
Getting TCP Captures From an iOS Device via Wireshark

Hello dear readers,

The topic of this article will be network analysis. Recently, we received a complaint about slow performance related to a new feature that was implemented at work. The product has been released to production but has not yet been opened to customers. The complaint from the business unit is ‘slowness when opening screen z during process y on screen x,’ but there are many processes occurring behind that perceived slowness.

The system involves a multitude of components, including mobile devices, native applications, webviews, Kubernetes services, and services running on virtual servers. We immediately turn to our APM product and set up the relevant server configurations, but there are still areas that it cannot monitor. We examine real-time network analysis using a network monitoring tool, but neither tool reveals any significant issues on the server side.

In such a situation, I decided to shift my focus to the client side and conduct a client-focused investigation. This meant trying a method we had not used before. It is not a groundbreaking discovery of ours; we simply needed it for the first time, so we were using it for the first time.

Let’s start with the requirements:

  • Wireshark
  • A Mac with Xcode installed
  • A cable to connect the iPhone to the Mac

First, we connect the iPhone to the Mac and open Xcode. For this task, we need the identifier (UDID) of our iPhone. After opening Xcode, we go to Window > Devices and Simulators in the top menu. Here, we select our iPhone under Connected in the left pane and write down the Identifier value shown on the resulting screen.

After that, we open a terminal window and navigate to the directory /Library/Apple/usr/bin.

cd /Library/Apple/usr/bin

Then, we will use the rvictl tool (Remote Virtual Interface) located in this directory to expose our iPhone as a virtual network interface on the Mac. We will pass it the identifier we copied from Xcode.

./rvictl -s <identifier of iPhone>

You will see a success message and the interface name, similar to "Starting device <identifier> [SUCCEEDED] with interface rvi0". The first device started is named rvi0; a second device would get rvi1.

Now, let’s look for this interface (rvi0) in the interface list on Wireshark’s main screen.

Once it appears there, the interface has been added and is ready and waiting for packet capture. I strongly recommend starting with capture filters at this point, for example restricting the capture to the backend hosts and TCP ports involved in the slow process. This is because the amount of traffic flowing from your phone due to social media, e-commerce applications, etc., is enormous, and all of it ends up in the capture file. You’ll see what I mean if you start capturing without filters.

Once you’re finished, you might want to stop the interface. You can do this using the -x flag instead of -s, even while the device is still connected (rvictl -l lists the interfaces currently started).

./rvictl -x <identifier of iPhone>

After this, you will see that the interface has been successfully stopped and has also been removed from the main Wireshark screen.
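The whole procedure above, wrapped into a script as an added example (this is not code from the original post, nor Apple's or Wireshark's own): it validates the identifier copied from Xcode, builds a capture filter restricted to the backend hosts and ports under investigation, starts the virtual interface with rvictl, captures for a fixed time with tshark (Wireshark's command-line companion), and stops the interface afterwards even if the capture is interrupted. It assumes a Mac with Xcode installed (rvictl at /Library/Apple/usr/bin, as on the page), tshark on the PATH, and rvi0 as the interface name rvictl gives the first device started; the host names and ports in the usage line are constructed sample values.

```bash
#!/bin/bash
# Added example: automate the rvictl + Wireshark workflow described in the post.
# Assumptions: macOS with Xcode (rvictl in /Library/Apple/usr/bin) and tshark on PATH.
set -u

RVICTL=/Library/Apple/usr/bin/rvictl

# Accept the two identifier formats Xcode shows: 40 hex digits (older devices)
# or 8 hex digits, a dash, then 16 hex digits (newer devices).
validate_udid() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{40}|[0-9A-Fa-f]{8}-[0-9A-Fa-f]{16})$'
}

# Build a BPF capture filter limited to the backend hosts and TCP ports of
# interest, so the capture is not flooded by unrelated apps on the phone.
# Usage: build_capture_filter "host1 host2" "443 8443"
build_capture_filter() {
    hosts=$1
    ports=$2
    host_expr=""
    for h in $hosts; do
        host_expr="${host_expr:+$host_expr or }host $h"
    done
    port_expr=""
    for p in $ports; do
        port_expr="${port_expr:+$port_expr or }tcp port $p"
    done
    printf '(%s) and (%s)' "$host_expr" "$port_expr"
}

# Start the virtual interface, capture for a fixed number of seconds, then
# stop the interface (also on Ctrl-C) so no stray rvi interface is left behind.
# Usage: capture_ios <udid> <output.pcapng> <capture filter> [seconds]
capture_ios() {
    udid=$1; out=$2; filter=$3; seconds=${4:-60}
    validate_udid "$udid" || { echo "invalid identifier: $udid" >&2; return 2; }
    "$RVICTL" -s "$udid" || return 1
    trap '"$RVICTL" -x "$udid"' INT TERM
    # rvi0 is the interface name rvictl assigns to the first device started.
    tshark -i rvi0 -f "$filter" -a "duration:$seconds" -w "$out"
    status=$?
    trap - INT TERM
    "$RVICTL" -x "$udid"
    return $status
}

# Example invocation (constructed values):
#   ./ios_capture.sh run 00008030-000A1B2C3D4E5F60 slow_screen.pcapng \
#       "api.example.internal 10.20.30.40" "443 8443" 120
if [ "${1:-}" = "run" ]; then
    capture_ios "$2" "$3" "$(build_capture_filter "$4" "$5")" "${6:-60}"
fi
```

The filter is applied at capture time (tshark -f), not as a display filter afterwards, which is what keeps the file small; the resulting pcapng can then be opened in Wireshark for analysis. Note that even a filtered capture taken this way can contain traffic from any app on the phone that talks to those hosts, so treat the file as sensitive data.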

Source: https://forums.ivanti.com/s/article/KB44358?language=en_US
