Gilles' Blog
For marketers
who love technology
Home » , , , » Wireshark packer sniffer: How to capture iPhone iOS packets?

Wireshark packer sniffer: How to capture iPhone iOS packets?

How to Use Wireshark to Sniff Ios App Requests

If you want to use wireshark on an IOS app or TCPdump for iphone traffic, you are on the right post! I wanted to analyze the traffic that my phone generates. On a computer such packet capture is super easy to do:
  • If you are interested in HTTP traffic, you use Google Chrome developer tools or firebug. 
  • If you want all the network layers with full visibility, then you use tcpdump or Wireshark.
However, how to capture the traffic from my iPhone? Turns out it is pretty easy, as you should see below. And you do not even need to install a paid iPhone sniffer app, you can just use wireshark on your computer and sniff iPhone traffic. Have fun!

First, check your UDID/AdID/AIFA

  1. Connect your iPhone to the mac through a USB cable
  2. Install and open Xcode
  3. In the Xcode menu bar, go to Window > Devices. You should a screen like this:
  4. See the identifier line? That's the UDID of the phone, also called AdID. That's the ID advertisers use to track your activity on the web. Note this AdID, we will use it to capture the traffic of generated by the iPhone.
  5. In the Xcode window, you have access to the device logs, the list of apps and a bunch of information about anything you have done with your iPhone.

How to wireshark the iPhone's Apps and web network traffic

We will proceed in two steps:
  1. We create a virtual interface of your mac, dedicated to iPhone's traffic
  2. We run a capture on this specific interface
Let's start with the creation of the virtual interface.
  1. Open a Terminal window.
  2. Enter following command to create a network interface dedicated to the iPhone's traffic:
    3.  rvictl -s YourIDFA

  3. As you can see through ifconfig, the interface creation was successful.
  4. To remove this interface after you are done with your capturing, use following command:
    5.  rvictl -x YourIDFA

Now, let's capture the iPhone's communications:
  1.  Install and open Wireshark.
  2. You should see our virtual interface rvi0 listed among the capture interfaces:
  3. Double click on rvi0 to start a live capture. Open any App on your iPhone, to trigger information exchanges. Your screen will update with every IP packet sent / received by the iPhone.
  4. Stop the capture with the red square button at the top of Wireshark window.
Finally let's analyze the Wireshark trace we have gathered:
  1.  In Wireshark menu, go to Analyze > Follow > TCP stream.
  2. The Wireshark filter changes to "tcp.stream eq 0", it means that you are seeing only the packets related to the first TCP connection established. Edit the TCP connection number of trigger the "Follow > TCP stream" command on a specific packet, to analyze the exact TCP streams you are interested in.
  3. Now let's say I am interested in ad-calls, so I want only the traffic related to well known advertising platforms. I'll go to Statistics > Resolved Addresses to see which domains are involved in the captured network exchanges.
  4. You can play a do a lot of things, Wireshark is super powerful. A quick tip: in the capture options enable network address resolution: it makes it easier to analyze the capture.
Of course, most of the traffic is encrypted. So your capture will exhibit gibberish content. Don't be surprised. Especially with Apple moving towards full encryption of Apps communication with Application Transport Security (ATS) end of 2016.

To conclude the tutorial, let's consider a case where you just want to see TCP packets that bear your adId anywhere in their content. For this, tcpdump could be more convenient than Wireshark.

 tcpdump -i rvi0 -A -vvv  -s0 -w capture.txt

In above command we use:
  • -i option to indicate the interface we want to capture 
  • -A option to show the packet contents in ascii
  • -vvv to see as much information as possible
  • -s0 to capture full packets, not just the first few bytes
  •  -w to write the capture to a file
Cut the capture when you are done with cmd+c or ctrl+c. Then we can use the usual suspects: grep, cat, to analyze the captured file.



Have fun !
SHARE

About Gilles

18 comments :

  1. Radhika PothukuchiFebruary 16, 2017 at 7:38 PM

    Very Helpful!!! Thank you!!

    ReplyDelete
  2. GillesFebruary 16, 2017 at 8:39 PM

    Happy to help :) thanks for your appreciation Radhika!

    ReplyDelete
  3. hellanadamAugust 7, 2017 at 11:40 AM

    I am expecting more interesting topics from you. And this was nice content and definitely it will be useful for many people.
    ios App Development Company
    Mobile App Development Company
    Best Mobile App Development Company

    ReplyDelete
  4. deepana deepuSeptember 1, 2017 at 12:58 PM

    This article was very helpful ios online training Hyderabad

    ReplyDelete
  5. AndyFebruary 26, 2018 at 3:39 PM

    I have an app that controls my TV over WiFi. I would like to be able to control the TV from my home automation system, could I get a list of commands that the app sends by using this method?

    ReplyDelete
  6. helen shapiroApril 10, 2018 at 12:21 PM

    it is a beautiful post, and I want to say thank you so much for sharing this information.
    digital marketing services in india

    ReplyDelete
  7. SEO LHRApril 18, 2018 at 8:51 AM

    IOS development is growing
    mobile games development toronto
    c/c++ development company
    java development company
    - Amna

    ReplyDelete
  8. AnonymousJuly 19, 2018 at 3:38 PM

    Thank you!

    ReplyDelete
  9. Farooq AppenterprisesAugust 16, 2018 at 6:57 AM


    Healthisgod is the only complete health and wellness website that you may describe as it yours. We created a site that introduces the collection of health and lifestyle information supported by reliable content providers and genuine user reviews. This is a sincere effort on our part to bring forth a user experience which is engaging, moving, and interactive. Visit for more- Health is God

    ReplyDelete
  10. Mediahub newsAugust 16, 2018 at 1:38 PM

    Fantastic article to go through, I would appreciate the writer's mind and the skills he has presented this great article to get its look in better style. It really brushed up my mind and I am now feeling very much relaxed after getting complete summary regarding every singl aspect of the article, once again I would like to thank you for such great creativity. Fmovies

    ReplyDelete
  11. sweetiAugust 19, 2018 at 12:40 PM

    I think this is a real great article post.Really looking forward to read more. Visit at
    Crazy Video Hub

    ReplyDelete
  12. alisha dsouzaSeptember 2, 2018 at 8:29 AM

    Hi, I am alisha dsouza thank you for this informative post.Fantastic article to go through,I would appreciate the writer's
    123movies

    ReplyDelete
  13. Nutra T lineSeptember 8, 2018 at 5:29 PM

    It is a great job, I like your posts and wish you all the best. and I hope you continue this job well.
    NutraT line

    ReplyDelete
  14. thomus jonsNovember 20, 2018 at 10:57 AM

    Hello, I am thomus jons thank you for this informative post. That is a great job. Wish you more success.Thank you so much and for you all the best. Takes Down
    123movies

    ReplyDelete
  15. TMB LearningDecember 24, 2018 at 6:52 AM

    Thank you so much for sharing. Keep updating your blog. It will very useful to the many users. F5 ASM Training | F5 LTM Training

    ReplyDelete
  16. AnonymousMay 17, 2019 at 2:00 PM

    thanks man, super info here!!!

    btw. xcode seems to give idiotic problems with license approval on first start, here the fix:
    $sudo xcodebuild -license accept

    ReplyDelete
  17. Willa AndersonJuly 13, 2019 at 10:18 AM

    Thanks for sharing this amazing article.iOs is now trending. And due to this the iPhone user have increased day by day. Thus iPhone app development is important to get innovative app.

    ReplyDelete