Quick Start Guide¶

Get up and running with friTap in minutes! This guide covers the most common use cases and essential commands.

Basic Usage Patterns¶

friTap operates in two main modes:

Key Extraction Mode: Extract TLS keys for offline analysis
Live Decryption Mode: Decrypt and capture traffic in real-time

Key Extraction

In general, friTap’s key extraction -k <keylogfile> mode is better supported than its live decryption mode.

Desktop Applications¶

Extract TLS Keys¶

# Extract keys from Firefox
sudo fritap -k firefox_keys.log firefox

# Extract keys from a specific process ID
sudo fritap -k keys.log --pid 1234

Capture Decrypted Traffic¶

# Capture decrypted traffic as PCAP
sudo fritap --pcap decrypted.pcap firefox

# Combine key extraction and PCAP capture
sudo fritap -k keys.log --pcap traffic.pcap firefox

Live Analysis¶

# Display decrypted traffic in terminal
sudo fritap firefox

# Verbose output with debugging
sudo fritap -v firefox

Mobile Applications¶

Android Analysis¶

# Extract keys from Android app
fritap -m -k keys.log com.example.app

# Capture decrypted traffic
fritap -m --pcap decrypted.pcap com.example.app

# Spawn app and analyze from start
fritap -m -f com.example.app

iOS Analysis¶

# Extract keys from iOS app
fritap -m -k keys.log com.example.app

# Analyze running app
fritap -m --pcap decrypted.pcap com.example.app

Common Command Patterns¶

Process Selection¶

# By process name
fritap firefox

# By process ID
fritap 1234

# By package name (mobile)
fritap -m com.example.app

# List running processes
frida-ps

Output Options¶

# Save keys to file
fritap -k output.log target

# Save PCAP to file
fritap --pcap output.pcap target

# Save session metadata as JSON
fritap --json metadata.json target

# Display output in terminal
fritap target

# Combine all output formats
fritap -k keys.log --pcap traffic.pcap --json metadata.json target

Advanced Options¶

# Enable verbose logging
fritap -v target

# Debug output
fritap -do target

# Disable colors
fritap --no-color target

# Set custom timeout
fritap --timeout 30 target

Practical Examples¶

Example 1: Analyze Web Browser Traffic¶

# Start Firefox and capture comprehensive data
sudo fritap -k firefox_keys.log --pcap firefox_traffic.pcap --json firefox_metadata.json firefox

# Open Firefox, browse to websites
# Press Ctrl+C to stop capture

# Analyze results
wireshark firefox_traffic.pcap  # View decrypted traffic
cat firefox_metadata.json | jq '.statistics'  # View session statistics

Example 2: Mobile App Analysis¶

# Connect Android device
adb devices

# Start frida-server on device
adb shell su -c "/data/local/tmp/frida-server &"

# Analyze Instagram app with comprehensive logging
fritap -m -k instagram_keys.log --json instagram_metadata.json com.instagram.android

# Open Instagram app and use it
# Keys will be saved to instagram_keys.log
# Session data will be saved to instagram_metadata.json

# Analyze the results
cat instagram_metadata.json | jq '.connections[] | {dst_addr, data_length}'

Example 3: Malware Analysis¶

# Run malware sample in isolated environment with full logging
sudo fritap -k malware_keys.log --pcap malware_traffic.pcap --json malware_analysis.json ./malware_sample

# Analyze captured data
wireshark malware_traffic.pcap  # Visual analysis
cat malware_analysis.json | jq '.connections, .errors'  # Programmatic analysis

Working with Output Files¶

TLS Key Files¶

Key files use the NSS Key Log format:

# Example content of keys.log
CLIENT_RANDOM 52345678... ABCDEF123456...
CLIENT_RANDOM 87654321... FEDCBA654321...

Usage with Wireshark: 1. Open Wireshark 2. Go to Edit → Preferences 3. Navigate to Protocols → TLS 4. Set "Pre-Master-Secret log filename" to your key file 5. Load your network capture

PCAP Files¶

PCAP files contain decrypted network traffic:

