Capturing network packets on iOS

Last update: 28 October, 2018

In this guide, we’ll show you how to capture network packets on iOS step-by-step to help you diagnose and resolve connectivity problems.

There are many tools that allow us to capture packets on different operating systems, including Mac. However, in mobile systems and especially in iOS, this task becomes a bit more complicated. Let’s see how we can do it.

In order to capture packets directly from iOS, we would need to put the network card in monitor mode. However, as a preventive measure, Apple does not allow this. There are external tools that can change the state of the network card, but they require the device to be jailbroken, which we rule out here. Even so, there is an easy way to do it using our Mac as an intermediary for the packets that our iOS device sends or receives.

Obtain UDID

The first thing we have to do is connect our device to the Mac via USB. We open iTunes, navigate to our iOS information and in the general section, the identifying elements of the device are located, something like this should appear:

[Image: UDID shown in the iTunes device summary]

If the UDID is not displayed at first, click on the value shown on the last line; it cycles through several identifiers until the UDID appears.

Create a virtual remote interface

To capture packets, the Mac must create a remote virtual network interface that represents the iOS device’s network interface and through which all packets pass. We open the terminal and type the following command (we need to have Xcode’s Command Line Tools installed):


rvictl -s <UDID>

This command creates the interface of the device whose UDID we have indicated. It is worth noting that we can run this command with several devices at the same time, as long as all of them are connected by cable. We can list the network interfaces using the command:


ifconfig -l

If the interface appears, it is already configured to perform the capture.

Perform the capture

There are several tools for capturing packets, some with a graphical interface like Wireshark and others without one like tcpdump. I personally will use tcpdump, which comes pre-installed on the system and is very easy to use. In the terminal, we run the following command:


sudo tcpdump -i rvi0 -w ./output.pcap

The parameters are as follows:

  • -i: We tell it which interface we want to listen to, in our case it is rvi0 which is the one we created earlier with the UDID of the device.
  • -w: Path and name of the file where we want to write the capture. For this example, we will use ./output.pcap in the current directory.

After hitting enter, tcpdump will start capturing packets from the device and displaying the number of packets captured so far. Everything we do on the iPhone or iPad will be recorded in the capture file. When we have finished the connections on the device, we just have to stop the capture by pressing Ctrl+C.

When you are done, don’t forget to execute the following command to remove the remote interface:


rvictl -x <UDID>

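As an added example that is not part of the original guide, the following shell script wraps the rvictl and tcpdump steps above so that the remote interface is always removed when the capture ends, even after Ctrl+C, and detects the new rvi interface by comparing ifconfig -l before and after rvictl -s instead of assuming it is rvi0. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): capture an iOS device's
# traffic through the Mac's remote virtual interface and always clean up.

# Print the rvi interfaces found in an `ifconfig -l` listing.
# Takes the listing as an argument so it can be checked without a device.
rvi_interfaces() {
    listing="$1"
    for name in $listing; do
        case "$name" in
            rvi[0-9]*) printf '%s\n' "$name" ;;
        esac
    done
}

# Print the rvi interface that exists in the listing taken after
# `rvictl -s` but not in the one taken before it (several devices may be
# attached, so rvi0 is not necessarily ours). Returns 1 if none appeared.
new_rvi_interface() {
    before="$1"; after="$2"
    before_rvi=" $(rvi_interfaces "$before" | tr '\n' ' ') "
    for name in $(rvi_interfaces "$after"); do
        case "$before_rvi" in
            *" $name "*) ;;                       # belongs to another device
            *) printf '%s\n' "$name"; return 0 ;;
        esac
    done
    return 1
}

# Usage: capture_ios <UDID> <output.pcap>
capture_ios() {
    udid="$1"; out="$2"
    before=$(ifconfig -l)
    rvictl -s "$udid" || { echo "rvictl -s failed for $udid" >&2; return 1; }
    # Remove the interface whenever the script exits, Ctrl+C included.
    # Double quotes expand $udid now, so the trap does not depend on it later.
    trap "rvictl -x '$udid'" EXIT
    after=$(ifconfig -l)
    iface=$(new_rvi_interface "$before" "$after") || {
        echo "no rvi interface appeared for $udid" >&2; return 1; }
    echo "capturing $iface to $out (press Ctrl+C to stop)"
    sudo tcpdump -i "$iface" -w "$out"
}

# Run only when invoked with arguments, e.g. ./capture.sh <UDID> ./output.pcap
if [ $# -ge 1 ]; then
    capture_ios "$1" "${2:-./output.pcap}"
fi
```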
As you can see, this is an easy and fast way to capture network packets on iOS. If you have any questions, feel free to use the contact methods to ask.

Source: Wireshark
