Thursday, April 9, 2015

Wireless Packet Capture on an iOS Device

Normally, when you have a network problem with a wireless device, you fire up Wireshark and take a packet capture. On a Mac you can even capture in monitor mode and look at the 802.11 management frames.

But on an iOS device there isn't an app for that. Luckily, Apple does provide a way to capture network traffic from an iOS device through a connected Mac. This Apple KB explains how: Getting a Packet Trace. One caveat up front: what you get is the device's IP traffic (over Wi-Fi or cellular) as seen by the device, not raw 802.11 frames. The remote virtual interface is not monitor mode, so beacons, probes and other management frames are not visible.

The document is aimed at developers and contains a lot of information a network engineer isn't interested in. Here is an easy-to-follow summary of the steps needed to do the capture. You need Xcode installed on the Mac, since the rvictl tool used below ships with it.

Determine the UDID of the iOS device

To find the UDID, connect the iOS device to a MacBook, click the Apple icon at the top left, select "About This Mac" and click "System Report". When it opens, click USB on the left and select the device. The UDID is listed as Serial Number. In this case it is 6bbed03e410f0523d88a50664060b34ad07fe3b9.

Start the Remote Virtual Interface for the iOS Device

Now that we have an iOS device and its UDID we can start the remote virtual interface (rvi) for the device. With the iOS device still connected to the Mac, open a Terminal window and enter:

$ rvictl -s 6bbed03e410f0523d88a50664060b34ad07fe3b9

Starting device 6bbed03e410f0523d88a50664060b34ad07fe3b9 [SUCCEEDED]

Use ifconfig to confirm the new interface exists:

$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0 rvi0

If you are using Wireshark, select rvi0 as the capture interface. If you start more than one device the interfaces are numbered rvi0, rvi1 and so on; rvictl -l lists the devices that currently have an interface.

Using tcpdump to capture the traffic

You can use Wireshark to capture and display the traffic. If you just need to capture traffic for later analysis you can use tcpdump, which is built into the Mac:

$ sudo tcpdump -i rvi0 -w iPhone.pcap

To stop the capture, press Ctrl+C. When you are finished, tear the interface down again with rvictl -x 6bbed03e410f0523d88a50664060b34ad07fe3b9 (the same UDID you started it with); otherwise it stays up.

iOS 7 / OS X Mavericks and later break Wireshark, but here is a workaround

The Wireshark forum has a thread on it: Mavericks cannot capture from iPhone using rvi. The problem is that rvi captures on Mavericks are written with link-layer type 149 (DLT_USER2) and an Apple-specific pseudo-header in front of each packet, which older Wireshark releases do not know how to decode. Recent Wireshark releases dissect this header themselves, so check whether updating Wireshark fixes it before resorting to the DLT_USER workaround below.

From the thread:

As others mentioned, the workaround is to enable the DLT_USER protocol #149 in Wireshark. From my experience the actual header and protocol is different depending whether your device is connected using wifi or radio:

* when connected with radio (3G): set header length to 112, and protocol to ip
* when connected with wifi: set header length to 108, and protocol to eth

A follow-up post in the same thread:

This is just to confirm that the above approach (set header length to 108, and protocol to eth) works for me. I can capture live and see all the info about my SIP packets during capture.
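Putting the steps above together, here is a small shell script that finds the UDID from the command line instead of the System Report GUI, starts the rvi, runs tcpdump until Ctrl+C, tears the interface down again, and prints the tshark option that applies the DLT_USER workaround from the forum thread. This is an added example, not code from the original post, from Apple or from the Wireshark thread. It assumes Xcode (for rvictl), tcpdump and tshark are installed on the Mac; the sample system_profiler output embedded in it is constructed so the UDID parser can be exercised without a device attached.

```shell
#!/bin/sh
# capture_iphone.sh - capture an iOS device's traffic through the Remote Virtual
# Interface on a Mac. Added example; assumes rvictl (from Xcode), tcpdump and
# tshark are present. Only the pure-shell helpers run without a device.
set -eu

# Constructed sample of `system_profiler SPUSBDataType` output (not a real
# device report). A non-Apple device is listed first to show it is skipped.
SAMPLE_USB_REPORT='USB:

    USB 2.0 Bus:

      USB Keyboard:

          Product ID: 0x0220
          Serial Number: 000000000000

      iPhone:

          Product ID: 0x12a8
          Vendor ID: 0x05ac  (Apple Inc.)
          Serial Number: 6bbed03e410f0523d88a50664060b34ad07fe3b9
          Manufacturer: Apple Inc.
'

# Read system_profiler text on stdin and print the first 40-hex-character
# "Serial Number" that follows an iPhone/iPad/iPod entry (that is the UDID).
udid_from_usb_report() {
    awk '
        /^ *iPhone:|^ *iPad:|^ *iPod:/ { in_dev = 1 }
        in_dev && /Serial Number:/ && length($3) == 40 && $3 ~ /^[0-9a-f]+$/ {
            print $3; exit
        }
    '
}

# The user_dlts row for Wireshark/tshark that decodes an rvi capture written as
# DLT 149 (User 2) on Wireshark versions that cannot decode it natively.
# Header sizes and payload protocols are the ones reported in the forum thread:
# 108 bytes then Ethernet for Wi-Fi, 112 bytes then IP for cellular.
# Columns: DLT, payload protocol, header size, header protocol, trailer size,
# trailer protocol.
rvi_user_dlt() {
    case "$1" in
        wifi)     printf '%s\n' '"User 2 (DLT=149)","eth","108","","0",""' ;;
        cellular) printf '%s\n' '"User 2 (DLT=149)","ip","112","","0",""' ;;
        *)        echo "usage: rvi_user_dlt wifi|cellular" >&2; return 1 ;;
    esac
}

# Start the rvi for the given UDID, capture on rvi0 until Ctrl+C, and remove the
# interface again on exit (rvictl -x) so it does not linger after the capture.
capture_iphone() {
    udid="$1"
    out="${2:-iPhone.pcap}"
    rvictl -s "$udid"
    trap 'rvictl -x "$udid"' EXIT
    trap 'exit 130' INT          # Ctrl+C ends tcpdump, then the EXIT trap runs
    # -s 0 keeps whole packets; -n avoids DNS lookups slowing the capture.
    sudo tcpdump -i rvi0 -s 0 -n -w "$out"
}

# Only perform a real capture when invoked as: sh capture_iphone.sh capture [file]
# Running with no arguments just defines the helpers above.
if [ "${1:-}" = "capture" ]; then
    udid="$(system_profiler SPUSBDataType | udid_from_usb_report)"
    [ -n "$udid" ] || { echo "no iOS device found on USB" >&2; exit 1; }
    pcap="${2:-iPhone.pcap}"
    echo "capturing from $udid into $pcap (Ctrl+C to stop)"
    capture_iphone "$udid" "$pcap"
    echo "if Wireshark shows DLT 149 undecoded, open the file with:"
    echo "  tshark -r $pcap -o 'uat:user_dlts:$(rvi_user_dlt wifi)'"
fi
```

The same uat:user_dlts value can be set in the Wireshark GUI under Edit > Preferences > Protocols > DLT_USER, which is what the forum posts describe; the tshark -o form is handy when you only have the pcap and a terminal. Use the cellular row instead of the wifi row when the device was on 3G/LTE during the capture.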

Resources

Enterprise Best Practices for Apple Mobile Devices on Cisco Wireless LANs
