// AI-driven network traffic capture and analysis using mitmproxy/mitmdump + Playwright. Triggers on 抓包/流量捕获/网络抓包, HAR 文件分析, websocket/ws 流量, TLS/SSL 分析, request replay/流量对比, and API discovery or network debugging requests.
| name | capture-analytics |
| description | AI-driven network traffic capture and analysis using mitmproxy/mitmdump + Playwright. Triggers on 抓包/流量捕获/网络抓包, HAR 文件分析, websocket/ws 流量, TLS/SSL 分析, request replay/流量对比, and API discovery or network debugging requests. |
AI-driven autonomous network traffic capture and deep analysis.
AI 会自动从用户消息中提取 URL:
Analysis Goal Inference:
| Keywords | Goal |
|---|---|
| 性能/慢/延迟/加载 | performance |
| 安全/漏洞/头部/HTTPS | security |
| 调试/错误/失败/500 | debugging |
| API/接口/端点/请求 | api-discovery |
| (none of above) | general |
This skill gives Claude Code the ability to autonomously capture and analyze network traffic. Instead of just providing guidance, the AI itself:
mitmproxy installed (pip install mitmproxy or system package)python3 with mitmproxy Python bindingsVerify with:
which mitmdump && mitmdump --version
python3 -c "from mitmproxy import io; print('OK')"
When the user asks to capture live traffic, the AI MUST choose execution mode by task type (not one fixed method):
HTTP_PROXY, HTTPS_PROXY, ALL_PROXY).Required minimum actions:
capture-session.sh start ...)capture-session.sh stop)latest.flow size > 0, latest.index.ndjson lines > 0)Before starting capture, the AI MUST classify the task:
Rules:
If browser automation is selected, the AI MUST:
If selected mode is unavailable, the AI MUST:
curl -x http://127.0.0.1:<port> http://example.com/)Understand the user's goal before touching anything.
AI Actions:
Decision Matrix:
| User Says | Focus | Strategy |
|---|---|---|
| "分析这个网站的性能" | Performance | Full-site crawl, measure timings |
| "看看这个API有什么请求" | API Discovery | Navigate key flows, catalog endpoints |
| "检查安全问题" | Security | Probe forms, check headers, test inputs |
| "调试这个页面的错误" | Debugging | Target specific page, capture errors |
| "对比两次部署的差异" | Comparison | Capture twice, diff results |
AI executes:
capture-session.sh start https://example.com
Or with explicit scope control:
capture-session.sh start https://example.com --allow-hosts "example.com,*.example.com"
Key flags:
-d, --dir <path> — output directory for capture files-P, --port <port> — custom port (default 18080)--allow-hosts <list> — restrict capture to these hosts (comma-separated, supports *)--deny-hosts <list> — always ignore these hosts (takes precedence)--policy <file> — JSON policy file for complex scope rulesCleanup flags:
--keep-days <N> — keep capture files from recent N days--keep-size <SIZE> — keep latest captures up to total size--secure — securely delete old capture files--dry-run — preview cleanup result without deleting--force-recover — clean stale state file before start-h, --help — print CLI help and exitScope Control: By default, capture-session.sh auto-generates a scope from the target URL domain. This prevents capturing traffic from unrelated domains (e.g., analytics, auth providers).
After starting, the proxy is at 127.0.0.1:18080.
Choose the traffic-driving mode based on the target:
Browser mode (Playwright):
browser_navigate + browser_snapshot + interaction actions to produce traffic.Program mode (environment variables): Use temporary env vars when starting the target process:
HTTP_PROXY=http://127.0.0.1:18080 \
HTTPS_PROXY=http://127.0.0.1:18080 \
ALL_PROXY=http://127.0.0.1:18080 \
<your_program_command>
Or use helper script:
./scripts/runWithProxyEnv.sh -P 18080 -- <your_program_command>
Use NO_PROXY where necessary to bypass local endpoints.
Exploration/Driving Strategies (see BROWSER_EXPLORATION.md):
| Strategy | When | Actions |
|---|---|---|
full-crawl | General analysis | Visit homepage → follow links → interact |
targeted-flow | Specific user journey | Login → navigate → submit form → verify |
api-discovery | API mapping | Visit pages, trigger AJAX, catalog endpoints |
performance-probe | Performance | Rapid navigation, parallel requests |
manual-assist | Complex scenarios | Start capture, let user operate, then analyze |
Exploration Loop:
1. Navigate to target URL
2. Take snapshot → analyze page structure
3. Identify interactive elements (links, buttons, forms)
4. Click/navigate based on strategy
5. Wait for network activity to settle
6. Repeat 2-5 for depth/breadth coverage
7. Record navigation path for report
AI executes:
capture-session.sh stop
This triggers the full data pipeline:
capture.flow → HAR conversion
→ Index (NDJSON) + Summary (Markdown)
→ AI Brief (JSON + Markdown)
→ latest.* symlinks
Output Files:
| File | Format | Use |
|---|---|---|
*.flow | mitmproxy binary | Raw immutable capture |
*.har | HAR 1.2 JSON | Standard HTTP archive |
*.log | Text log | Capture runtime diagnostics |
*.index.ndjson | NDJSON | Per-request index records |
*.summary.md | Markdown | Quick statistics overview |
*.ai.json | JSON | Structured analysis input |
*.ai.md | Markdown | AI-friendly brief |
*.ai.bundle.txt | Text | Consolidated AI-ready bundle |
*.manifest.json | JSON | Session metadata |
*.scope_audit.json | JSON | Out-of-scope traffic report |
*.navigation.ndjson | NDJSON | Browser navigation timeline/events |
AI reads and analyzes the output files.
