Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: NY - Mon, 30 Aug 2021 18:55 UTC

I'm trying to investigate a bizarre problem: none of the browsers
(Firefox, Google Chrome, Dolphin) on my Android 8 (Samsung Galaxy S7)
phone can access a specific web site (my own site of weather station
data, hosted by GoDaddy). This worked perfectly until a few days ago.
The symptom is that the browser usually times out. Very occasionally it
works fine, but only for a couple of pages on the site before failing
again. I can still access the site from browsers on Windows, Linux and iPad.

What is weird is that it fails over my wifi/VDSL connection, but works
over my Vodafone mobile internet connection.

I'd like to see what traffic (eg HTTP GET) the browser is sending, and
what response from the server is received, and compare these with
corresponding traffic for accessing the site from Windows or Linux -
which still work perfectly.

I gather that a lot of Wireshark-equivalents need the phone to be
rooted. I've found a few which don't: Packet Capture (Grey Shirts) and
PCAPDroid (Emanuele Faranda). However neither seem to work.

Both apps show traffic to/from the IP (as determined by NSLOOKUP on
Windows), so the DNS name-to-IP mapping is working.

Packet Capture shows traffic between Dolphin (for example) and the IP
address of my site. But it reports "no data". It does that for most
network traffic, including a successful browse to Facebook's web page as
a test.

PCAPDroid shows Dolphin sending a 60-byte packet out and getting no
response - but it won't show the data in the packet (even as hex), nor
can I see a way to export a capture to a PCAP file which I could analyse
in Wireshark on a PC.

So, is there any Android packet-capture software that actually works,
which will see the packets (maybe display them as hex to prove that it's
worked!) and will export to PCAP file for Wireshark to analyse.

I want a network trace that I can send to GoDaddy and maybe my ISP to
say "this is what I'm sending and (not) receiving - what's going on?".

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: Andy Burns - Mon, 30 Aug 2021 18:59 UTC

NY wrote:

> I want a network trace that I can send to GoDaddy and maybe my ISP to
> say "this is what I'm sending and (not) receiving - what's going on?".

Could you try proxy settings in the browser, to a proxy under your
control, then wireshark it at the proxy? Of course that might "fix" the
problem, which wouldn't help ...

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: NY - Mon, 30 Aug 2021 19:43 UTC

On 30/08/2021 19:55, NY wrote:
> So, is there any Android packet-capture software that actually works,
> which will see the packets (maybe display them as hex to prove that it's
> worked!) and will export to PCAP file for Wireshark to analyse.

I've also tried Debug Proxy (Mateus Pinhero) and that doesn't see ANY
traffic from ANY app.

Either I'm missing something very obvious with using these
Wireshark-like packet-capture apps, or they simply don't work on my phone.

I can't use Wireshark on a Windows PC (even if it is connected to the
same wifi as the phone) because my router or my wifi adaptor doesn't
seem to support "promiscuous mode" - ie showing that isn't to or from my
IP address. That's why I need packet-capture on the same device as the
one which is generating the HTTP traffic.

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: NY - Mon, 30 Aug 2021 19:50 UTC

"NY" <me@privacy.net> wrote in message
news:h7udnaGI_fh2qbD8nZ2dnUU78bXNnZ2d@brightview.co.uk...
> On 30/08/2021 19:55, NY wrote:
>> So, is there any Android packet-capture software that actually works,
>> which will see the packets (maybe display them as hex to prove that it's
>> worked!) and will export to PCAP file for Wireshark to analyse.
>
> I've also tried Debug Proxy (Mateus Pinhero) and that doesn't see ANY
> traffic from ANY app.
>
> Either I'm missing something very obvious with using these Wireshark-like
> packet-capture apps, or they simply don't work on my phone.
>
>
>
> I can't use Wireshark on a Windows PC (even if it is connected to the same
> wifi as the phone) because my router or my wifi adaptor doesn't seem to
> support "promiscuous mode" - ie showing that isn't to or from my IP
> address. That's why I need packet-capture on the same device as the one
> which is generating the HTTP traffic.

Spot the missing word! I meant "showing *traffic* that isn't to or from my
IP address"

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: Andy Burns - Mon, 30 Aug 2021 20:02 UTC

NY wrote:

> I can't use Wireshark on a Windows PC (even if it is connected to the
> same wifi as the phone) because my router or my wifi adaptor doesn't
> seem to support "promiscuous mode"

I meant run a proxy+wireshark on a wired PC ...

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: NY - Mon, 30 Aug 2021 21:24 UTC

On 30/08/2021 21:02, Andy Burns wrote:
> NY wrote:
>
>> I can't use Wireshark on a Windows PC (even if it is connected to the
>> same wifi as the phone) because my router or my wifi adaptor doesn't
>> seem to support "promiscuous mode"
>
> I meant run a proxy+wireshark on a wired PC ...

Bugger!!!!

I set up CCproxy on my Windows PC and ran a Wireshark trace. I
configured Firefox Nightly (the development version which allows it to
use a proxy) to use my Windows PC as a SOCKS proxy. And I saw the HTTP
traffic beautifully, filtering on conversations between phone and
Windows PC.

Only problem - as you predicted earlier, this made it sodding-well work
:-( (You are allowed to laugh and say "told you so"!)

It's as if when the phone is using its own direct connection, something
happens to the HTTP traffic to/from the web server. But if it goes via
the Windows proxy, it works - probably because it is using the same
mechanism that a Windows browser on the PC uses, and that works fine.

So what is it about my site (http://goosebears.co.uk/weather) which is
breaking access from Android, when all other sites that I use work fine.
And why has it only started happening in the last few days?

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: sms - Mon, 30 Aug 2021 22:08 UTC

On 8/30/2021 2:24 PM, NY wrote:

<snip>.

> So what is it about my site (http://goosebears.co.uk/weather) which is
> breaking access from Android, when all other sites that I use work fine.
> And why has it only started happening in the last few days?

I've seen non-secure web sites (http instead of https) sometimes cause
problems.

I don't think that there is a packet capture app that works on
non-rooted Android. I've tried them and they don't display any data.

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: Theo - Mon, 30 Aug 2021 22:12 UTC

NY <me@privacy.net> wrote:
> So what is it about my site (http://goosebears.co.uk/weather) which is
> breaking access from Android, when all other sites that I use work fine.
> And why has it only started happening in the last few days?

As I posted on your thread in uk.telecom.broadband, your webserver is
telling your phone browser to upgrade to HTTP/2 over TLS, but the TLS
certificate on the server is broken.

My guess when you're using a proxy is that it doesn't support HTTP/2 or
isn't passing the Upgrade: header, so the upgrade doesn't happen and it
accesses the cleartext HTTP/1.1 version which works.

Theo

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: Theo - Mon, 30 Aug 2021 22:59 UTC

sms <scharf.steven@geemail.com> wrote:
> I don't think that there is a packet capture app that works on
> non-rooted Android. I've tried them and they don't display any data.

This one claims to set up a VPN through which you can run your traffic,
and then capture it into a .pcap file you can load into desktop Wireshark:
https://play.google.com/store/apps/details?id=com.egorovandreyrm.pcapremote

Not tested it, but it's how I'd expect a non-root capture app to work. This
is how non-root firewalling works and the idea is the same.

Watch the video on the listing and it's doing exactly what the OP wants to
do.

Theo

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: Rob - Tue, 31 Aug 2021 08:25 UTC

NY <me@privacy.net> wrote:
> I'm trying to investigate a bizarre problem: none of the browsers
> (Firefox, Google Chrome, Dolphin) on my Android 8 (Samsung Galaxy S7)
> phone can access a specific web site (my own site of weather station
> data, hosted by GoDaddy). This worked perfectly until a few days ago.
> The symptom is that the browser usually times out. Very occasionally it
> works fine, but only for a couple of pages on the site before failing
> again. I can still access the site from browsers on Windows, Linux and iPad.
>
> What is weird is that it fails over my wifi/VDSL connection, but works
> over my Vodafone mobile internet connection.

This is normally caused by a too aggressive firewall on your server,
e.g. as directed by the clueless "expert" Steve Gibson.

When your server firewall "blocks all ICMP" ("because ping is evil" or
"because you want to be stealth!") and your internet connection has
a maximum packet size (MTU) of less than 1500 bytes, you get this
exact problem.

An MTU of less than 1500 bytes is usually an issue when the internet
connection uses PPPoE as a link protocol (common with DSL lines).

The server will send packets of 1500 bytes, and the ISP will return
an ICMP packet saying "hey that is too big, maximum is 1492".
But your firewall drops the packet, your server software never gets
the message, and the connection stalls.

So, do not block ICMP. Also not when Steve recommends it.

To work around it, in some internet routers you can set up "TCP MSS
clamping", i.e. the router modifies the connection setup packet sent
from your phone to the server to indicate that you cannot receive
large packets. That fixes it for cases as you describe.
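
The MSS clamping described in the post above, as an added example that is not part of the original post: what a clamping router does to an IPv4 TCP SYN so the far end never sends segments larger than the path MTU (1492 in the PPPoE case above). The function names, the 40-byte header overhead and the sample packet (built with constructed addresses) are assumptions for illustration.

```python
import struct

IP_TCP_OVERHEAD = 40  # assumed: 20-byte IPv4 header + 20-byte TCP header

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (protocol 6)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)

def find_mss(tcp: bytes):
    """Return (offset, value) of the MSS option in a TCP header, else None."""
    end = min((tcp[12] >> 4) * 4, len(tcp))
    i = 20
    while i < end:
        kind = tcp[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding, one byte
            i += 1
            continue
        if i + 1 >= end:
            break
        length = tcp[i + 1]
        if length < 2 or i + length > end:
            break                          # malformed option, stop parsing
        if kind == 2 and length == 4:      # MSS option
            return i + 2, struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += length
    return None

def clamp_mss(packet: bytes, path_mtu: int) -> bytes:
    """Lower the MSS in an IPv4 TCP SYN to fit path_mtu; else return as-is."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return packet                      # not IPv4 carrying TCP
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if len(tcp) < 20 or not tcp[13] & 0x02:
        return packet                      # MSS is only sent on SYN segments
    found = find_mss(bytes(tcp))
    limit = path_mtu - IP_TCP_OVERHEAD
    if found is None or found[1] <= limit:
        return packet                      # nothing to clamp
    off = found[0]
    tcp[off:off + 2] = struct.pack("!H", limit)
    tcp[16:18] = b"\x00\x00"               # zero checksum field, then recompute
    tcp[16:18] = struct.pack(
        "!H", tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)       # IP header is untouched

def build_syn(src: bytes, dst: bytes, mss: int) -> bytes:
    """Constructed sample: minimal IPv4 TCP SYN carrying only an MSS option."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                                6 << 4, 0x02, 65535, 0, 0))
    tcp += struct.pack("!BBH", 2, 4, mss)
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp),
                               0, 0x4000, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp)

if __name__ == "__main__":
    # Constructed addresses: a LAN phone and a documentation-range server.
    phone, server = bytes([192, 168, 1, 50]), bytes([203, 0, 113, 10])
    syn = build_syn(phone, server, 1460)
    clamped = clamp_mss(syn, 1492)
    print("MSS before:", find_mss(syn[20:])[1])
    print("MSS after: ", find_mss(clamped[20:])[1])
```
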

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: Andy Burns - Tue, 31 Aug 2021 08:33 UTC

NY wrote:

> So what is it about my site (http://goosebears.co.uk/weather) which is
> breaking access from Android

Well, as I said the other day, it's not broken for me

Google Pixel3 with android 11
using current Firefox
over Wifi to my Vigor router
via VDSL to Plusnet

Anything else I can test?

Re: Network packet capture app (like Wireshark) for non-rooted phone (Android 8.0.0)

 by: Andy Burns - Tue, 31 Aug 2021 08:36 UTC

Theo wrote:

> your webserver is telling your phone browser to upgrade to HTTP/2
> over TLS

It stays as http:// with my desktop and android firefoxes

