Capturing iPhone traffic

This walk through will enable you to capture all traffic that ingresses or egresses the device. It will not differentiate between WLAN or Cellular traffic. If you’re on WiFi, no IP traffic should traverse the Cellular network. If you turn Wifi off, you’ll see your data flow over Cellular.

You’ll need :

  • A Mac with a 30pin/Lightning cable
  • An iPhone

Versions tested :

  • Mac OS X 10.11.6
  • iOS 9.3.3

Procedure:-

Install Xcode on Mac OS X – beware, 4GB download.

Install Wireshark on Mac OS X – no need to beware. Not a 4GB download.

Xcode will make the rvictl tool available to you and despite other tutorials using tcpdump, you can actually capture straight into Wireshark from the remote virtual interface that we’ll create.

Attach an iPhone to the Mac with the cable and allow the Mac to be trusted by the iPhone so it appears in iTunes.

Viewing the iPhone summary page in iTunes, the section which includes the Capacity and Phone Number also has the Serial Number. If you click on the words Serial Number, the display rotates through UDID, ECID and Product Type. We want the UDID

Hold Ctrl and click the UDID string which is a stupid long alphanumeric. Choose copy.

Open a terminal window.

In the terminal window, enter rvictl –s with whitespace after the “-s” and hold Ctrl and click the terminal window to then choose “Paste”

The resulting command should look like:

Macbook$ rvictl –s 23cf3b0ce86e059dd87e53b507858abc99c

When finished with the procedure after using either tcpdump or Wireshark, use the -x form.

rvictl

You can then either use tcpdump if you want to simply save the data to a file for review later, or if you’d like the feeling of ‘watching the traffic’ too, fire up Wireshark and capture from the rvi0 interface. Treat Wireshark like you would in any other packet capture situation.

tcpdump syntax to capture to a file called iphone_capture.pcapng would look like this:

tcpdump -n -i rvi0 -w iphone_capture.pcapng

Use Ctrl+C to stop the capture in tcpdump.

When you’re done, simply stop the remote virtual interface as described earlier and disconnect your phone.

Happy capturing!

 

Advertisements