Analysis Order:
latest.summary.md — get the big picturelatest.ai.json — structured stats with findingslatest.har for specific requests (use Read tool with line offsets)Analysis Dimensions:
See ANALYSIS_PATTERNS.md for detailed strategies.
User: "帮我分析 https://example.com 的网络请求" → AI runs all 5 phases automatically and selects browser/program/manual mode by task
User: "开始抓包,我自己操作浏览器" → AI runs Phase 2, waits, then Phase 4-5 when user says "停止"
User: "分析 captures/ 目录下的抓包数据" → AI skips to Phase 5, reads existing files
User: "对比这两次抓包的差异" → AI reads two sets of data, generates comparison report
capture-session.sh diff captures/a.index.ndjson captures/b.index.ndjson
capture-session.sh doctor
Verify environment prerequisites before capture.
./install.sh --check
./install.sh --doctor
Use this to diagnose runtime dependencies and current skill installation mode.
./scripts/runWithProxyEnv.sh -P 18080 -- <your_program_command>
Use this when traffic is produced by CLI/service process rather than browser automation.
./scripts/driveBrowserTraffic.sh --url https://example.com -P 18080 --mode auto
Use this when you want one-shot headed/headless fallback browser traffic generation.
capture-session.sh start http://localhost:3000
Use this when analyzing local web apps without TLS.
capture-session.sh analyze
Generate AI-ready analysis bundle from latest artifacts.
capture-session.sh cleanup --keep-days 7
capture-session.sh cleanup --keep-size 1G --dry-run
capture-session.sh cleanup --secure --keep-days 3
Use cleanup to control retention after analysis runs.
capture-session.sh status
Check whether capture process is running before stop/analyze.
capture-session.sh --help
Show command list and option reference quickly.
capture-session.sh progress
Shows: duration, request count, data size
capture-session.sh navlog append --action navigate --url "https://example.com"
Use navlog during exploration to preserve key browser actions for later analysis.
See templates/analysis-report.md for the output format.
Reports include:
fafafa-skills-capture-analytics/
├── SKILL.md # This file
├── skill-rules.json # Trigger configuration
├── references/
│ ├── CAPTURE_OPERATIONS.md # Detailed capture operations
│ ├── ANALYSIS_PATTERNS.md # Analysis strategies & patterns
│ └── BROWSER_EXPLORATION.md # Playwright exploration guide
├── scripts/
│ ├── startCaptures.sh # Start mitmproxy capture
│ ├── stopCaptures.sh # Stop capture & process pipeline
│ ├── analyzeLatest.sh # Generate AI analysis bundle
│ ├── ai.sh # Quick analysis entry point
│ ├── capture-session.sh # One-shot capture session
│ ├── flow2har.py # Flow → HAR converter
│ ├── flow_report.py # Index & summary generator
│ ├── ai_brief.py # AI analysis brief builder
│ ├── cleanup.py # Cleanup policy helper
│ ├── common.sh # Shared shell helper functions
│ ├── doctor.sh # Environment diagnostics
│ ├── git-doctor.sh # Git environment diagnostics
│ ├── policy.py # Scope policy validator
│ ├── proxy_utils.sh # Proxy utility helpers
│ ├── release-check.sh # Release verification helper
│ ├── runWithProxyEnv.sh # Run command with proxy env (program mode)
│ ├── scope_audit.py # Scope audit report generator
│ ├── cleanupCaptures.sh # Capture retention cleanup
│ ├── navlog.sh # Navigation log helper
│ └── diff_captures.py # Capture index diff tool
└── templates/
├── analysis-report.md # Report output template
└── exploration-strategies.json # Pre-built exploration configs
| Problem | Solution |
|---|---|
mitmdump: command not found | pip install mitmproxy or install via system package manager |
| Port 18080 already in use | Use -P <other-port> flag or stop existing process |
| Playwright can't connect through proxy | Ensure mitmproxy CA cert is trusted, or use --ignore-https-errors |
| HAR conversion fails | Script falls back to Python converter automatically |
| Empty capture (0 requests) | Check proxy routing — use real browser/program traffic through proxy; smoke curl is connectivity-only |
| Found stale state file | Restart with capture-session.sh start https://example.com --force-recover |
| Permission denied on scripts | Run chmod +x scripts/*.sh |
[HINT] Download the complete skill directory including SKILL.md and all related files