being leaked.

QTAGUID:

owner module won't work for incoming or forwarded traffic because IP packets carry no ownership information. To measure per-app incoming / outgoing network usage, Android patched kernel to include qtaguid module. We can read statistics from /proc/net/xt_qtaguid/stats. With some shell scripting get live data usage since reboot:

However on Android 9+, qtaguid is being replaced with extended BPF (which is also planned to replace netfilter framework in Linux kernel). Related: Which process is responsible for capturing data usage?

IPTABLES + TCPDUMP:

An alternate is to put the outgoing traffic from an app in an NFLOG group and later tcpdump captures packets from that group:

# iptables -I OUTPUT -m owner --uid-owner 1000 -j NFLOG --nflog-group 30 # tcpdump -i nflog:30 

This is to ensure that we get closer to physical layer when sniffing outgoing traffic. But it can still give false positives e.g. if packets are dropped / lost in routing tables. That's why sniffers work at OSI layer 2. Or even better is to watch from outside e.g. using a proxy / VPN server or on a tethered PC or at router. But this won't capture traffic on per UID/PID basis.

OTHER OPTIONS:

  • Use diagnostic tools like strace to track syscalls related to network activity of a process. force_bind and tracedump also work on same principle. Linux kernel's audit subsystem can be used for the same.
  • Use Network classifier cgroup with iptables NETFILTER_XT_MATCH_CGROUP to sniff traffic from certain process(es).
  • Use Network Namespaces to isolate processes and read data usage on per interface basis. nstrace works on same principle.
  • If the intention is entirely to block traffic originating from certain processes, SELinux and seccomp can be used to restrict the processes' ability to create sockets by defining restricted policies and suppressing syscalls respectively.

Most of these are not straightforwardly viable options for Android and require advanced configurations.


ANDROID'S APIs (NON-ROOT OPTIONS):

Some apps like NetGuard use VpnService API of Android to block traffic at Layer 3 (TUN interface). The app can "notify when an application accesses the internet". Per app capturing and tracking (1, 2) is possible using VPN API as Android makes use of UIDs and SOcket_MARKs (1, 2) to control traffic in network Routing Policy (RPDB), just before leaving the device.

Some apps like NetLive make use of NetworkStatsManager, but it lags the real-time usage and "does not update quickly enough", it's "meant to provide historical data".

NOTE: I've no affiliation with any app referenced.


RELATED:

  • Restricting an app to only send internet traffic but not receive that back?
  • Why network activity is detected from apps after firewall blocks them?
  • Capturing mobile phone traffic on Wireshark
 
 
0
 
vote

如果您只想跟踪哪个应用程序执行哪个应用程序,我推荐应用程序
网显示给您。它充当本地VPN,因此能够检测所有网络流量。此外,它显示了哪个应用程序执行了网络请求(包括远程主机,端口,以及即使连接是普通的或SSL / TLS)。

因此,如果您将此应用程序结合使用您的问题中已经提到的捕获工具,您应该能够追溯每个网络连接。

 

If you only want to track which app performs connections to which server I recommend the app
Net Monitor to you. It acts as a local VPN and is therefore able to detect all network traffic. Furthermore it shows which app has performed the network request (including remote host, ports, and even if the connection is plain or SSL/TLS).

Therefore if you use this app in combination with the capture tools you already mentioned in your question you should able to trace back each and every network connection.

 
 

相关问题

7  如何为Android任务设置CPU关联  ( How to set cpu affinity for android tasks ) 
我有一个双核android设备。 是否有任何方法可以为Android任务设置CPU关联? ...

42  是否有限制背景过程的缺点或风险?  ( Are there any downsides or risks to limiting background processes ) 
我在我的三星Galaxy Grand Duos上启用了开发人员选项,然后将"限制背景处理" 选项从标准限制更改为无后台处理。 之后,我的手机正常工作,没有悬挂问题或者没有像以前没有缓慢的。 但我的怀疑是,这种变化会影响任何可能导致错误或失败的流程,更新,应用程序或任何可能吗? ...

