Common packet-capture approaches fall roughly into two categories:
- wireshark
  Captures any packet; its one drawback is that it cannot decrypt TLS traffic. You can set the SSLKEYLOGFILE environment variable, but that only decrypts HTTPS initiated by a browser; requests made from inside some applications still cannot be decrypted.
- fiddler
  Installs a (self-signed) man-in-the-middle certificate to decrypt HTTPS traffic and exposes a proxy; point your requests at that proxy and they get captured.
But in some cases the scenario I face looks like this:
- the API uses HTTPS
- the requests are not made by a browser but from inside an application
- the application offers no way to set a proxy and does not honour the global proxy
- some of the requests need to go through a proxy node
In this situation the capture approaches above no longer work; the root cause is that some requests cannot be made to use a proxy at all.
Here is a capture approach that does work:
use a TUN virtual network interface to intercept the requests at the network layer, then hand them to a designated proxy for capture.
As an example, I use sing-box's tun directly; here is the config:
tun.json
{
  "log": {
    "level": "info",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "remote",
        "address": "1.1.1.1"
      }
    ]
  },
  "inbounds": [
    {
      "type": "tun",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
      "strict_route": true,
      "stack": "gvisor",
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "http",
      "tag": "proxy",
      "server": "127.0.0.1",
      "server_port": 1081
    },
    {
      "type": "direct",
      "tag": "direct_out"
    },
    {
      "type": "dns",
      "tag": "dns_out"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "rules": [
      {
        "process_name": [
          "sing-box.exe"
        ],
        "outbound": "direct_out"
      },
      {
        "protocol": "dns",
        "outbound": "dns_out"
      }
    ]
  }
}
Port 1081 is the port of the proxy that performs the man-in-the-middle capture; tools such as mitmweb or fiddler can be used there.
Here is the mitmweb command line:
mitmweb --listen-port=1081 --mode=upstream:http://127.0.0.1:1080
Port 1080 is the traffic-splitting proxy port.
If you do not need splitting, drop the --mode parameter.
If you do need splitting, here is a reference sing-box split configuration (a second, independently running sing-box, separate from the tun instance above):
config.json
{
  "log": {
    "level": "info",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "mixed",
      "listen": "::",
      "listen_port": 1080,
      "sniff": false
    }
  ],
  "outbounds": [
    {
      "type": "socks",
      "tag": "proxy",
      "server": "127.0.0.1",
      "server_port": 10808
    },
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "rules": [
      {
        "ip_is_private": true,
        "outbound": "direct"
      },
      {
        "rule_set": "geoip-cn",
        "outbound": "direct"
      },
      {
        "rule_set": "geoip-us",
        "rule_set_ipcidr_match_source": true,
        "outbound": "proxy"
      }
    ],
    "rule_set": [
      {
        "tag": "geoip-cn",
        "type": "remote",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs",
        "download_detour": "proxy"
      },
      {
        "tag": "geoip-us",
        "type": "remote",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-us.srs",
        "download_detour": "proxy"
      }
    ]
  }
}
The "proxy" entry in outbounds can be pointed at your own proxy node.
PS:
- To avoid creating a traffic loop, this is what I do: copy sing-box.exe and rename the copy to tun.exe,
  then start the tun like this: tun.exe run -c tun.json
  and the other sing-box like this: sing-box.exe run -c config.json
  tun.json automatically excludes traffic generated by the sing-box.exe process, which avoids the loop. If your proxy client does not use the sing-box core, add another route rule with your own whitelist.
- Also, I recommend starting the tun last.
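The loop-avoidance rule above is easy to get wrong when the config is edited later. As an added example (not from the original post), the script below checks a tun config for the invariants the setup depends on: every local proxy process is routed direct (so its upstream traffic does not re-enter the tun), an http outbound targets the MITM port, and DNS is sent to the dns outbound. TUN_CFG is the post's tun.json reduced to its route-relevant parts; "other-client.exe" is a constructed placeholder name.

```python
# Constructed: the route-relevant parts of the post's tun.json as a Python dict.
TUN_CFG = {
    "inbounds": [{"type": "tun", "auto_route": True, "strict_route": True, "sniff": True}],
    "outbounds": [
        {"type": "http", "tag": "proxy", "server": "127.0.0.1", "server_port": 1081},
        {"type": "direct", "tag": "direct_out"},
        {"type": "dns", "tag": "dns_out"},
    ],
    "route": {
        "auto_detect_interface": True,
        "rules": [
            {"process_name": ["sing-box.exe"], "outbound": "direct_out"},
            {"protocol": "dns", "outbound": "dns_out"},
        ],
    },
}


def direct_processes(cfg):
    """Process names whose traffic the tun instance sends straight out, bypassing the MITM proxy."""
    direct_tags = {o["tag"] for o in cfg["outbounds"] if o["type"] == "direct"}
    names = set()
    for rule in cfg.get("route", {}).get("rules", []):
        if rule.get("outbound") in direct_tags:
            names.update(rule.get("process_name", []))
    return names


def check_tun_config(cfg, local_proxies, mitm_port):
    """Return findings as strings; an empty list means the config is consistent. local_proxies: binary
    names of every local process that forwards traffic out on the tun's behalf; mitm_port: MITM listener."""
    findings = []
    excluded = direct_processes(cfg)
    for proc in local_proxies:
        if proc not in excluded:
            findings.append(f"{proc}: not routed direct, so its upstream traffic re-enters the tun (loop)")
    if not any(o["type"] == "http" and o.get("server_port") == mitm_port for o in cfg["outbounds"]):
        findings.append(f"no http outbound targets the MITM proxy on port {mitm_port}")
    if not any(r.get("protocol") == "dns" for r in cfg["route"]["rules"]):
        findings.append("no 'protocol: dns' rule: DNS falls to the first outbound (http), which cannot carry UDP")
    return findings


if __name__ == "__main__":
    print(check_tun_config(TUN_CFG, ["sing-box.exe"], 1081))
    # A non-sing-box proxy client (constructed name) that the post says must be whitelisted.
    print(check_tun_config(TUN_CFG, ["sing-box.exe", "other-client.exe"], 1081))
```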