Traffic Analysis with mitmproxy: A Complete Guide for Debugging and Security

Introduction

mitmproxy is a powerful and flexible tool for inspecting, manipulating, and analyzing traffic. HTTP/HTTPS In development environments, it is used to security test and debug mobile and web applications. This guide provides step-by-step implementation, practical examples, common configurations (including transparent proxy), security tips, and scalability methods are reviewed.

This article is written for site administrators, developers, DevOps, and security teams and provides examples and executable Linux commands.

Why analyze traffic with mitmproxy?

mitmproxy Ability to view TLS encrypted requests and responses by installing a local certificate (MITM CA) on the client; this feature is great for debugging APIs, analyzing application behavior, security testing, and recording/playing traffic.

The set includes tools mitmproxy (interactive), mitmdump (for scripts and backend) and mitmweb (Web interface).

Python scripting can automate filtering, logging, and payload modification. This tool is Docker, systemd, iptables/nftables It is compatible and can be used as explicit Or transparent proxy It is.

Practical Use Cases

API and mobile debugging

To object to JSON issues, CORS errors, or OAuth authentication, you can place mitmproxy between the mobile and the server and observe the requests/responses.

Simple method: Set the client to the IP address of the mitmproxy server (default port 8080) and install the CA certificate on the device.

Penetration testing and security assessment (in compliance with legal principles)

For pentests, mitmproxy allows for logical attacks, token leak checks, and TLS analysis. Always have a written contract and permission. And avoid collecting sensitive data without permission.

Traffic recording and replay

To reproduce errors or load test, you can use the captured traffic with the server-replay Play to re-evaluate server or client behavior.

Installation and tools

Basic installation on Debian/Ubuntu

Install with pip (recommended for latest version):

pip3 install mitmproxy

Installing from a package (easy but older):

sudo apt update
sudo apt install mitmproxy

Fast execution

Three main tools:

• mitmproxy — Console interactive interface

• mitmdump — Suitable for recording scripts and backends

• mitmweb — Web interface with graphical UI

Execution example:

mitmweb --listen-port 8080 --showhost

Running in Docker

docker run --rm -p 8080:8080 -p 8081:8081 -v $(pwd)/certs:/home/mitmproxy/.mitmproxy mitmproxy/mitmproxy mitmweb --web-host 0.0.0.0

Setting up as explicit proxy (client configuration)

General steps:

1. Run mitmproxy:

   mitmproxy --listen-port 8080

2. Generating and installing a CA certificate:

   After running mitmproxy, the CA in ~/.mitmproxy/ is placed (file mitmproxy-ca-cert.pem).

   On the client browser or operating system, view the certificate as Trust Install (Windows: MMC > Certificates; macOS: Keychain; Android: Settings > Security > Install from storage).

Transparent proxy mode (no manual client configuration)

For environments where proxy settings cannot be configured on the client (such as IoT devices or internal networks), use the transparent This mode requires traffic routing with iptables/nftables/TPROXY And it has IP forwarding enabled in the kernel.

Enabling IP forwarding

sudo sysctl -w net.ipv4.ip_forward=1

iptables example to redirect HTTP/HTTPS to port 8080

Forward TCP ports 80 and 443 to port 8080 on the same machine (for local traffic):

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080

Running mitmproxy in transparent mode

mitmproxy --mode transparent --listen-port 8080

Note: For HTTPS traffic in transparent mode, a CA must be installed on the clients. For scalable implementation at the edge of the network, use TPROXY + nftables Use to preserve the client's original IP.

Record, store, and convert streams

Recording with mitmdump

mitmdump -w flows.mitm

Reading the recorded file

mitmproxy -r flows.mitm

Convert to HAR/pcap

mitmproxy/mitmdump have export capabilities (mitmweb has an export HAR option).

For pcap, you can run tcpdump at the same time and then analyze Wireshark with pcap:

sudo tcpdump -i eth0 -w capture.pcap port 80 or port 443

If you need to analyze TLS in Wireshark, if you have control of the browser you can SSLKEYLOGFILE Enable to generate client-side keys and pass them to Wireshark.

