
I have an app (Google's Android Emulator running via QEMU) running on Ubuntu inside a docker instance. I want to:

  • Capture all network traffic (packets) coming from a VM running inside QEMU.
  • Prevent traffic from that VM from reaching the internet while leaving the rest of the instance connected
  • Spoof responses to requests made from that VM to other servers, pretending that I am those servers
  • Do all of this in an automated headless way (no user input, just scripts)

When researching this, I discovered https://github.com/mandiant/flare-fakenet-ng, which is exactly what I need. The issue is that it doesn't seem to work in my setup (whenever Fakenet's network driver loads, it disables all network traffic regardless of any configs and I lose control of the docker instance). I asked a question about it here (Enabling a diverter in fakenet-ng on Ubuntu Linux disables all network traffic), but received no answers.

Since I haven't managed to fix this problem so far, I'm looking for a different way to achieve this. What tools and methods should I use? What are their upsides and downsides?

  • You do not specify if you want to spoof QEMU traffic, or the traffic of QEMU VMs Commented Dec 19, 2022 at 23:29
  • I want to spoof responses to traffic coming from a QEMU VM. Edited my question to make this clear.
    – Dex
    Commented Dec 20, 2022 at 0:24

1 Answer


Android Emulator itself contains an implementation of tcpdump and an option to dump packets to a file. Use it like this: emulator -tcpdump {path_to_dump}.pcap {other_options}.

As for stopping it from reaching the internet and spoofing responses, it's possible to launch the emulator in a separate user group and do iptables filtering based on GIDs of processes, redirecting all traffic coming from the specific GID to a local server, where spoofed responses would be implemented. Something like https://pypi.org/project/spoof/ or https://pypi.org/project/fake-server/ might work for this use case.
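An added example, not code from the answer above: a POSIX shell script that writes out the GID-based iptables rules the answer describes (DNS and HTTP/HTTPS from the group redirected to local spoof servers, everything else from that group dropped and logged, the rest of the host untouched) and launches the emulator under that group with the built-in -tcpdump capture. The group name "sandbox", the local ports 8080 and 5353, the pcap path and the AVD name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer: contain one process group with the iptables owner match.
# The emulator's default user-mode (SLIRP) networking means the guest's connections are opened by
# the emulator process itself, so matching on that process's GID catches all guest traffic.
# Hypothetical values: group "sandbox", spoof HTTP(S) server on 127.0.0.1:8080, fake DNS on :5353.

# Print the iptables rules, one per line, without applying them (dry run, so they can be reviewed).
# REDIRECT on locally generated packets rewrites the destination to 127.0.0.1, so the redirected
# flows leave via lo and are accepted; anything else from the group is logged and dropped.
# Only the OUTPUT chain supports the owner match, and IPv6 needs the same rules via ip6tables.
sandbox_rules() {
  grp="$1"; http_port="$2"; dns_port="$3"
  cat <<EOF
iptables -t nat -A OUTPUT -m owner --gid-owner $grp -p udp --dport 53 -j REDIRECT --to-ports $dns_port
iptables -t nat -A OUTPUT -m owner --gid-owner $grp -p tcp -m multiport --dports 80,443 -j REDIRECT --to-ports $http_port
iptables -A OUTPUT -m owner --gid-owner $grp -o lo -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $grp -j LOG --log-prefix "sandbox-drop: "
iptables -A OUTPUT -m owner --gid-owner $grp -j DROP
EOF
}

# Create the group if needed and load the rules (needs root inside the container).
apply_sandbox() {
  grp="$1"; http_port="$2"; dns_port="$3"
  getent group "$grp" >/dev/null || groupadd "$grp"
  sandbox_rules "$grp" "$http_port" "$dns_port" | sh -e
}

# Start the emulator with the sandbox group as its primary GID (sg does this) and with the
# built-in packet capture from the answer; remaining emulator options are passed through.
run_sandboxed_emulator() {
  grp="$1"; pcap="$2"; shift 2
  sg "$grp" -c "emulator -tcpdump '$pcap' $*"
}

# Usage (as root): sh sandbox.sh apply
#                  sh sandbox.sh run /tmp/guest.pcap -avd Pixel_6 -no-window   (AVD name hypothetical)
case "${1:-}" in
  apply) apply_sandbox sandbox 8080 5353 ;;
  run)   shift; run_sandboxed_emulator sandbox "$@" ;;
esac
```

Run `sh sandbox.sh` with no argument, then call sandbox_rules from the same shell, to inspect the rules before applying them.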