2  为什么Dalvik虚拟机需要在每个过程中运行?  ( Why does dalvik virtual machine need to run in every process ) 
JVM和DVM都提供虚拟环境。 JVM不需要在每个过程中。 为什么DVM需要在每个过程中? 谢谢。 ...

5  根终端命令杀死或停止服务?  ( Root terminal command to kill or stop a service ) 
最新的 liveview应用程序对于我的设备,即使LiveView设备未连接,也会在状态栏上保持在状态栏上。由于我找不到任何禁用此行为的方法,我想通过Tasker为自己创建修复。我制作了它,以便在设备断开连接时终止LiveView流程。但是,虽然这成功杀死了应用程序,但在几秒钟或几分钟后,它再次启动并坐在类似于之前的...

3  “system_server” - Bluetoothphoneservice会导致高CPU使用率  ( System server bluetoothphoneservice causes high cpu usage ) 
我在Nexus 4上使用Android 5.1,几个月前将注意到电池排水量快。思考我需要将Android更新到较新版本我决定首先检查CPU使用情况,并发现进程"System_server" - BluetoothPhoneservice会导致高CPU使用率: 在其他论坛和其他有同样的论坛上进行了研究,但我没...

19  查看Android 7(Nougat)的运行进程和CPU使用情况?  ( View running processes and cpu usage in android 7 nougat ) 
在先前版本的Android时,当我的手机电池快速下降时,我可以打开一个像 OS监视器,看看使用很多CPU的过程(通常它是Evernote或Maps.me),然后杀死该过程。 但是,OS监视器和类似的应用程序不再使用Android 7,我猜是由于系统的一些变化。 所以我想知道,有一种方法可以让我看看最新版本的Andro...

0  仍然是一个谜。 Thumbdata3文件空间和性能猪  ( Still a mystery thumbdata3 file space performance hog ) 
我只是不知道如何解决这个问题。 我几乎尝试了一切并放弃了。 如果存在 abcdefghijklmn.thumbdata3 文件,我已经阅读了其他线程。占用了很多空间的文件。我的文件占用了近20 GB,我买不起那个空间浪费。 我已经做了以下事情来尝试和规避,但没有任何作品 以相同的名称创建一个空文件。 该空文件最终...

3  如何查看特定应用程序请求的网络流量?  ( How to view network traffic requested by a specific app ) 
有很多关于如何查看哪个应用程序请求网络连接的讨论。我尝试了以下应用程序: tcapturepacket wifi monitor connection tracker 但是,它们都没有有用。例如,在短时间内,我上传了一个30kb的PCAP文件,可以被视为 < / a>。我仍然没有找到哪个应用程序请求连接以及...

3  Android 4.0.3迟缓:NANDD进程劫持CPU  ( Android 4 0 3 sluggish nandd process hogging cpu ) 
我有一个Allwinner A10平板电脑克隆。在平板电脑上"冻结" 定期,但在2到15秒之间的时间间隔时间不会太过频繁。描述了不同的描述:平板电脑是可用的,但漂亮的"液体" 工作流程突然瞬间中断... 情况: e .g。在Firefox中打开一个额外的选项卡,当已经打开时, 在下载文件时使用平板电脑时,这些冻...

1  未启用的应用程序条目出现在电池历史记录中。可疑的?  ( Unlabled app entries appearing in battery history suspicious ) 
今天早上我注意到我的电池历史中的奇怪的无标题条目,我以前从未见过。我也不确定为什么一些行没有显示百分比。 (点击时,条目详细信息视图显示百分比。)条目具有与Android OS条目相同的代码/齿轮图标: 相同的图标 条目/详细/与Android操作系统相同/相同的图标(点击较大变体的图像) 这些不是在现在的...




© 2022 it.wenda123.org All Rights Reserved. 问答之家 版权所有