How do you monitor network traffic on the iPhone?

Question

We are looking for a Wireshark-like tool to use on the iPhone to test a 3rd party application before partnering with the 3rd party. Any suggestions?

score 52 · Answer 1 · answered Dec 28 '12 at 07:30

52

A man-in-the-middle proxy, like suggested by other answers, is a good solution if you only want to see HTTP/HTTPS traffic.

The best solution for packet sniffing (though it only works for actual iOS devices, not the simulator) I've found is to use rvictl. This blog post has a nice writeup. Basically you do:

rvictl -s <iphone-uid-from-xcode-organizer>

Then you sniff the interface it creates with with Wireshark (or your favorite tool), and when you're done shut down the interface with:

rvictl -x <iphone-uid-from-xcode-organizer>

This is nice because if you want to packet sniff the simulator, you're having to wade through traffic to your local Mac as well, but rvictl creates a virtual interface that just shows you the traffic from the iOS device you've plugged into your USB port.

Note: this only works on a Mac.

answered Dec 28 '12 at 07:30

mpontillo

13,559
7
62
90

1

This is the best solution – jakev Oct 23 '13 at 20:41
2

Agreed this is a great solution. I would further avoid xcode like this: `system_profiler SPUSBDataType | grep -A 10 iPhone | grep Serial` :P – Randall Hunt Mar 26 '14 at 20:03
Thanks for `system_profiler` solution, which is possible to automate on the command line while XCode solution is not! – Noah Sussman Aug 19 '15 at 16:49
does this work for https? – Sibish Apr 15 '17 at 16:25
@Sibish It works for all network packets. Yet if you want to break the TLS/SSL encryption, you need the private key for the server cert, capture the whole TLS/SSL session and force client (or server) to use a TLS/SSL key exchange w/o PFS, as then Wireshark can actually decrypt the TLS/SSL packets and show you the raw, decrypted content of data sent/received. – Mecki Dec 06 '17 at 22:27

score 36 · Answer 2 · edited Sep 09 '12 at 08:36

36

You didnt specify the platform you use, so I assume it's a Mac ;-)

What I do is use a proxy. I use SquidMan, a standalone implementation of Squid

I start SquidMan on the Mac, then on the iPhone I enter the Proxy params in the General/Wifi Settings.

Then I can watch the HTTP trafic in the Console App, looking at the squid-access.log

If I need more infos, I switch to tcpdump, but I suppose WireShark should work too.

edited Sep 09 '12 at 08:36

David Victor

830
9
29

answered Jan 12 '09 at 22:48

Stephan Burlot

5,077
3
25
26

6

For Windows users, Fiddler is an excellent tool for sniffing HTTP traffic. The one thing you need to know is in Fiddler to select Tools -> Fiddler Options -> Connections and check "Allow remote computers to connect". There you'll also find the port it listens on. On the iPhone, navigate to the WiFi network's properties, and enter your computer's IP Address and Fiddler's port in the HTTP Proxy section (with Manual setup). HTH. – Keith Robertson Jul 12 '12 at 17:48
1

Just to add, the logs will then be in ~/Library/logs/squid – Max Dec 07 '13 at 02:29
I am trying to do this but in wireshark, I can only see traffic going from the iphone to the proxy and then from the proxy to the internet. It seems as though squid man uses a tunnel between the iphone and the proxy. Is there any way to disable this? – joakimb Dec 28 '14 at 16:48
1

I'm a noob using Squid[man] and I had to search a little to realize I need to put my iPhone's ip into Squidman's client tab in Preferences, before my iPhone was able to access the web again. Just leaving this here to others who have the same problem. – rachel Jul 17 '16 at 16:18
How to connect to proxy via iphone? I've ran squid but could not connect via iphone, which ip address i need to use? – fdrv Feb 16 '21 at 03:14

score 24 · Answer 3 · edited Jun 10 '23 at 19:03

I use Charles Web Debugging Proxy it costs but they have a trial version.

It is very simple to set up if your iPhone/iPad share the same Wifi network as your Mac.

Install Charles on your Mac
Get the IP address for your Mac - use the Mac Settings > Network > Wi-Fi > Details
On your iPhone/iPad open the Wifi settings and under the "HTTP Proxy" change to manual and enter the IP from step (2) and then Port to 8888 (Charles default Port)
Open Charles and under the Proxy Settings dialogmake sure the “Enable Mac OS X Proxy” and “Use HTTP Proxy” are ticked
You should now see the traffic appearing within Charles
If you want to look at HTTPS traffic you need to do the additional 2 steps download the Charles Certificate Bundle and then email the .crt file to your iPhone/iPad and install.
In the Proxy Settings Dialog SSL tab, add the specific https top level domains you want to sniff with port 443.

If your Mac and iOS device are not on the same Wifi network you can set up your Mac as a Wifi router using the "Internet Sharing" option under Sharing in the System Preferences. You then connect your device to that "Wifi" network and follow the steps above.

