In packet capture tools, you can see requests, but when you click into them, you find that the Body is empty, the Response shows encrypted data, or there is no response content at all.

This situation is more frustrating than not capturing packets because the requests do exist, but the content is invisible or encrypted.

First, Identify Which Type of No Content Issue It Is

Open Charles, SniffMaster, or Proxyman, click on a request, and focus on three key areas:

  • Request Body
  • Response Body
  • Status Code

Three Common Behaviors

Behavior 1: Response Is Garbled or Unreadable

Indicates that HTTPS has been received but not decrypted.

Behavior 2: Body Is Completely Empty

Indicates that the request structure was captured, but the data was not restored.

Behavior 3: Request Is Normal but Returns 0 Bytes

Indicates that the request may have been interrupted or not completed.

Different behaviors correspond to different handling methods.

Verify If HTTPS Decryption Is Working Properly

First, use a browser as a control.

On the same device:

  1. Open Safari
  2. Visit an HTTPS website
  3. Check the packet capture tool

Compare the Results

If Safari Also Shows No Content

Indicates that the certificate is not effective.

Need to redo the process:

  1. Delete the old certificate
  2. Reinstall it
  3. Enable trust in the certificate trust settings
  4. Reopen the browser and test

If Safari Works Normally but the App Does Not

Indicates that the app has additional internal handling (e.g., certificate verification).

Continue to the next step.

Confirm If the Request Is Being Intercepted by the Proxy

Observe the connection method of the request in Charles.

If the request does not appear in the proxy tool but is captured later through other means, it indicates that the app may not be using the system proxy.

Verification Method

Turn off Wi-Fi and retrigger the request:

  • If the app reports an error → the request does exist
  • If the proxy tool has no record → it is not using the proxy

In this case, change the packet capture method.

Perform Direct Packet Capture on the Device to Verify Real Data

Use SniffMaster (Packet Capture Master) to perform direct packet capture on the phone.

Steps

  1. Connect the iPhone via USB
  2. Keep the device unlocked
  3. Click “Trust This Computer”
  4. Launch SniffMaster
  5. Select the device
  6. Install the profile
  7. Enter HTTPS Brute Force Capture Mode
  8. Click Start

Then trigger the app request.
Packet Capture Explanation

Observe the Results

If you can see here:

  • URL
  • Header

It indicates that the request does exist.
Brute Force Capture

Locate the Reason Why the Body Is Not Visible

If in SniffMaster, it still shows:

  • Body is empty
  • Response is incomplete

You can directly conclude that it is not related to the certificate, but rather an app restriction itself.

Handling Method: Re-signing

Process:

  1. Obtain the app’s IPA
  2. Sign it with an iOS development certificate
  3. Install it on the device
  4. Capture packets again

Observe Changes

After re-signing:

  • Request Body appears
  • Response content becomes visible

This is a change that can be directly verified.

Another Scenario: Data Is Encoded

Sometimes the captured data is not empty but is:

  • Base64
  • Compressed data

In SniffMaster, you can see the field:

  • IsBase64Body = true

Handling Method

Need to:

  1. Decode Base64
  2. Or view the decoded content in the tool

For binary protocols, combine with protocol parsing.

A Technique to Avoid Misjudging Empty Data

In the packet capture interface:

  1. Check Content-Length
  2. Check response size

Judgment Method

  • Content-Length > 0 → data exists
  • Shows as empty → may be encoded or not parsed

You can further analyze by exporting the data.

Reference link: https://www.sniffmaster.net/blog/139