iPhone and WireShark

iphone packet packet-capture sniffing packet-sniffers
131,230

Solution 1

Update (2021-04-01): Paros no longer can be easily installed and run on many OS's due to using an extremely old version of Java.

However there is now OWASP ZAP which is a fork of Paros and can be used to achieve the same ends.

Basic steps are:

  1. Install ZAP's root CA certificate on your iOS device.
  2. Configure the proxy settings of the iOS device to point to your running ZAP.
  3. Capture away.

Thre is a blogpost by Omer Levi Hevroni on OWASP ZAP with iOS which goes into significantly more detail on how to do these steps.

You can use Paros to sniff the network traffic from your iPhone. See this excellent step by step post for more information: http://blog.jerodsanto.net/2009/06/sniff-your-iphones-network-traffic/. Also, look in the comments for some advice for using other proxies to get the same job done.

One caveat is that Paras only sniffs HTTP GET/POST requests using the method above, so to sniff all network traffic, try the following:

  1. Just turn on network sharing over WiFi and run a packet sniffer like Cocoa Packet Analyzer (in OSX).
  2. Then connect to the new network from iPhone over WiFi. (SystemPreferences->Sharing->InternetSharing)

If you're after sniffing these packets on Windows, connect to the internet using Ethernet, share your internet connection, and use the Windows computer as your access point. Then, just run Wireshark as normal and intercept the packets flowing through, filtering by their startpoints. Alternatively, try using a network hub as Wireshark can trace all packets flowing through a network if they are using the same router endpoint address (as in a hub).

Solution 2

This worked for me:

  1. Connect your iOS device by USB

  2. $ rvictl -s UDID where UDID is the UDID of your device (located in XCode under Devices, shortcut to with 2)

  3. $ sudo launchctl list com.apple.rpmuxd

  4. $ sudo tcpdump -n -t -i rvi0 -q tcp or $ sudo tcpdump -i rvi0 -n

If victl is not working install Xcode and the developer tools.

For more info see Remote Virtual Interface and for the original tutorial here's the Use Your Loaf blog post

Solution 3

I have successfully captured HTTP traffic using Fiddler2 as a proxy, which can be installed on any Windows PC on your network.

  1. In Fiddler, Tools -> Fiddler Options -> Connections -> [x] Allow remote computers to connect.
  2. Make sure your windows firewall is disabled.
  3. On the iphone/ipod, go to your wireless settings, use a manual proxy server, enter the fiddler machine's ip address and the same port (defaults to 8888).

Solution 4

The following worked for iPhone 4S (iOS 5) and Macbook Pro (10.8.2)

  1. On your Mac, go to System Preferences > Sharing > Internet Sharing internetSharing

  2. On your iPhone, go to Settings > Wifi and choose your Mac as the Wifi Access Point. Press the blue detail disclosure next to it to and note down the IP Address (192.168.2.2 in my case). At this point, the wifi icon on Mac's your taskbar should change to the following: wifi

  3. Open wireshark. Click on start capture, and use the new bridge interface that should now be available among the options. wshark

  4. ???

  5. Profit!

As with all stuff networking related, you might have to restart wifi etc and repeat steps and invoke your favorite deity to get this incantation working :)

Solution 5

I had to do something very similar to find out why my iPhone was bleeding cellular network data, eating 80% of my 500Mb allowance in a couple of days.

Unfortunately I had to packet sniff whilst on 3G/4G and couldn't rely on being on wireless. So if you need an "industrial" solution then this is how you sniff all traffic (not just http) on any network.

Basic recipe:

  1. Install VPN server
  2. Run packet sniffer on VPN server
  3. Connect iPhone to VPN server and perform operations
  4. Download .pcap from VPN server and use your favourite .pcap analyser on it.

