Application-Scoped Traffic Acquisition Pipeline — capture only one application's network traffic, scoped by its Linux UID.

AppTap

Capture only one application's network traffic, scoped by its Linux UID, using the kernel's authoritative knowledge of which UID owns each socket — something tcpdump/BPF alone cannot do (UID is a socket property, absent from the wire).

AppTap is both an importable library and a standalone CLI tool. It acquires an app-scoped pcap (plus the matching connection set). It deliberately does not decrypt TLS or handle keys — that is the consumer's job (e.g. friTap, which embeds decryption keys onto AppTap's pcap).

How it works — two tiers, auto-selected

Two kernel mechanisms can scope capture by UID, and neither is universally available, so AppTap probes and picks the best one at runtime:

  • Tier 1 — interface capture + kernel socket-table UID filter (robust default). Capture on the interface, then keep only packets whose 5-tuple belongs to the target UID(s), resolved from the kernel's authoritative socket→UID table (SOCK_DIAG / /proc/net/{tcp,tcp6,udp,udp6}). Works on every Android/Linux version.
  • Tier 2 — iptables owner + CONNMARK + NFLOG in-kernel pre-filter (opportunistic). The kernel selects only the app's packets and copies them to userspace. Cleanest and most private, but depends on the kernel's nfnetlink_log delivery, which is disabled on most stock Android 12–14 GKI kernels. Used only where a capability probe (plus a delivery liveness check) confirms it works.

Requires root on the target (Android: rooted device + adb; Linux: root/sudo).
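The Tier 1 idea, as an added example that is not AppTap's own code: resolve the target UID's flows from a /proc/net/tcp snapshot, then keep only captured packets whose endpoints match one of those flows in either direction. The function names, the sample table and the packet tuples are constructed for illustration; the address decoding assumes a little-endian kernel and covers IPv4 TCP only.

```python
import socket

# Constructed sample of /proc/net/tcp (IPv4 only); the UID is the 8th column.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:C350 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 40111 1 0 20 4 30 10 -1
   1: 0F02000A:C351 08080808:01BB 01 00000000:00000000 00:00000000 00000000 10456        0 40112 1 0 20 4 30 10 -1
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40113 1 0 20 4 30 10 -1
"""

def decode_endpoint(field):
    """'0F02000A:C350' -> ('10.0.2.15', 50000); assumes a little-endian kernel."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
    return ip, int(port_hex, 16)

def flows_for_uids(proc_net_tcp, uids):
    """Return the set of (local, remote) endpoint pairs owned by the given UIDs."""
    flows = set()
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) < 8 or int(cols[7]) not in uids:
            continue
        flows.add((decode_endpoint(cols[1]), decode_endpoint(cols[2])))
    return flows

def keep_packet(pkt, flows):
    """pkt = (src, dst) endpoints of a captured TCP packet; match either direction."""
    src, dst = pkt
    return (src, dst) in flows or (dst, src) in flows

def filter_capture(packets, proc_net_tcp, uids):
    """Keep only the packets that belong to a flow owned by one of the UIDs."""
    flows = flows_for_uids(proc_net_tcp, uids)
    return [p for p in packets if keep_packet(p, flows)]

# Constructed packets as seen on the interface (all TCP).
PACKETS = [
    (("10.0.2.15", 50000), ("93.184.216.34", 443)),   # target app, outbound
    (("93.184.216.34", 443), ("10.0.2.15", 50000)),   # target app, reply
    (("10.0.2.15", 50001), ("8.8.8.8", 443)),         # another app (UID 10456)
]

if __name__ == "__main__":
    for pkt in filter_capture(PACKETS, SAMPLE_PROC_NET_TCP, {10123}):
        print(pkt)
```

A single snapshot misses sockets opened after it was taken, so a filter built this way has to re-sample the socket table for as long as the capture runs.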

Install

pip install AppTap

CLI

apptap com.example.app --device <serial> -o app.pcap        # Android (adb)
apptap 1234 --local -o app.pcap                             # Linux (pid)
apptap com.example.app --device <serial> --tier sockdiag --strict -d 30
apptap --probe   --device <serial>                          # report capabilities + chosen tier
apptap --cleanup --device <serial>                          # remove any leftover APPTAP_* rules

Library

import apptap

result = apptap.capture(
    target=apptap.Target(package="com.example.app"),
    executor=apptap.AdbExecutor(device_id="<serial>"),   # or apptap.LocalExecutor()
    output="app.pcap",
    breadth=apptap.Breadth.APP_ISOLATED_DNS,             # default
    tier=apptap.Tier.AUTO,
)
print(result.tier, result.uids, result.pcap_path)

Drive the lifecycle yourself (capture while you run/instrument the app):

with apptap.CaptureSession(target=..., executor=..., output="app.pcap") as cap:
    cap.start()
    ...            # launch the app / attach your instrumentation
    cap.stop()
result = cap.result

Bring your own transport by implementing the apptap.Executor protocol (or wrapping an existing one): AppTap runs every command through it, so it can reuse a host tool's adb/root plumbing.

License

MIT © Daniel Baier

Source Distribution

apptap-0.2.0.tar.gz (5.4 MB)

Built Distribution

apptap-0.2.0-py3-none-any.whl (5.2 MB)

File details

Details for the file apptap-0.2.0.tar.gz.

File metadata

  • Download URL: apptap-0.2.0.tar.gz
  • Upload date:
  • Size: 5.4 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for apptap-0.2.0.tar.gz
Algorithm Hash digest
SHA256 4db12e2a12f75d343655031aa6ecab06d2e94c0153c34e873edfee4081f05ff7
MD5 9c5c49d598b11a65318416a6d7ae7f56
BLAKE2b-256 8204bfbc3f7b3a8fc40ce0fd95a59fa8cba113ff54e86ef03a7c78fd07715342

Provenance

The following attestation bundles were made for apptap-0.2.0.tar.gz:

Publisher: publish.yml on monkeywave/AppTap

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file apptap-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: apptap-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 5.2 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for apptap-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a7da6b8274cfdd050f365b690194e0e6f1aceb3879ae68a5a155860c916d9109
MD5 79544d2fc8c37844aee78ab527a8a1d8
BLAKE2b-256 f60a9e59eebc6a4847e419a7d520a02bff40369da2beb46591b8644a9dd9ba92

Provenance

The following attestation bundles were made for apptap-0.2.0-py3-none-any.whl:

Publisher: publish.yml on monkeywave/AppTap
