When the packet capture tool first starts, the interface is empty, but as soon as you open an app or refresh a page, it quickly becomes like this:
- Hundreds of requests
- A continuously scrolling list
- Multiple domains appearing interleaved
Without filtering methods, it’s difficult to find the target interface from this.
First, Clean Up the Environment
When capturing packets for the first time, an easy step to overlook is clearing the history.
In Charles, SniffMaster, or Proxyman:
- Click the clear button (Clear Session)
- Confirm the list is empty
- Pause app operations
Next, only trigger the target operation once, such as clicking the “Login” button.
Observe the Changes
At this point, the packet capture list will show a small batch of requests, for example:
- Login interface
- Accompanying configuration requests
- A few CDN resources
The number is significantly reduced, allowing analysis to begin.
Narrow the Scope First by Filtering by Domain
If there are still many requests, you can first filter by domain.
In Charles:
- View the domain list on the left
- Find domains related to the business
- Click to expand
For example:
api.example.com
Only view requests under this domain, which can remove:
- Image resources
- Third-party analytics
- CDN requests
Use Filters to Locate the Interface
Proxy packet capture tools generally provide filtering functions.
For example, in Charles:
- Enter a keyword in the Filter
- Input part of the interface path
For example:
/login
The list will only show matching requests.
Observe the Changes
After filtering, you can directly see:
- Request method
- Request parameters
- Response data
If the interface path is uncertain, you can first observe the URL structure and then adjust the keyword.
Reduce Interference in Mobile Device Packet Capture
When capturing packets on iOS, traffic tends to be more because it includes:
- System service requests
- DNS queries
- Apple background services
If capturing directly, it’s hard to filter.
Use SniffMaster to Filter by App
In SniffMaster, you can directly filter by app.
Steps:
- Connect iPhone (via USB)
- Start SniffMaster
- Enter the packet capture interface
- Click Select App
- Check the target application
- Start capturing packets
Observe the Changes
The packet capture list will only show traffic from that app:
- No longer includes system requests
- No longer includes traffic from other apps
At this point, the data volume is significantly reduced.
Further Filter by Request Type
If the target interface belongs to a specific type, you can continue filtering.
For example:
- Only view POST requests
- Only view JSON data
Set filtering conditions in the packet capture tool:
- Method = POST
- Content-Type = application/json
This can quickly locate interface calls.
Combine Sorting to Find Key Requests
When there are still many requests, you can use sorting functions.
For example:
- Sort by time
- Sort by data size
In some interfaces:
- Login interfaces return larger data
- Configuration interfaces return JSON
By sorting, you can find these requests faster.
Handle Continuously Refreshing Traffic
Some apps continuously send requests, for example:
- Heartbeat packets
- Long connections
- Real-time data refreshes
In such cases, you can:
- First stop packet capture
- Clear the data
- Start capturing packets again
- Immediately trigger the target operation
Avoid historical traffic interfering with analysis.
When facing the situation of “too much traffic,” you can operate in this order:
- Clear packet capture records
- Only trigger the target operation once
- Narrow the scope by filtering by domain
- Use keyword filtering
- If necessary, filter by app
- Use time or sorting to assist in locating
Reference link: https://www.sniffmaster.net/blog/132