Application-Scoped Traffic Acquisition Pipeline — capture only one application's network traffic, scoped by its Linux UID.
Project description
AppTap
Capture only one application's network traffic, scoped by its Linux UID, using the kernel's
authoritative knowledge of which UID owns each socket — something tcpdump/BPF alone cannot do (UID
is a socket property, absent from the wire).
AppTap is both an importable library and a standalone CLI tool. It acquires an app-scoped pcap (plus the matching connection set). It deliberately does not decrypt TLS or handle keys — that is the consumer's job (e.g. friTap, which embeds decryption keys onto AppTap's pcap).
How it works — two tiers, auto-selected
Two kernel mechanisms can scope capture by UID, and neither is universally available, so AppTap probes and picks the best one at runtime:
- Tier 1 — interface capture + kernel socket-table UID filter (robust default). Capture on the interface, then keep only packets whose 5-tuple belongs to the target UID(s), resolved from the kernel's authoritative socket→UID table (SOCK_DIAG / /proc/net/{tcp,tcp6,udp,udp6}). Works on every Android/Linux version.
- Tier 2 — iptables owner + CONNMARK + NFLOG in-kernel pre-filter (opportunistic). The kernel selects only the app's packets and copies them to userspace. Cleanest and most private, but depends on the kernel's nfnetlink_log delivery, which is disabled on most stock Android 12–14 GKI kernels. Used only where a capability probe (plus a delivery liveness check) confirms it works.
Requires root on the target (Android: rooted device + adb; Linux: root/sudo).
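Tier 1's matching step, sketched as an added example (not AppTap's own code): parse a /proc/net/tcp-style table, collect the flows owned by the target UID, and test a packet's 5-tuple against them. The sample table, the UIDs and the function names are constructed for illustration, and a little-endian host is assumed.

```python
import ipaddress

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:C350 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 41001
   1: 0F02000A:C351 08080808:01BB 01 00000000:00000000 00:00000000 00000000 10077        0 41002
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41003
"""


def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' as printed in /proc/net/{tcp,tcp6,udp,udp6}."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    # The kernel prints each 32-bit address word in host byte order.
    # Assumption: little-endian host (ARM/x86), so reverse every 4-byte word.
    # One word is an IPv4 address, four words are an IPv6 address.
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return str(ipaddress.ip_address(fixed)), int(port_hex, 16)


def flows_for_uids(table_text, uids, proto="tcp"):
    """Return {(proto, (local_ip, port), (remote_ip, port))} for sockets owned by uids."""
    flows = set()
    for line in table_text.splitlines()[1:]:      # skip the column header
        cols = line.split()
        if len(cols) < 8 or int(cols[7]) not in uids:   # column 7 is the owning UID
            continue
        flows.add((proto, decode_endpoint(cols[1]), decode_endpoint(cols[2])))
    return flows


def packet_in_scope(flows, proto, src, dst):
    """A captured packet belongs to the app if it matches an owned flow in either direction."""
    return (proto, src, dst) in flows or (proto, dst, src) in flows


if __name__ == "__main__":
    owned = flows_for_uids(SAMPLE_PROC_NET_TCP, {10234})
    print(packet_in_scope(owned, "tcp", ("93.184.216.34", 443), ("10.0.2.15", 50000)))
    print(packet_in_scope(owned, "tcp", ("10.0.2.15", 50001), ("8.8.8.8", 443)))
```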
Install
```sh
pip install AppTap
```
CLI
```sh
apptap com.example.app --device <serial> -o app.pcap   # Android (adb)
apptap 1234 --local -o app.pcap                        # Linux (pid)
apptap com.example.app --device <serial> --tier sockdiag --strict -d 30
apptap --probe --device <serial>                       # report capabilities + chosen tier
apptap --cleanup --device <serial>                     # remove any leftover APPTAP_* rules
```
Library
```python
import apptap

result = apptap.capture(
    target=apptap.Target(package="com.example.app"),
    executor=apptap.AdbExecutor(device_id="<serial>"),  # or apptap.LocalExecutor()
    output="app.pcap",
    breadth=apptap.Breadth.APP_ISOLATED_DNS,  # default
    tier=apptap.Tier.AUTO,
)
print(result.tier, result.uids, result.pcap_path)
```
Drive the lifecycle yourself (capture while you run/instrument the app):
```python
with apptap.CaptureSession(target=..., executor=..., output="app.pcap") as cap:
    cap.start()
    ...  # launch the app / attach your instrumentation
    cap.stop()
result = cap.result
```
Bring your own transport by implementing the apptap.Executor protocol (or wrapping an existing one): AppTap runs every command through it, so it can reuse a host tool's adb/root plumbing.
License
MIT © Daniel Baier
File details
Details for the file apptap-0.3.0.tar.gz.
File metadata
- Download URL: apptap-0.3.0.tar.gz
- Upload date:
- Size: 5.4 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 2ae43f671857cd18cd834e1bb078233e59dc7a00ed58364a2c48dc5f41bdef78 |
| MD5 | 2a0fa6d5c3b95e6b506ab284ebed2f88 |
| BLAKE2b-256 | 76da5869cccbfbe92916876ec104a0a105abeee8e90437797c867019bdcfa0a0 |
Provenance
The following attestation bundles were made for apptap-0.3.0.tar.gz:
Publisher: publish.yml on monkeywave/AppTap
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: apptap-0.3.0.tar.gz
  - Subject digest: 2ae43f671857cd18cd834e1bb078233e59dc7a00ed58364a2c48dc5f41bdef78
- Sigstore transparency entry: 2059018517
- Sigstore integration time:
- Permalink: monkeywave/AppTap@1c78e54d8b7de24f577ee4dc953089eaf577dd5c
- Branch / Tag: refs/heads/main
- Owner: https://github.com/monkeywave
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@1c78e54d8b7de24f577ee4dc953089eaf577dd5c
- Trigger Event: push
File details
Details for the file apptap-0.3.0-py3-none-any.whl.
File metadata
- Download URL: apptap-0.3.0-py3-none-any.whl
- Upload date:
- Size: 5.2 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4efcf7ca8f0fb2aa1d456beb91a9f28f58ef0877f69e118b55a792801d0ebc40 |
| MD5 | 5b80c70c6998a963649176f3af67dd3e |
| BLAKE2b-256 | bf97e23c5804254190d0bd176a1f7d9eba91ecb7da95f11b20b4a56d2fdbeede |
Provenance
The following attestation bundles were made for apptap-0.3.0-py3-none-any.whl:
Publisher: publish.yml on monkeywave/AppTap
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: apptap-0.3.0-py3-none-any.whl
  - Subject digest: 4efcf7ca8f0fb2aa1d456beb91a9f28f58ef0877f69e118b55a792801d0ebc40
- Sigstore transparency entry: 2059018739
- Sigstore integration time:
- Permalink: monkeywave/AppTap@1c78e54d8b7de24f577ee4dc953089eaf577dd5c
- Branch / Tag: refs/heads/main
- Owner: https://github.com/monkeywave
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@1c78e54d8b7de24f577ee4dc953089eaf577dd5c
- Trigger Event: push