Previously, I usually connected through my iMac's WiFi and then used HTTPScoop or Charles to capture and analyse the traffic. The former is very easy to use and an essential tool for protocol debugging, but it is updated too slowly and version 2.0 is already old. I have never used the latter; I heard it is written in Java. Both are also expensive: the former costs 15 US dollars, the latter 50 US dollars.
I also installed Wireshark, but its interface is not pleasant to use, so I deleted it soon after installing it. Although HTTPScoop is easy to use, it only handles the HTTP protocol and is useless for raw socket communication.
Today I saw this article on resow, which introduces using Xcode's built-in tools to capture and view all types of data packets.
(The following content is from resow)
For various purposes you may need to capture packets on iOS, for example to check whether installed software uploads anything without permission, or to study how certain features are implemented.
There are many ways to capture packets on iOS; see Apple Technical Q&A 1176. It is comprehensive, listing the tools and specific steps for each of the supported methods.
However, the Q&A does not give one complete process, and some steps are missing. Moreover, the most common approach is capturing on the network through an HTTP proxy, and its drawback is that EDGE/3G packets cannot be captured: if you cannot set a proxy for WiFi, there is no way to capture at all.
The method described below solves this problem.
Requirements: iOS 5.0 or later, Mac OS, and Xcode installed
Apple added the Remote Virtual Interface (RVI) in iOS 5.0. Enabling it is very easy: connect the iOS device to the Mac via USB, open Terminal, and enter
rvictl -s [Your Device's UDID]
The terminal will then display the words
Starting device ********** [SUCCEEDED]
If this step produces an error, Xcode is probably not installed or the UDID is wrong.
Next, you can use
ifconfig -l
to view the interfaces on the current Mac, for example (the list differs from Mac to Mac):
lo0 gif0 en0 en1 fw0 rvi0
rvi0 is the remote virtual interface: the iOS device's network interface has been virtualized on your Mac, and packets on this interface can be captured with tcpdump.
sudo tcpdump -i rvi0 -n -s 0 -w dump.pcap tcp
The important parameters above mean the following:
- -i rvi0: select rvi0 (the Remote Virtual Interface) as the interface to capture on
- -s 0: capture full packets rather than truncating them
- -w dump.pcap: set the name of the file the capture is saved to
- tcp: capture only TCP packets
Once tcpdump is running, start using the app you want to capture on the iOS device; the packets generated in the process are saved to dump.pcap. When you want to end the capture, simply terminate tcpdump.
The next step is to process the captured data. The dump.pcap that tcpdump saved contains raw packet data that some common packet-capture software (such as Charles) cannot parse, so a conversion is required.
Open the terminal. We need the tcprewrite tool; if it is not installed, it can be installed quickly through Homebrew:
brew install tcpreplay
tcprewrite is part of the tcpreplay suite. After the installation completes, enter
tcprewrite --dlt=enet --enet-dmac=00:11:22:33:44:55 --enet-smac=66:77:88:99:AA:BB --infile=dump.pcap --outfile=dumpFinal.pcap
If no error is reported, the conversion succeeded. Then open dumpFinal.pcap in Charles to view the packets.
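The tcprewrite step above exists because the rvi0 capture carries bare IP packets with no link-layer header, while Charles expects Ethernet frames. The following script is an added example, not code from the original post or from the tcpreplay project: it performs the same rewrite in pure Python so the conversion is transparent, parsing the classic pcap container, prepending a 14-byte Ethernet II header with the same destination and source MACs the post passes to tcprewrite, and picking the EtherType from each packet's IP version nibble. It assumes the input has link type 12 (DLT_RAW); any other link type is rejected rather than guessed, and the sample packets it ships with are constructed stand-ins for dump.pcap.

```python
"""Convert a DLT_RAW pcap (bare IP packets, no link layer) into a DLT_EN10MB
pcap by prepending a synthetic Ethernet II header to every record.

Added example, not code from the original post or from the tcpreplay project.
Assumption: the input capture uses link type 12 (DLT_RAW); other link types
are rejected.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap with microsecond timestamps
DLT_EN10MB = 1            # records start with a 14-byte Ethernet II header
DLT_RAW = 12              # records start directly at the IP header
ETH_HDR_LEN = 14
ETHERTYPE = {4: 0x0800, 6: 0x86DD}   # IP version nibble -> EtherType

# Constructed sample packets (not a real capture): a 20-byte IPv4 header with
# a bogus checksum plus 8 bytes of payload, and a bare 40-byte IPv6 header.
IPV4_PKT = bytes.fromhex("4500001c000100004006000ac0a80001c0a80002") + b"\x00" * 8
IPV6_PKT = b"\x60" + b"\x00" * 39


def mac_bytes(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into six raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("MAC must be six colon-separated octets: %r" % text)
    return bytes(int(p, 16) for p in parts)


def _endian(pcap_bytes):
    """Return the struct byte-order prefix implied by the pcap magic number."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic == PCAP_MAGIC:
        return "<"
    if magic == 0xD4C3B2A1:      # same magic written big-endian
        return ">"
    raise ValueError("not a classic pcap file (magic %#x)" % magic)


def parse_pcap(pcap_bytes):
    """Return (linktype, snaplen, records); a record is (ts_sec, ts_usec, orig_len, data)."""
    e = _endian(pcap_bytes)
    _, _, _, _, _, snaplen, linktype = struct.unpack(e + "IHHiIII", pcap_bytes[:24])
    records, pos = [], 24
    while pos < len(pcap_bytes):
        if pos + 16 > len(pcap_bytes):
            raise ValueError("truncated record header at offset %d" % pos)
        ts_sec, ts_usec, incl, orig = struct.unpack(e + "IIII", pcap_bytes[pos:pos + 16])
        pos += 16
        data = pcap_bytes[pos:pos + incl]
        if len(data) != incl:
            raise ValueError("truncated packet data at offset %d" % pos)
        pos += incl
        records.append((ts_sec, ts_usec, orig, data))
    return linktype, snaplen, records


def raw_to_ethernet(pcap_bytes, dmac, smac):
    """Rewrite a DLT_RAW pcap as DLT_EN10MB, like `tcprewrite --dlt=enet`."""
    linktype, snaplen, records = parse_pcap(pcap_bytes)
    if linktype != DLT_RAW:
        raise ValueError("expected DLT_RAW (12) input, got link type %d" % linktype)
    dst, src = mac_bytes(dmac), mac_bytes(smac)
    # Output is always written little-endian; snaplen grows by the header we add.
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen + ETH_HDR_LEN, DLT_EN10MB))
    for i, (ts_sec, ts_usec, orig, data) in enumerate(records):
        version = data[0] >> 4 if data else 0
        if version not in ETHERTYPE:
            raise ValueError("record %d does not start with an IPv4/IPv6 header" % i)
        frame = dst + src + struct.pack("!H", ETHERTYPE[version]) + data
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig + ETH_HDR_LEN)
        out += frame
    return bytes(out)


def build_sample_raw_pcap(endian="<", linktype=DLT_RAW):
    """Constructed stand-in for dump.pcap: two bare IP packets, no link layer."""
    buf = bytearray(struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, pkt in ((1, 0, IPV4_PKT), (1, 500, IPV6_PKT)):
        buf += struct.pack(endian + "IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return bytes(buf)


if __name__ == "__main__":
    import sys
    DMAC, SMAC = "00:11:22:33:44:55", "66:77:88:99:AA:BB"   # same values as the post
    if len(sys.argv) == 3:   # python rewrite.py dump.pcap dumpFinal.pcap
        with open(sys.argv[1], "rb") as f:
            converted = raw_to_ethernet(f.read(), DMAC, SMAC)
        with open(sys.argv[2], "wb") as f:
            f.write(converted)
    else:                    # no arguments: run on the constructed sample
        converted = raw_to_ethernet(build_sample_raw_pcap(), DMAC, SMAC)
        lt, _, recs = parse_pcap(converted)
        print("link type %d, %d records rewritten" % (lt, len(recs)))
```

Run it as `python rewrite.py dump.pcap dumpFinal.pcap` to mirror the tcprewrite invocation, or with no arguments to exercise the constructed sample. The script refuses link types other than DLT_RAW on purpose: if tcpdump reports a different link type for the rvi interface on your macOS version, use tcprewrite as the post describes rather than letting a guessed header offset silently corrupt every packet.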
----------------
I recently saw another article on a similar topic whose solution is roughly the same as the one above. Later it goes on to use HAR to view the HTTP packets; it is included here as a supplement.