Scripting and Addons

mitmproxy integrates with Python and you can write plugins. The following example shows logging and modifying the JSON response body.

from mitmproxy import http
import json

def response(flow: http.HTTPFlow):
    if "api.example.com" in flow.request.pretty_host():
        # log URL
        print(flow.request.url)
        # modify JSON response
        if "application/json" in flow.response.headers.get("content-type", ""):
            data = json.loads(flow.response.get_text())
            data["injected"] = True
            flow.response.set_text(json.dumps(data))

Run the addon:

mitmdump -s modify_response.py

Filters and Flow Search

Useful examples for filters:

• Show only requests to a specific domain: ~d example.com

• Show only responses with 5xx errors: ~s 500-599

Example of running mitmproxy with settings:

mitmproxy --set stream_large_bodies=2m --showhost

TLS analysis and technical details

mitmproxy can TLS ClientHelloCipher Suites, and SNI and assist in the fingerprinting process.

For a complete analysis of TLS in development environments, install the CA and collect JA3 Or UADetector It works.

Scalability and performance

mitmproxy It is based on Python and should be run on suitable hardware or a cluster for heavy workloads.

For high scale: Use dedicated servers or cloud instances with strong networking, such as a cloud server with 10Gbps ports.

In production environments that require attack tolerance, use anti-virus servers.DDoS and Load Balancer. Our company is with 85+ global locations It has the ability to be deployed at edge points, which is useful for reducing latency in trading and gaming.

Operational security and privacy

Only perform analysis on networks with explicit permission. Recording traffic without legal consent is a crime.

Store the CA private key on hardware or in a key manager and restrict access.

Logs may contain sensitive data (tokens, cookies); specify a retention policy and apply encryption to them.

For sensitive environments (payment, cards), rules PCI/DSS and use MITM tools only in the testing phase.

If using for trading or gaming analysis, use a dedicated trading VPS or gaming VPS with appropriate SLA and anti-DDoS.

Practical examples: mobile, API, and replay

Mobile app debugging

1. Run mitmproxy on your laptop:

   mitmweb --listen-host 0.0.0.0 --listen-port 8080

2. Connect the laptop to the same Wi-Fi network; IP for example 192.168.1.10.

3. In your phone's Wi-Fi settings, set Proxy to Manual and set the IP 192.168.1.10 and port 8080 Put it.

4. Install the mitmproxy certificate on the phone.

5. View and filter traffic on mitmweb.

Record and play API traffic for testing

Recording:

mitmdump -w api_flows.mitm

Broadcast:

mitmdump --server-replay api_flows.mitm --server-replay-nopop

Integration with other tools (Wireshark, Burp, CI)

Use tcpdump to capture pcap and analyze in Wireshark.

Mitmproxy can be used as a traffic preprocessor for Burp or any other analyzer.

In CI/CD: It is useful to capture traffic samples with mitmdump and play them during integration stages to simulate real-world conditions.

Best configurations by application

For trading: Low latency VPS, server close to the exchange, network with BGP and proper CDN. Use a dedicated trading VPS to run mitmproxy in test mode and a separate logging tool so it doesn't interfere with the trading Execution Engine.

For the game: Gaming VPS with low ping. Note mitmproxy only TCP/HTTP supports; to analyze UDP you need to use other tools such as tcpreplay/Wireshark and tun/tap Use.

For AI/Rendering: mitmproxy is useful for debugging model APIs; for heavy network processing, use a graphics server (GPU Cloud) and place mitmproxy on a separate compute server.

Final notes and legal warnings

Always obtain written permission from the service owner or user before any analysis.

Data such as card information, passwords, and tokens should be kept secure and deleted after use.

For production, use protected servers and an anti-DDoS solution to prevent abuse.

Conclusion and practical suggestions

Traffic analysis with mitmproxy is a flexible tool for debugging, security testing, and traffic analysis. Its simple installation, Python scriptability, and record/playback capabilities make it very useful in development, QA, and some security scenarios.

For large-scale production and analysis, use servers with a strong network, anti-DDoS, and deployment in locations close to users.

Frequently Asked Questions