Detailed'ish instructions:

  1. Get yourself a linux server, I used Fedora 20 64bit from Digirtal Ocean on a $5/month box
  2. Configure OpenVPN on it. OpenVPN has comprehensive instructions
  3. Ensure you configure the Routing all traffic through the VPN section
  4. Be aware the instructions for (3) are all iptables which has been superseded, at time of writing, by firewall-cmd. This website explains the firewall-cmd to use
  5. Check that you can connect your iPhone to the VPN. I did this by downloading the free OpenVPN software. I then set up a OpenVPN certificate. You can embed your ca, crt & key files by opening up and embedding the --- BEGIN CERTIFACTE --- ---- END CERTIFICATE --- in < ca > < /ca > < crt >< /crt>< key > < /key > blocks. Note that I had to do this in Mac with text editor, when I used notepad.exe on Win it didn't work. I then emailed this to my iphone and picked installed it.
  6. Check the iPhone connects to VPN and routes it's traffic through (google what's my IP should return the VPN server IP when you run it on iPhone)
  7. Now that you can connect go to your linux server & install wireshark (yum install wireshark)
  8. This installs tshark, which is a command line packet sniffer. Run this in the background with screen tshark -i tun0 -x -w capture.pcap -F pcap (assuming vpn device is tun0)
  9. Now when you want to capture traffic simply start the VPN on your machine
  10. When complete switch off the VPN
  11. Download the .pcap file from your server, and run analysis as you normally would. It's been decrypted on the server when it arrives so the traffic is viewable in plain text (obviously https still encrypted)

Note that the above implementation is not security focussed it's simply about getting a detailed packet capture of all of your iPhone's traffic on 3G/4G/Wireless networks

Share:
131,230
Strawberry
Author by

Strawberry

I want to learn industry practices and apply them to my projects to make myself successful

Updated on July 12, 2022

Comments

  • Strawberry
    Strawberry almost 2 years

    How can I sniff packets from my iPhone on my network? can someone give me some instructions? I tried Googling, but nothing teaches how to sniff iPhone packets、

    I am on windows.

  • Strawberry
    Strawberry over 14 years
    Thanks, if I wanted to sniff all the packets what program can I use for windows?
  • Rob Napier
    Rob Napier over 14 years
    +1 This is the rig I use all the time. Works great. The hardest part is finding a hub these days... Personally I use a Netgear DS104.
  • hmqcnoesy
    hmqcnoesy over 12 years
    +1 Great suggestion. I found this for a step-by-step: here. Also, help with getting https on fiddler's site and here
  • William Jockusch
    William Jockusch over 11 years
    The blog post does not make one thing clear: how do you get the address to use for the proxy? What you should do is startup the "network utility" app on your mac. You will see an "IP Address" on the Info tab (the first tab). That is the address you should use.
  • Yozef
    Yozef over 10 years
    This is not for packets passing via the iPhone
  • Mike S
    Mike S over 10 years
    The instructions in the link are really bad. There are tons of people who can't get it working (see the comments). The author appears to arbitrarily pick an IP address to act as the proxy. But it should be the IP address of the computer/laptop.
  • PompeyPaul
    PompeyPaul almost 9 years
    In the end, just to finish up, I found out what was eating the data. I had it configured as a personal hotspot and if I rebooted the router then my PC would connect to it and route all data through it. So in the end I discovered I had to reset the router when the PC was doing some sort of network traffic and that killed my data!
  • Jeff
    Jeff over 5 years
    I would recommend reading man page for tcpdump to understand what the flags are. Also, there seems to be a difference in output between stdout and using -w flag. See also stackoverflow.com/a/19873132/307944
  • sam1370
    sam1370 over 3 years
    I can get Paros to work as far as SSL errors, but that's all I can get. Pretty useless for sniffing traffic from legitimate applications which don't accept invalid certs
  • Nubcake
    Nubcake about 3 years
    The OP is asking how to do this on Windows
  • Nubcake
    Nubcake about 3 years
    Paros doesn't even work on Windows anymore.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to capture network packet in Android without using any root permissions
How to decode and play back rtp captured packets using Wireshark?
Packet Sniff over Wi-Fi
Can 3G networks be packet sniffed / analyzed?
Why is the "don't fragment" flag set in https and ssh protocols?
tcpdump: capture one of several vlans
Capturing wireless traffic (using Wireshark)
TCP Sequence & Acknowledgment numbers
how can I dump only outgoing IP packets in tcpdump?
How to find the packet loss in Wireshark?