More and more mobile devices such as iPhones and iPads appear in our workplace. They definitely changed the way people work, and increase productivity. However, these devices require new methods of troubleshooting when an issue occurred. Wireshark does not run on iPhones, but luckily anyone can easily obtain realtime packet captures with an OSX device.
To obtain a packet capture on an iOS device, you will need a MacBook that has Xcode installed. If Xcode does not exist on a macOS device, install it from the App Store and type the following in terminal.
sudo xcodebuild -license accept
Xcode comes with a tool named Remote Virtual Interface Tool (rvictl), and this allows you to create virtual interface on your OSX device. You just need to follow the steps below.
- Connect your iPhone to MacBook
- Find UDID of iPhone
- Run “rvictl -s ” in Terminal
- Open Wireshark and choose “rvi0” for the capturing interface
- Start capturing
Here are the steps in detail.
1. Connect your iPhone to MacBook
This does not require any instructions does it?
2. Find UDID of iPhone
The UDID of the iPhone appears on iTunes by clicking the serial number. Copy the UDID value by right clicking as rvictl requires this.
3. Run “rvictl -s ” in Terminal
4. Open Wireshark and choose “rvi0” for the capturing interface
5. Start capturing
This real time packet capturing for iPhone helped me track down one of the issues I had when testing Cisco Security Connector. Cisco Security Connector has a feature that connects to OpenDNS by communicating with QUIC packets and destination port 443, and the app showed “blah blah”. The realtime packet captures did not show any return packets from OpenDNS, and I found out that an internal network device dropped these.
APICLI 
very useful, great job
LikeLike