# View with tcpdump
tcpdump -r decrypted.pcap

# Analyze with Wireshark
wireshark decrypted.pcap

# Extract specific protocols
tcpdump -r decrypted.pcap 'port 443'

Live Analysis with Wireshark¶

friTap supports live analysis with Wireshark through named pipes:

# Linux/macOS
fritap -l target

# Windows
fritap --live target

# Then open Wireshark:
# File → Open → Select the named pipe

Common Scenarios¶

Scenario 1: API Analysis¶

# Mobile app making API calls
fritap -m -k api_keys.log --json api_metadata.json com.example.app

# Desktop application with comprehensive logging
sudo fritap -k api_keys.log --pcap api_traffic.pcap --json api_analysis.json python api_client.py

# Analyze API endpoints
cat api_metadata.json | jq '.connections[] | .dst_addr' | sort | uniq

Scenario 2: Certificate Pinning Bypass¶

# Analyze app with certificate pinning
fritap -m --enable_default_fd --pcap pinned_traffic.pcap --json pinning_analysis.json com.example.app

# Check for pinning bypass indicators
cat pinning_analysis.json | jq '.errors[] | select(.type == "ssl_error")'

Scenario 3: Multi-Process Analysis¶

# Capture subprocess traffic with detailed logging
fritap --enable_spawn_gating --pcap all_traffic.pcap --json process_tree.json parent_process

# Analyze process spawn patterns
cat process_tree.json | jq '.connections[] | {timestamp, dst_addr}' | head -10

Troubleshooting Quick Fixes¶

No Traffic Captured¶

# Use default socket information
fritap --enable_default_fd target

# Enable spawn gating for subprocesses
fritap --enable_spawn_gating target

# Full packet capture mode
fritap --full_capture target

Permission Issues¶

# Linux/macOS
sudo fritap [options] target

# Windows (run as Administrator)
fritap [options] target

Mobile Connection Issues¶

# Check device connection
frida-ls-devices
Id              Type    Name             OS
--------------  ------  ---------------  ------------
local           local   Local System     macOS 15.3.1
09011FDD4007DJ  usb     Pixel 5          Android 14
barebone        remote  GDB Remote Stub
socket          remote  Local Socket

# Restart frida-server
adb shell su -c "killall frida-server"
adb shell su -c "/data/local/tmp/frida-server &"

Best Practices¶

1. Start Simple¶

Begin with basic key extraction:

fritap -k keys.log target

2. Use Verbose Mode for Debugging¶

fritap -v -k keys.log target

3. Combine Multiple Outputs¶

fritap -k keys.log --pcap traffic.pcap --json metadata.json target

4. Save Debug Information¶

fritap -do -v --json debug_metadata.json target 2>&1 | tee debug.log

5. Test with Known Applications¶

Start with browsers or curl:

# Test with curl
sudo fritap --pcap curl_traffic.pcap curl https://httpbin.org/get

# Test with Firefox
sudo fritap -k firefox_keys.log firefox

Next Steps¶

Once you're comfortable with basic usage:

Explore Advanced Features for pattern-based hooking
Read Platform Guides for detailed platform-specific instructions
Check Usage Examples for real-world scenarios
Learn about SSL/TLS Libraries for library-specific tips

Quick Reference¶

Essential Commands¶

# Key extraction
fritap -k keys.log target

# PCAP capture
fritap --pcap traffic.pcap target

# JSON metadata
fritap --json metadata.json target

# Mobile analysis
fritap -m -k keys.log --json mobile_data.json com.example.app

# Live analysis
fritap -l target

# Comprehensive analysis
fritap -k keys.log --pcap traffic.pcap --json metadata.json target

Common Options¶

Option	Description
`-k, --keylog`	Save TLS keys to file
`-p, --pcap`	Save decrypted traffic to PCAP
`-j, --json`	Save session metadata as JSON
`-m, --mobile`	Mobile application analysis
`-s, --spawn`	Spawn and analyze application
`-v, --verbose`	Verbose output
`-do, --debug-output`	Debug output
`-l, --live`	Live analysis with Wireshark