Capture Local Traffic UX: mitmdump UX

[mhils]

Background

Starting with mitmproxy 9, WireGuard mode can be used to transparently proxy devices or even individual applications on Android. This is much simpler to set up than a traditional iptables-based proxy and a great UX win. 🎉 However, it does not help with inspecting applications running on the same device as mitmproxy.

Capturing local processes

To make it simpler to intercept local processes, @emanuele-em, @decathorpe and I are currently working on platform-specific
methods to redirect traffic to mitmproxy. The primary objective is that users should be able to say "intercept curl.exe", and all local cURL processes will be transparently intercepted by mitmproxy. Secondly, users should also be able to say "intercept all traffic on this machine".

The great news is that we've already finished the raw Windows and macOS functionality for this over in mitmproxy_rs over the last couple of months. The question now is how the UI and UX for this should look like. For this issue I'd like to focus on mitmdump usage, with mitmweb and mitmproxy coming later. I'm naturally a bit professionally blinkered at this point, so feedback from anyone is welcome!

Non-Interactive Command-Line Usage

mitmproxy is often used noninteractively using the mitmdump tool. For example, mitmdump --mode reverse:https://example.com starts a reverse proxy to example.com. How should a mitmdump command line invocation for "intercept curl.exe on the current device" look like?

Some proposals:

# Capture all traffic
mitmdump --mode capture-local
mitmdump --mode local
mitmdump --mode osproxy
# Capture a specific process
mitmdump --mode capture-local:curl
mitmdump --mode local:curl
mitmdump --mode osproxy:curl
mitmdump --mode osproxy --app curl

@mitmproxy/devs and everyone else: Any preferences? Any ideas for better terms / better UX here?

[emanuele-em]

from the proposals my preference goes to

# All traffic
mitmdump --mode local
# Specific
mitmdump --mode local:curl

but maybe to have clearer filters it would be better to have something like:

# Specific
mitmdump --mode local --app curl
mitmdump --mode local --pid 7256
mitmdump --mode local --domain github.com 

---

Possible alternatives

# Capture all traffic
mitmdump --mode self
mitmdump --mode self-capture

[mhils]

# Specific
mitmdump --mode local --app curl
mitmdump --mode local --pid 7256
mitmdump --mode local --domain github.com 

That implicitly raises the question what we want to filter on. Domain is extremely hard because that can only be derived reliably from stream contents, which we don't have initially. So I would prefer we don't do that at this layer (one can still use ignore_domains). PID is currently supported by the Windows redirector, but not sure if that's super useful in general. Maybe just app name is really what we want?

[emanuele-em]

Maybe just app name is really what we want?

However, I see the app specification as an actual filter to be applied to the generic case (of intercepting all processes) and using a separate argument seems (to me) more flexible even in view of possible future changes BUT It depends on how important it is to filter packets at this level (maybe not much except for the case of apps)

[meitinger]

At the risk of capturing too much and throwing away a lot, wouldn't it be more flexible to store the application information in the flow and provide a filter for it, e.g. ~app regex?
Since there already is OS specific code parsing PE version information, we could then have something like ! (~app.company Microsoft) or ! (~app.product *Windows*) filtering out noise. I'd be happy to work on that, btw. :)

If that's too much change on the Python side or too much capture overhead, maybe go the other direction and allow a filter expression for the local mode, perhaps - to not confuse it with the flow filters - in WireShark syntax?

[mhils]

This is a bit tangential, but we're already passing the application info to mitmproxy (here), and I'd like to implement something like ~app filters in mitmproxy as well. But I think we need something before that, piping everything on the system through mitmproxy will be a hard-to-fix performance issue in some cases.

So yes, we are pretty much creating a new filter syntax here. For example, in mitmdump --mode local:curl,wget, curl,wget is the filter. But I want those filters to be as simple as possible for now, i.e. either a comma-separated list of applications to include or a "catch all" mode. In mitmweb we will only display a process list (without text-based filter input). Maybe we can extend that later, but for now let's keep it as simple as possible. :)

[meitinger]

In that case I concur with @emanuele-em's preferences above.

I'd too argue for supporting PIDs, though. That would allow to target a specific instance of, say, svchost.exe or a sandboxed Chromium-based browser tab/worker. So if a name is an integer, maybe treat it as PID? (where available)

(PS: If that raises the question "What if the executable name is an integer?" my answer would be "What if the executable name contains a comma?" :)

[mhils]

So if a name is an integer, maybe treat it as PID? (where available)

This is how the Windows implementation works already. :)