Looking for a Solution: How to Identify Unknown Connections Made from My Smartphone?


John Dekka

New member
Feb 6, 2023
I live in a region where phone security and anonymity are a concern.
To address this, I have installed a rooted custom firmware, AFWall firewall, and ProtonVPN on my smartphone.

AFWall is set up to block most apps and system apps, routing only the ones I use through the VPN.
I monitor AFWall's logfiles, which show thousands of (blocked) unknown(-100) connections, most of which resolve to GitHub CDNs or Googleaccount, while others resolve to unknown IPs.

I want to find out which app or process is making these connections, but as AFWall reports them as unknown(-100), I am unsure how to proceed.

I have tried using Termux (root) and "sudo netstat -nputwc" to monitor connections, but some connections remain "empty" and do not provide any "PID/Program name".

How can I identify the app/process making these connections?


Thanks in advance!
 

Oswald Boelcke

Senior Moderator / Moderator Committee
Staff member
I don't know but probably these can already help?
 

John Dekka

New member
Feb 6, 2023
Awesome! I'll test a bit with this app to see what I can capture. :) Thanks!



Edit:
Well, now I can collect a lot more data. Nice. But still the same as with AFWall. I run PCAPdroid as root and can scan all connections. But "app" still "unknown". It can't figure out which process is making a connection.

For example, the "unknown app (-1)" transfers data from local IP 10.2.XXX.XXX:48100 to remote 146.75.XXX.XXX:443, which resolves to "Fastly, Inc".

hmm...

I'll try to dump the whole payload to examine.
 
Last edited:
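
Added example, not part of any post in this thread: on Linux and Android the kernel lists each TCP socket's owning UID in /proc/net/tcp, and Android records the UID-to-package mapping in /data/system/packages.list, so a connection can be attributed to a UID even when no PID/program name is shown. The sample rows, addresses, UID and org.example.* package names below are constructed for illustration.

```python
import ipaddress
import struct

# Constructed samples in the layout of /proc/net/tcp and /data/system/packages.list;
# addresses, UIDs and package names are made up for illustration.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20321 1 0000000000000000 100 0 0 10 0
   1: 0200000A:BBE4 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10187        0 88412 1 0000000000000000 24 4 30 10 -1
   2: 0200000A:BBE6 076433C6:01BB 06 00000000:00000000 03:00000A5C 00000000     0        0 0 3 0000000000000000
"""
SAMPLE_PACKAGES_LIST = """\
org.example.updater 10187 0 /data/user/0/org.example.updater default:targetSdkVersion=30 3003
org.example.helper 10187 0 /data/user/0/org.example.helper default:targetSdkVersion=30 3003
"""
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

def decode_endpoint(field):
    """Turn '076433C6:01BB' into ('198.51.100.7', 443); assumes a little-endian CPU."""
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
    return str(addr), int(port_hex, 16)

def load_packages(text):
    """Map app UID -> package names; several packages can share one UID."""
    by_uid = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            by_uid.setdefault(int(parts[1]), []).append(parts[0])
    return by_uid

def attribute_connections(proc_text, packages_text):
    """Return one dict per socket with decoded endpoints, state, UID and owner."""
    packages = load_packages(packages_text)
    rows = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        uid, inode = int(cols[7]), int(cols[9])
        if inode == 0:
            owner = ["<no socket inode recorded, e.g. TIME_WAIT>"]
        else:
            # UIDs of secondary Android users are userId * 100000 + appId.
            owner = packages.get(uid % 100000, ["<uid %d: not in packages.list>" % uid])
        rows.append({"local": decode_endpoint(cols[1]), "remote": decode_endpoint(cols[2]),
                     "state": TCP_STATES.get(cols[3], cols[3]), "uid": uid, "owner": owner})
    return rows
```

On a rooted device, pass the contents of /proc/net/tcp and /data/system/packages.list to `attribute_connections` in place of the samples. /proc/net/tcp6 uses the same columns but 32-hex-digit addresses, which `decode_endpoint` does not handle.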
