In packet capture tools, you can see requests, but when you click into them, you find that the Body is empty, the Response shows encrypted data, or there is no response content at all.
This situation is more frustrating than not capturing packets because the requests do exist, but the content is invisible or encrypted.
First, Identify Which Type of No Content Issue It Is
Open Charles, SniffMaster, or Proxyman, click on a request, and focus on three key areas:
- Request Body
- Response Body
- Status Code
Three Common Behaviors
Behavior 1: Response Is Garbled or Unreadable
Indicates that HTTPS has been received but not decrypted.
Behavior 2: Body Is Completely Empty
Indicates that the request structure was captured, but the data was not restored.
Behavior 3: Request Is Normal but Returns 0 Bytes
Indicates that the request may have been interrupted or not completed.
Different behaviors correspond to different handling methods.
Verify If HTTPS Decryption Is Working Properly
First, use a browser as a control.
On the same device:
- Open Safari
- Visit an HTTPS website
- Check the packet capture tool
Compare the Results
If Safari Also Shows No Content
Indicates that the certificate is not effective.
Need to redo the process:
- Delete the old certificate
- Reinstall it
- Enable trust in the certificate trust settings
- Reopen the browser and test
If Safari Works Normally but the App Does Not
Indicates that the app has additional internal handling (e.g., certificate verification).
Continue to the next step.
Confirm If the Request Is Being Intercepted by the Proxy
Observe the connection method of the request in Charles.
If the request does not appear in the proxy tool but is captured later through other means, it indicates that the app may not be using the system proxy.
Verification Method
Turn off Wi-Fi and retrigger the request:
- If the app reports an error → the request does exist
- If the proxy tool has no record → it is not using the proxy
In this case, change the packet capture method.
Perform Direct Packet Capture on the Device to Verify Real Data
Use SniffMaster (Packet Capture Master) to perform direct packet capture on the phone.
Steps
- Connect the iPhone via USB
- Keep the device unlocked
- Click “Trust This Computer”
- Launch SniffMaster
- Select the device
- Install the profile
- Enter HTTPS Brute Force Capture Mode
- Click Start
Then trigger the app request.
Observe the Results
If you can see here:
- URL
- Header
It indicates that the request does exist.
Locate the Reason Why the Body Is Not Visible
If in SniffMaster, it still shows:
- Body is empty
- Response is incomplete
You can directly conclude that it is not related to the certificate, but rather an app restriction itself.
Handling Method: Re-signing
Process:
- Obtain the app’s IPA
- Sign it with an iOS development certificate
- Install it on the device
- Capture packets again
Observe Changes
After re-signing:
- Request Body appears
- Response content becomes visible
This is a change that can be directly verified.
Another Scenario: Data Is Encoded
Sometimes the captured data is not empty but is:
- Base64
- Compressed data
In SniffMaster, you can see the field:
- IsBase64Body = true
Handling Method
Need to:
- Decode Base64
- Or view the decoded content in the tool
For binary protocols, combine with protocol parsing.
A Technique to Avoid Misjudging Empty Data
In the packet capture interface:
- Check Content-Length
- Check response size
Judgment Method
- Content-Length > 0 → data exists
- Shows as empty → may be encoded or not parsed
You can further analyze by exporting the data.
Reference link: https://www.sniffmaster.net/blog/139