SWRedirector

SWRedirector is a transparent network interception tool for the SWProxy project. It intercepts outbound TCP traffic destined for the IoT broker, redirects it through a local TLS proxy, and forwards it to the specified target. It also includes a built-in HTTPS proxy that can intercept and optionally override device registration responses.

Features

  • Transparent TCP Redirect: Intercepts IoT broker traffic at the network layer without modifying the application.
  • Built-in TLS Proxy: Terminates TLS connections from the target device using an embedded certificate chain, then forwards traffic in plain TCP to the real broker.
  • MQTT Pass-through Mode: When the target argument is pass, the tool connects to the official MQTT broker over TLS by itself and transparently relays all downstream packets.
  • HTTPS Interception: Proxies HTTPS registration requests, with optional response override.
  • Register Override: Returns a fixed device info pair in response to registration requests.
  • Process Exclusion: Configurable ignore rules to bypass interception for specific processes by path, name, or PID.
  • DNS over HTTPS (DoH): Optional DoH support via AliDNS for secure DNS resolution.

Build

Requires CMake 3.16+. Dependencies are fetched automatically at configure time.

MSVC (VS2022)

Open the x64 Native Tools Command Prompt for VS 2022:

mkdir build && cd build
cmake .. -G "Visual Studio 17 2022" -A x64
cmake --build . --config Release

MinGW on Windows

mkdir build && cd build
cmake .. -G Ninja -DCMAKE_BUILD_TYPE=Release
cmake --build .

Cross-compile from Linux (mingw-w64)

sudo apt install mingw-w64

mkdir build && cd build
cmake .. -DCMAKE_TOOLCHAIN_FILE=../toolchain-mingw64.cmake -DCMAKE_BUILD_TYPE=Release
make

Enable DoH

Append -DUSE_DOH=ON to the CMake configure step.

Build Output

build/output/
├── swredirector.exe
├── WinDivert.dll
└── WinDivert64.sys

Usage

Requires Administrator privileges: WinDivert loads a kernel-level network driver.

swredirector.exe <host:port> [options]
swredirector.exe pass [options]

Arguments

  • <host:port>: Required. Target MQTT broker to forward decrypted traffic to (e.g. 192.168.1.1:8883).
  • pass: Special mode. Keep the original MQTT destination and transparently relay traffic to the official broker, with the tool handling upstream TLS.

Options

  • --ignore <rule>: Exclude matching processes from interception.
  • --override <deviceId> <deviceSecret>: Return a fixed device identity in response to registration requests.
  • --capture <file>: Capture MQTT payloads in each direction as virtual IPv4/TCP packets in pcapng format, compressed with zstd.
  • --show-secrets: Log the deviceId and deviceSecret returned by the upstream registration endpoint (non-override mode only).

--ignore Rule Format

Rules are key=value pairs. Multiple attributes within one rule use ; (AND). Multiple rules use , (OR).

  • fp: Full executable path (case-insensitive)
  • pn: Process image name (e.g. app.exe)
  • pid: Numeric process ID

Example:

swredirector.exe 192.168.1.1:8883 --ignore "fp=C:\tools\monitor.exe,pn=updater.exe"
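
The rule grammar above, as an added example written for this README and not taken from SWRedirector's source: a small C++ parser and matcher for --ignore rules. ProcessInfo, parseIgnoreRules and shouldIgnore are hypothetical names. The code assumes that pn, like fp, is compared case-insensitively (the README states this only for fp) and that pid is compared as an exact number; the process records in main are constructed sample data.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Hypothetical record of the process that owns an intercepted connection.
struct ProcessInfo {
    std::string fullPath;   // e.g. C:\tools\monitor.exe
    std::string imageName;  // e.g. monitor.exe
    uint32_t pid;
};

// One rule is a list of key/value attributes that must all match (AND).
typedef std::vector<std::pair<std::string, std::string> > IgnoreRule;

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

static std::vector<std::string> split(const std::string& s, char sep) {
    std::vector<std::string> out;
    std::string item;
    std::istringstream in(s);
    while (std::getline(in, item, sep)) out.push_back(item);
    return out;
}

// Parse "fp=...;pn=...,pid=..." into rules: ',' separates rules (OR),
// ';' separates attributes inside a rule (AND). Unknown keys and malformed
// attributes throw, so a typo cannot silently disable an exclusion.
std::vector<IgnoreRule> parseIgnoreRules(const std::string& spec) {
    std::vector<IgnoreRule> rules;
    for (const std::string& ruleText : split(spec, ',')) {
        IgnoreRule rule;
        for (const std::string& attr : split(ruleText, ';')) {
            size_t eq = attr.find('=');
            if (eq == std::string::npos)
                throw std::invalid_argument("attribute without '=': " + attr);
            std::string key = toLower(trim(attr.substr(0, eq)));
            std::string value = trim(attr.substr(eq + 1));
            if (key != "fp" && key != "pn" && key != "pid")
                throw std::invalid_argument("unknown key: " + key);
            if (value.empty())
                throw std::invalid_argument("empty value for key: " + key);
            rule.push_back(std::make_pair(key, value));
        }
        if (!rule.empty()) rules.push_back(rule);
    }
    return rules;
}

// A process is excluded when some rule (OR) has every attribute (AND) matching.
// fp and pn are compared case-insensitively (assumption for pn); pid exactly.
bool shouldIgnore(const std::vector<IgnoreRule>& rules, const ProcessInfo& p) {
    for (const IgnoreRule& rule : rules) {
        bool all = true;
        for (const std::pair<std::string, std::string>& kv : rule) {
            bool ok;
            if (kv.first == "fp")      ok = toLower(p.fullPath) == toLower(kv.second);
            else if (kv.first == "pn") ok = toLower(p.imageName) == toLower(kv.second);
            else                       ok = std::to_string(p.pid) == kv.second;
            if (!ok) { all = false; break; }
        }
        if (all) return true;
    }
    return false;
}

int main() {
    // Constructed sample: the README's example rule plus a pid-qualified rule.
    std::vector<IgnoreRule> rules =
        parseIgnoreRules("fp=C:\\tools\\monitor.exe,pn=updater.exe;pid=4321");
    ProcessInfo a = {"C:\\TOOLS\\Monitor.exe", "Monitor.exe", 10};
    ProcessInfo b = {"C:\\x\\updater.exe", "updater.exe", 99};
    std::cout << "monitor.exe ignored: " << shouldIgnore(rules, a) << "\n";       // 1
    std::cout << "updater.exe pid 99 ignored: " << shouldIgnore(rules, b) << "\n"; // 0
    return 0;
}
```

Rejecting unknown keys at parse time matters for a tool that runs with Administrator rights: a mistyped rule that is silently ignored would leave a process intercepted that the operator believed was excluded.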

MQTT pass Mode

When the first argument is pass, SWRedirector still terminates the device-side TLS session locally, but it no longer forwards decrypted MQTT payloads to a custom plain TCP endpoint. Instead, it establishes its own TLS connection to the official broker and relays traffic bidirectionally.

Example:

swredirector.exe pass

MQTT Capture

Use --capture to save MQTT traffic into a .pcapng.zst file. The capture stream is synthetic and uses virtual endpoints so it can be opened in Wireshark:

  • client IP: 127.0.0.1
  • client port: 1234
  • broker IP: 127.0.0.2
  • broker port: fixed to 1883 for easier Wireshark MQTT decoding

The file is written as pcapng and compressed with zstd at a moderately high compression level. The program flushes the zstd stream and forces the file to disk every 15 seconds, so the file size should update while the program is still running and the risk of losing buffered capture data on an unexpected exit is reduced. To improve Wireshark MQTT decoding, capture packets are aligned to complete MQTT frames whenever possible instead of mirroring arbitrary recv/send chunk boundaries.

Example:

swredirector.exe pass --capture mqtt_trace.pcapng.zstd
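
The frame alignment described above, as an added example that is not SWRedirector's own code: a C++ reassembler that turns arbitrary recv/send chunks into complete MQTT control packets by decoding the fixed header's Remaining Length varint (1 to 4 bytes, 7 bits each, high bit as continuation, per the MQTT specification). MqttFrameSplitter and its methods are hypothetical names, and the sample bytes in main are constructed. When the varint is malformed the buffered bytes are emitted unaligned, which is the fallback behind the README's "whenever possible".

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Reassembles a TCP byte stream into whole MQTT control packets.
class MqttFrameSplitter {
public:
    typedef std::vector<uint8_t> Bytes;

    // Feed one recv/send chunk; returns every frame that is now complete.
    std::vector<Bytes> feed(const Bytes& chunk) {
        buf_.insert(buf_.end(), chunk.begin(), chunk.end());
        std::vector<Bytes> frames;
        for (;;) {
            size_t len = 0;
            Status st = frameLength(buf_, len);
            if (st == kNeedMore) break;
            if (st == kMalformed) {
                // Alignment impossible: emit the raw bytes unaligned so the
                // capture still records them.
                frames.push_back(buf_);
                buf_.clear();
                break;
            }
            frames.push_back(Bytes(buf_.begin(), buf_.begin() + len));
            buf_.erase(buf_.begin(), buf_.begin() + len);
        }
        return frames;
    }

    // On connection close, return any trailing partial frame as-is.
    Bytes flush() { Bytes rest; rest.swap(buf_); return rest; }

    size_t pending() const { return buf_.size(); }

private:
    enum Status { kNeedMore, kMalformed, kComplete };

    // Decode the fixed header: byte 0 is packet type/flags, bytes 1..4 hold
    // Remaining Length as a base-128 varint (high bit set = more bytes follow).
    static Status frameLength(const Bytes& b, size_t& len) {
        if (b.size() < 2) return kNeedMore;
        size_t remaining = 0, mult = 1, i = 1;
        for (;; ++i) {
            if (i > 4) return kMalformed;          // MQTT allows at most 4 bytes
            if (i >= b.size()) return kNeedMore;   // the varint itself is cut off
            remaining += (b[i] & 0x7F) * mult;
            mult *= 128;
            if ((b[i] & 0x80) == 0) break;
        }
        len = i + 1 + remaining;                   // header bytes + body
        return b.size() >= len ? kComplete : kNeedMore;
    }

    Bytes buf_;
};

int main() {
    // Constructed stream: a 4-byte CONNECT-type packet (0x10, length 2)
    // followed by a 5-byte PUBLISH-type packet (0x30, length 3), delivered
    // in chunks that cut across packet boundaries.
    MqttFrameSplitter s;
    const uint8_t c1[] = {0x10, 0x02, 0xAA};
    const uint8_t c2[] = {0xBB, 0x30, 0x03, 0x01};
    const uint8_t c3[] = {0x02, 0x03};
    const uint8_t* chunks[] = {c1, c2, c3};
    const size_t sizes[] = {3, 4, 2};
    for (int n = 0; n < 3; ++n) {
        std::vector<MqttFrameSplitter::Bytes> frames =
            s.feed(MqttFrameSplitter::Bytes(chunks[n], chunks[n] + sizes[n]));
        std::cout << "chunk " << n << ": " << frames.size() << " frame(s)\n";
    }
    return 0;  // prints 0, 1 and 1 frame(s) for the three chunks
}
```

Each Bytes value returned by feed is what would become one synthetic IPv4/TCP packet in the capture; pending shows how many bytes are waiting for the rest of a frame, which is the data at risk if the stream is cut off before the next flush.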

--override

When set, any HTTPS request to the registration endpoint returns a response with the given device info.

Example:

swredirector.exe 192.168.1.1:8883 --override 123123123000 keyaaabbbccc

--show-secrets

When set, SWRedirector prints the deviceId, deviceSecret, and productKey returned by the upstream registration endpoint to the console log. This is useful for debugging device provisioning flows.

The flag is only effective in non-override mode (i.e. when the proxy actually forwards requests to the upstream server). If --override is also specified, --show-secrets is ignored and a warning is printed.

Example:

swredirector.exe pass --show-secrets
swredirector.exe 192.168.1.1:8883 --show-secrets --capture mqtt.pcapng.zstd

License

MIT