When a packet capture tool first starts, its interface is empty, but as soon as you open an app or refresh a page, it quickly looks like this:

  • Hundreds of requests
  • A continuously scrolling list
  • Multiple domains appearing interleaved

Without a filtering method, it is difficult to pick the target interface out of this list.


First, Clean Up the Environment

When capturing packets for the first time, an easy step to overlook is clearing the history.

In Charles, SniffMaster, or Proxyman:

  1. Click the clear button (Clear Session)
  2. Confirm the list is empty
  3. Pause app operations

Next, trigger the target operation only once, such as clicking the “Login” button.


Observe the Changes

At this point, the packet capture list will show a small batch of requests, for example:

  • Login interface
  • Accompanying configuration requests
  • A few CDN resources

The number is significantly reduced, allowing analysis to begin.


Narrow the Scope First by Filtering by Domain

If there are still many requests, you can first filter by domain.

In Charles:

  1. View the domain list on the left
  2. Find domains related to the business
  3. Click to expand

For example:

api.example.com

View only the requests under this domain, which removes:

  • Image resources
  • Third-party analytics
  • CDN requests

Use Filters to Locate the Interface

Proxy packet capture tools generally provide filtering functions.

For example, in Charles:

  1. Enter a keyword in the Filter
  2. Input part of the interface path

For example:

/login

The list will only show matching requests.


Observe the Changes

After filtering, you can directly see:

  • Request method
  • Request parameters
  • Response data

If the interface path is uncertain, you can first observe the URL structure and then adjust the keyword.


Reduce Interference in Mobile Device Packet Capture

When capturing packets on iOS, there tends to be more traffic because it includes:

  • System service requests
  • DNS queries
  • Apple background services

If you capture everything directly, it is hard to filter.


Use SniffMaster to Filter by App

In SniffMaster, you can directly filter by app.

Steps:

  1. Connect iPhone (via USB)
  2. Start SniffMaster
  3. Enter the packet capture interface
  4. Click Select App
  5. Check the target application
  6. Start capturing packets

Observe the Changes

The packet capture list will only show traffic from that app:

  • No longer includes system requests
  • No longer includes traffic from other apps

At this point, the data volume is significantly reduced.


Further Filter by Request Type

If the target interface belongs to a specific type, you can continue filtering.

For example:

  • Only view POST requests
  • Only view JSON data

Set filtering conditions in the packet capture tool:

  • Method = POST
  • Content-Type = application/json

This can quickly locate interface calls.


Combine Sorting to Find Key Requests

When there are still many requests, you can use sorting functions.

For example:

  • Sort by time
  • Sort by data size

In some cases:

  • Login interfaces return larger data
  • Configuration interfaces return JSON

By sorting, you can find these requests faster.


Handle Continuously Refreshing Traffic

Some apps continuously send requests, for example:

  • Heartbeat packets
  • Long connections
  • Real-time data refreshes

In such cases, you can:

  1. First stop packet capture
  2. Clear the data
  3. Start capturing packets again
  4. Immediately trigger the target operation

This keeps historical traffic from interfering with the analysis.


When facing the situation of “too much traffic,” you can operate in this order:

  1. Clear packet capture records
  2. Only trigger the target operation once
  3. Narrow the scope by filtering by domain
  4. Use keyword filtering
  5. If necessary, filter by app
  6. Use time or sorting to assist in locating
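
The same order of filters can be applied offline to a saved session. The following is an added example, not part of the original article: it assumes the capture was exported in HAR format (log.entries[]), and the sample entries, the extra hostnames, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def entry(started, method, url, mime, size):
    """Build one constructed HAR-style entry (only the fields used below)."""
    return {"startedDateTime": started,
            "request": {"method": method, "url": url},
            "response": {"content": {"size": size, "mimeType": mime}}}

# Constructed sample session in HAR layout (log.entries[]); not real traffic.
SAMPLE = {"log": {"entries": [
    entry("2024-01-01T10:00:00.100Z", "GET", "https://cdn.example.com/img/logo.png", "image/png", 48213),
    entry("2024-01-01T10:00:00.250Z", "POST", "https://api.example.com/v1/login", "application/json; charset=utf-8", 1820),
    entry("2024-01-01T10:00:00.300Z", "GET", "https://api.example.com/v1/config", "application/json", 640),
    entry("2024-01-01T10:00:00.320Z", "POST", "https://stats.example.net/collect", "text/plain", 2),
    entry("2024-01-01T10:00:00.900Z", "POST", "https://api.example.com/v1/login/refresh", "application/json", 310),
]}}

def filter_entries(har, host=None, path_keyword=None, method=None,
                   content_type=None, sort_by="time"):
    """Apply domain, keyword, method and Content-Type filters, then sort."""
    kept = []
    for e in har["log"]["entries"]:
        req, url = e["request"], urlsplit(e["request"]["url"])
        if host and url.hostname != host.lower():
            continue
        if path_keyword and path_keyword not in url.path:
            continue
        if method and req["method"].upper() != method.upper():
            continue
        # Compare the media type only, ignoring parameters such as charset.
        media = e["response"]["content"]["mimeType"].split(";")[0].strip().lower()
        if content_type and media != content_type.lower():
            continue
        kept.append(e)
    if sort_by == "size":  # largest response body first
        return sorted(kept, key=lambda e: e["response"]["content"]["size"], reverse=True)
    # Timestamps here share one ISO 8601 UTC format, so string order is time order.
    return sorted(kept, key=lambda e: e["startedDateTime"])

def summarize(entries):
    """Reduce entries to (method, URL) pairs for quick reading."""
    return [(e["request"]["method"], e["request"]["url"]) for e in entries]

if __name__ == "__main__":
    hits = filter_entries(SAMPLE, host="api.example.com", path_keyword="/login",
                          method="POST", content_type="application/json")
    for method, url in summarize(hits):
        print(method, url)
```

The Content-Type comparison here uses the response media type recorded in the export; a heartbeat or analytics request that happens to match the keyword would still need the domain filter to exclude it.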

Reference link: https://www.sniffmaster.net/blog/132