Save traffic in pcap file or best way to log post data

Hello Everybody,

My question is: is there a way to store traffic in pcap format, and if not, what is the best option to log POST data?
With the -w/-a option all HTML traffic is logged and we can replay it with mitmdump, but my aim is only to filter sensitive logged data from POST requests. Is the only alternative to write a script for that?

Thanks in advance,
Phackt.

I would just use Wireshark next to mitmproxy for that. mitmproxy can log TLS master secrets so that Wireshark can decrypt TLS packets.

By filtering, you mean “only store/save/persist flows which are POST requests”? The first thing you can do is only save flows that match a certain pattern, e.g. by using mitmdump’s filter argument: mitmdump -w dump.mitm '~m POST' (or mitmdump -r dump.mitm -w dump-filtered.mitm '~m POST'). Depending on how small you want things to become, you can also delete the corresponding response or only the response body.

Does that make sense?

Yeah, thanks Maximilian, also I just read that objects are dumped thanks to tnetstrings. My purpose is just to save headers in order to minimize log files, I think ~m [post|get] ~h will do the trick for POST and GET requests/responses.

Phackt.

You are misunderstanding filters here. We are always saving full flows, you can just filter which ones are saved based on a header value. This will not limit the dump file to headers only.

Ok, thanks Maximilian, so I will look at how to process dump files on my side to extract only header information.
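As an added example for the header-only extraction discussed above (this is not code from the thread or from the mitmproxy project): a small mitmproxy addon that keeps only the method, URL and request headers of POST/GET flows as JSON lines, redacts credential-bearing headers so they never reach the log, and can also be run offline over a dump written with -w. The file names headers_only.py and headers.jsonl and the redaction list are my assumptions.

```python
"""mitmproxy addon: keep only method, URL and request headers of POST/GET flows as
JSON lines, with credential-bearing headers redacted.  Assumed file names, not mitmproxy defaults:
  live:    mitmdump -s headers_only.py
  offline: python headers_only.py dump.mitm     (a dump written earlier with -w)"""
import json
import sys
from typing import Iterable, Optional, Tuple

LOG_PATH = "headers.jsonl"
LOGGED_METHODS = {"POST", "GET"}          # the '~m [post|get]' idea from the thread
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}

def summarize_request(method: str, url: str, headers: Iterable[Tuple[str, str]],
                      ts: float = 0.0) -> Optional[dict]:
    """Compact, redacted record for one request; None if the method is not logged."""
    if method.upper() not in LOGGED_METHODS:
        return None
    kept = []                             # ordered [name, value] pairs, duplicates survive
    for name, value in headers:
        if name.lower() in SENSITIVE_HEADERS:
            value = "<redacted>"          # never persist session ids or credentials
        kept.append([name, value])
    return {"ts": ts, "method": method.upper(), "url": url, "headers": kept}

def record_flow(flow, path: str = LOG_PATH) -> bool:
    """Summarize one mitmproxy HTTP flow and append it; returns True if written."""
    req = flow.request                    # mitmproxy.http.Request
    rec = summarize_request(req.method, req.pretty_url,
                            req.headers.items(multi=True), req.timestamp_start)
    if rec is None:
        return False
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(rec) + "\n")
    return True

class HeaderLogger:
    def request(self, flow) -> None:      # mitmproxy calls this for every request
        record_flow(flow)

addons = [HeaderLogger()]                 # picked up by `mitmdump -s`

def extract_from_dump(dump_path: str, out_path: str = LOG_PATH) -> int:
    """Offline mode over a -w dump file; returns the number of records written."""
    from mitmproxy import io              # local import: the helpers above need no mitmproxy
    written = 0
    with open(dump_path, "rb") as fh:
        for flow in io.FlowReader(fh).stream():
            if hasattr(flow, "request") and record_flow(flow, out_path):   # skips TCP/DNS flows
                written += 1
    return written

if __name__ == "__main__" and len(sys.argv) > 1:
    print(extract_from_dump(sys.argv[1]), "records written to", LOG_PATH)
```

Response headers are deliberately not written; if you need them too, add a `response` hook that summarizes `flow.response.headers` the same way.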

You can use PolarProxy (another free TLS proxy) if you want to save the decrypted TLS traffic in a PCAP file.
https://www.netresec.com/?page=PolarProxy