
How can I capture websocket traffic


Hi, I know that mitmproxy doesn’t support websocket, but I would like to know if there is a way to have the dump file of the traffic from a websocket.

This is my scenario: I initially receive real-time data from a website in a browser page. I use a sniffer (like this http://www.freeproject.co.in/source/Network-Packet-Sniffer.aspx?pf=Java&t=web or http://packetsnifferusingjpcap.blogspot.it/, which writes to a file all TCP/IP traffic that passes through the network interface from a given IP address) in order to get the data and send it to a custom program. Now my data provider supplies the data using SSL (https), so my sniffer doesn't receive the decrypted data in clear. To connect to my provider I must provide user, password and then, in a new page, a temporarily generated key code; then the browser opens a web page at an address xxx.yyy.nnn.zzz (without https prefix) which shows real-time data. Using Wireshark and the instructions provided in https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/ I'm able to decrypt the SSL page.

This is a sample of the data decrypted using Wireshark:

GET / HTTP/1.1
Host: serverpush.dot.it:7072
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-WebSocket-Version: 13
Origin: https://severdata.dot.it
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: 1VkXxdjYOBuOjfa+gAQ91A==
Cookie: _ga=GA1.2.458778788.1410278708; _gat=1; _gali=Avanti
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: fIKoaTEDrGcC8Qyxt5bppaevP9U=

...t...t.a.7...I...F...C...M...D...........F...................M...B...L.......~.......
RESULT=ACK
....5h..0m..s!..p:..q"...;...X.....8...=...~.B.}.3.|.G...^.......T.C.W.F.FP
..S..gR..w%..a&s...t...v...t...8...I...=...$...~.J.....C3DJI;0=16391.69;1=1.4877;4=104196873;20=2511792525067.33;7=21:52:35
.B.....;3SP500;0=1923.67;4=637246226;20=1677783824894.07;7=21:52:35
..L...N...L.......q...........
.......
...F...7...C...O......a...E...(...3...5...5....s..Cq..bs..
?...N...:...6......Y...{........... ... ...J.....DATA1I;0=16391.28;1=1.4851;4=104210258;20=2511792541458.61;7=21:52:36
.-.....&DATA2;4=637298282;20=1677783826817.68
.+.....$DATA2;0=1923.61;1=1.7632;7=21:52:36
..cq>.ar;.cQxU/%{N^BzV*R O3D.,@BxH04sU!R X)84........ ...N.Y.M.(.L.\.;.E.8.6.N.F.E.W.;._...J.....DATA1I;0=16389.91;1=1.4767;4=104222192;20=2511792557848.52;7=21:52:37
.K.....DATA2;0=1923.48;1=1.7564;4=637378052;20=1677783828741.16;7=21:52:37

According to what is reported above, it appears that the transfer of data is done through WebSocket.

Is it possible to get this data using mitmproxy in order to have a live stream on a file?

Issue Analytics

  • State: closed
  • Created 8 years ago
  • Comments: 13 (3 by maintainers)

Top GitHub Comments

11 reactions
mckelvin commented, Jan 30, 2019

Thanks @Kriechi for the links. Here’s a workable POC:

Save the following file as foobar.py:

#!mitmdump -s

import mitmproxy.http
import mitmproxy.websocket


class SniffWebSocket:
    """Minimal mitmproxy addon: print every WebSocket message passing through the proxy."""

    # Websocket lifecycle
    def websocket_handshake(self, flow: mitmproxy.http.HTTPFlow):
        """
            Called when a client wants to establish a WebSocket connection. The
            WebSocket-specific headers can be manipulated to alter the
            handshake. The flow object is guaranteed to have a non-None request
            attribute.
        """

    def websocket_start(self, flow: mitmproxy.websocket.WebSocketFlow):
        """
            A websocket connection has commenced.
        """

    def websocket_message(self, flow: mitmproxy.websocket.WebSocketFlow):
        """
            Called when a WebSocket message is received from the client or
            server. The most recent message will be flow.messages[-1]. The
            message is user-modifiable. Currently there are two types of
            messages, corresponding to the BINARY and TEXT frame types.
        """
        # Handle only the newest message: looping over flow.messages would
        # re-print the whole history of the connection on every call.
        packet = flow.messages[-1].content
        print("TODO: decode the packet here: %r..." % packet[:100])

    def websocket_error(self, flow: mitmproxy.websocket.WebSocketFlow):
        """
            A websocket connection has had an error.
        """

    def websocket_end(self, flow: mitmproxy.websocket.WebSocketFlow):
        """
            A websocket connection has ended.
        """


addons = [
    SniffWebSocket()
]

Running ./foobar.py or mitmdump -s foobar.py will start an HTTP proxy on :8080. You'll see the traffic in the terminal.
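The asker wanted the stream written to a file rather than just printed, and the decrypted sample shows the payload shape (one `NAME;k=v;k=v` record per line, plus bare `RESULT=ACK`). The following addon is an added example, not code from the issue or from mitmproxy: it follows the same hook signature as the comment above (`flow.messages[-1]` with `from_client`, `timestamp`, `content` on the message, the mitmproxy 4-era API; in mitmproxy 7+ the hook receives an HTTPFlow and the messages live in `flow.websocket.messages`), parses each message into records and appends one JSON line per message to a dump file. The sample payloads and the `ws_dump.jsonl` path are constructed for the example.

```python
import json
from typing import Dict, List, Union

# Constructed sample payloads, shaped like the decrypted lines in the question.
SAMPLE_PAYLOADS = [
    "RESULT=ACK",
    "DATA1I;0=16391.28;1=1.4851;4=104210258;20=2511792541458.61;7=21:52:36",
    "DATA2;4=637298282;20=1677783826817.68",
]


def parse_record(line: str) -> Dict[str, object]:
    """Parse one 'NAME;k=v;...' record. A bare 'k=v' line (RESULT=ACK) has no name."""
    head, *fields = line.strip().split(";")
    if "=" in head:  # control line such as RESULT=ACK: no record name, one field
        fields, head = [head], None
    values = dict(f.split("=", 1) for f in fields if "=" in f)
    return {"name": head, "fields": values}


def decode_payload(content: Union[str, bytes]) -> List[Dict[str, object]]:
    """Split a WebSocket message body into records, one per non-empty line."""
    if isinstance(content, bytes):  # BINARY frames arrive as bytes, TEXT frames as str
        content = content.decode("utf-8", errors="replace")
    return [parse_record(line) for line in content.splitlines() if line.strip()]


def message_to_record(from_client: bool, timestamp: float, content) -> dict:
    """Shape of one dump-file line: direction, time, raw text and parsed records."""
    text = content.decode("utf-8", "replace") if isinstance(content, bytes) else content
    return {"ts": timestamp, "dir": "client->server" if from_client else "server->client",
            "raw": text, "records": decode_payload(text)}


class WebSocketDump:
    """mitmproxy addon: appends each WebSocket message as one JSON line (JSONL)."""

    def __init__(self, path: str = "ws_dump.jsonl"):  # hypothetical output path
        self.path, self.out = path, None

    def websocket_message(self, flow):
        if self.out is None:
            self.out = open(self.path, "a", encoding="utf-8")
        msg = flow.messages[-1]  # newest message only; flow.messages holds the history
        self.out.write(json.dumps(message_to_record(msg.from_client, msg.timestamp, msg.content)) + "\n")
        self.out.flush()  # flush each line so `tail -f ws_dump.jsonl` is a live stream

    def done(self):  # called by mitmproxy on shutdown
        if self.out:
            self.out.close()


addons = [WebSocketDump()]
```

Run it with `mitmdump -s <this file>` and point the browser at the proxy; each message lands in the dump file as soon as it is seen.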

3 reactions
Kriechi commented, Mar 11, 2018
