
Application-Scoped Traffic Acquisition Pipeline — capture only one application's network traffic, scoped by its Linux UID.

Project description


AppTap


Capture only one application's network traffic, scoped by its Linux UID, using the kernel's authoritative knowledge of which UID owns each socket — something tcpdump/BPF alone cannot do (UID is a socket property, absent from the wire).

AppTap is both an importable library and a standalone CLI tool. It acquires an app-scoped pcap (plus the matching connection set). It deliberately does not decrypt TLS or handle keys — that is the consumer's job (e.g. friTap, which embeds decryption keys onto AppTap's pcap).

How it works — two tiers, auto-selected

Two kernel mechanisms can scope capture by UID, and neither is universally available, so AppTap probes and picks the best one at runtime:

  • Tier 1 — interface capture + kernel socket-table UID filter (robust default). Capture on the interface, then keep only packets whose 5-tuple belongs to the target UID(s), resolved from the kernel's authoritative socket→UID table (SOCK_DIAG / /proc/net/{tcp,tcp6,udp,udp6}). Works on every Android/Linux version.
  • Tier 2 — iptables owner + CONNMARK + NFLOG in-kernel pre-filter (opportunistic). The kernel selects only the app's packets and copies them to userspace. Cleanest and most private, but depends on the kernel's nfnetlink_log delivery, which is disabled on most stock Android 12–14 GKI kernels. Used only where a capability probe (plus a delivery liveness check) confirms it works.
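The Tier 1 idea above, as an added example (not AppTap's own code): parse a `/proc/net/tcp`-format table, collect the 5-tuples owned by the target UID, and keep only packets that match in either direction. The function names and the sample table are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import ipaddress

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:D2F0 2D6433C6:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 41234 1
   1: 0F02000A:C350 0A6433C6:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 41240 1
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41250 1
"""


def decode_endpoint(field):
    """'0F02000A:D2F0' -> ('10.0.2.15', 54000). Hypothetical helper."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    # The kernel prints each 32-bit word in host byte order, so swap every
    # 4-byte group (assumes little-endian); 4 bytes = IPv4, 16 bytes = IPv6.
    net = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return str(ipaddress.ip_address(net)), int(port_hex, 16)


def flows_for_uids(table_text, uids, proto="tcp"):
    """Return the set of (proto, local, lport, remote, rport) owned by uids."""
    flows = set()
    for line in table_text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        # Column 7 is the owning UID; ignore short or foreign rows.
        if len(cols) < 8 or int(cols[7]) not in uids:
            continue
        flows.add((proto, *decode_endpoint(cols[1]), *decode_endpoint(cols[2])))
    return flows


def belongs_to_app(pkt, flows):
    """pkt = (proto, src, sport, dst, dport); match outbound or inbound."""
    proto, src, sport, dst, dport = pkt
    return pkt in flows or (proto, dst, dport, src, sport) in flows


if __name__ == "__main__":
    app_flows = flows_for_uids(SAMPLE_PROC_NET_TCP, {10234})
    inbound = ("tcp", "198.51.100.45", 443, "10.0.2.15", 54000)
    other_app = ("tcp", "10.0.2.15", 50000, "198.51.100.10", 443)
    print(belongs_to_app(inbound, app_flows), belongs_to_app(other_app, app_flows))
```

The listening socket in row 2 lands in the flow set with a remote of `0.0.0.0:0`, so it never matches a real packet.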

Requires root on the target (Android: rooted device + adb; Linux: root/sudo).

Install

pip install AppTap

CLI

apptap com.example.app --device <serial> -o app.pcap        # Android (adb)
apptap 1234 --local -o app.pcap                             # Linux (pid)
apptap com.example.app --device <serial> --tier sockdiag --strict -d 30
apptap --probe   --device <serial>                          # report capabilities + chosen tier
apptap --cleanup --device <serial>                          # remove any leftover APPTAP_* rules

Library

import apptap

result = apptap.capture(
    target=apptap.Target(package="com.example.app"),
    executor=apptap.AdbExecutor(device_id="<serial>"),   # or apptap.LocalExecutor()
    output="app.pcap",
    breadth=apptap.Breadth.APP_ISOLATED_DNS,             # default
    tier=apptap.Tier.AUTO,
)
print(result.tier, result.uids, result.pcap_path)

Drive the lifecycle yourself (capture while you run/instrument the app):

with apptap.CaptureSession(target=..., executor=..., output="app.pcap") as cap:
    cap.start()
    ...            # launch the app / attach your instrumentation
    cap.stop()
result = cap.result

Bring your own transport by implementing the apptap.Executor protocol (or wrapping an existing one): AppTap runs every command through it, so it can reuse a host tool's adb/root plumbing.

License

MIT © Daniel Baier



Download files


Source Distribution

apptap-0.3.0.tar.gz (5.4 MB view details)

Uploaded Source

Built Distribution


apptap-0.3.0-py3-none-any.whl (5.2 MB view details)

Uploaded Python 3

File details

Details for the file apptap-0.3.0.tar.gz.

File metadata

  • Download URL: apptap-0.3.0.tar.gz
  • Size: 5.4 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for apptap-0.3.0.tar.gz
Algorithm Hash digest
SHA256 2ae43f671857cd18cd834e1bb078233e59dc7a00ed58364a2c48dc5f41bdef78
MD5 2a0fa6d5c3b95e6b506ab284ebed2f88
BLAKE2b-256 76da5869cccbfbe92916876ec104a0a105abeee8e90437797c867019bdcfa0a0


Provenance

The following attestation bundles were made for apptap-0.3.0.tar.gz:

Publisher: publish.yml on monkeywave/AppTap

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file apptap-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: apptap-0.3.0-py3-none-any.whl
  • Size: 5.2 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for apptap-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4efcf7ca8f0fb2aa1d456beb91a9f28f58ef0877f69e118b55a792801d0ebc40
MD5 5b80c70c6998a963649176f3af67dd3e
BLAKE2b-256 bf97e23c5804254190d0bd176a1f7d9eba91ecb7da95f11b20b4a56d2fdbeede


Provenance

The following attestation bundles were made for apptap-0.3.0-py3-none-any.whl:

Publisher: publish.yml on monkeywave/AppTap

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