Thanks for recommending this. Looks much nicer than the alternatives. Also, you can just navigate to a webpage to download the certs to the iOS device, no email required. (see Charles docs) — Sandy Chapman, Dec 04 '14 at 20:10
I'd like to add some quick tips for setting up Android manual proxy settings: 1. Go to Settings; 2. Press and hold on WiFi you're connected; 3. tap Modify Network; 4. scroll down to Show Advanced Options; 5. under Proxy Settings choose Manual; 6. set up IP and port as described in @jonewash answer; 7. Save. (aditional help: https://attentionshard.wordpress.com/2013/06/13/sniffing-ios-and-android-http-traffic/) — Andrej, Jul 28 '15 at 21:08
Just a heads up, charles actually doesn't work for facebook ot instagram. They have it patched. You might need a more granular level access... which I am still looking for. — Munib, Sep 27 '19 at 15:58

Chris Ballance · Answer 4 · 2010-11-09T19:22:29.790

18

Run it through a proxy and monitor the traffic using Wireshark.

edited Nov 09 '10 at 19:22

answered Jan 12 '09 at 21:31

Chris Ballance

33,810
26
104
151

score 16 · Answer 5 · edited Jun 20 '20 at 09:12

For Mac OS X

Install Charles Proxy
In Charles go to Proxy > Proxy Settings. It should display the HTTP proxy port (it's 8888 by default).

For Windows

Install Fiddler2
Tools -> Fiddler Options -> Connections and check "Allow remote computers to connect"

General Setup

Go to Settings > Wifi > The i symbol > At the bottom Proxy > Set to manual and then for the server put the computer you are working on IP address, for port put 8888 as that is the default for each of these applications

ARP Spoofing

General notes for the final section, if you want to sniff all the network traffic would be to use ARP spoofing to forward all the traffic from your iOS to a laptop/desktop. There are multiple tools to ARP spoof and research would need to be done on all the specifics. This allows you to see every ounce of traffic as your router will route all data meant for the iOS device to the laptop/desktop and then you will be forwarding this data to the iOS device (automatically).

Please note I only recommend this as a last resort.

This is exactly what I needed. It is simple and it works. Unfortunately I can only give +1. — das Keks, Jan 15 '14 at 16:27

score 10 · Answer 6 · answered Jun 28 '09 at 08:05

On a jailbroken iPhone/iPod capturing traffic is done nicely by both "tcpdump" and "pirni"- available in the cydia repository. Analysis of these data are done by tranfering the capture over to another machine and using something like wireshark. However, given the active development that seems to be going on with these tools it's possible that soon the iPhone will handle it all.

score 10 · Answer 7 · edited Sep 08 '14 at 22:24

10

The best solution I have found that Works:

Connect your device thru USB

And type these commands:

rvictl -s UDID - (id of device 20 chars, you can locate 4t in iTunes or organiser in Xcode)
sudo launchctl list com.apple.rpmuxd
sudo tcpdump -n -t -i rvi0 -q tcp
OR just sudo tcpdump -i rvi0 -n

If rvictl is not working install Xcode

For more info: Remote Virtual Interface

http://useyourloaf.com/blog/2012/02/07/remote-packet-capture-for-ios-devices.html

edited Sep 08 '14 at 22:24

answered Jan 11 '13 at 23:34

Oleh Kudinov

2,533
28
30

1

`rvictl` does not seem to be a part of the command line tools for 10.10 – Joseph Oct 24 '14 at 15:26
Please check this out: http://stackoverflow.com/questions/21559537/bash-rvictl-command-not-found-mac-book-pro-os-x-10-7-5-xcode-4-6 – Oleh Kudinov Dec 09 '15 at 09:14
remember that UDID value must be in lower case! – Yekver Sep 13 '17 at 15:40

score 9 · Answer 8 · answered Feb 08 '09 at 08:47

9

Without knowing exactly what your requirements are, here's what I did to see packts go by from the iPhone: Connect a mac on ethernet, share its network over airport and connect the iPhone to that wireless network. Run Wireshark or Packet Peeper on the mac.

answered Feb 08 '09 at 08:47

Rog

17,070
9
50
73

1

Follow up: Here is a simple guide to monitor the complete traffic by using Wireshark and the Mac OS Internet Sharing: http://corecocoa.wordpress.com/2011/11/22/network-sniffing-on-the-iphone/ – jaltek Jan 14 '13 at 16:21
You can also connect iphone via usb on your mac and share internet of mac to iPhone. – kurtanamo May 30 '16 at 08:53

palaniraja · Answer 9 · 2011-04-14T12:51:41.720

6

Here is another way http://www.tuaw.com/2011/02/21/how-to-inspect-ioss-http-traffic-without-spending-a-dime/

I didn't see Roger Nolan's reply, the above link is same workflow with a different tool.

edited Apr 14 '11 at 12:51

answered Apr 14 '11 at 12:43

palaniraja

10,432
5
43
76

score 3 · Answer 10 · answered Apr 11 '11 at 16:57

Depending on what you want to do runnning it via a Proxy is not ideal. A transparent proxy might work ok as long as the packets do not get tampered with.

I am about to reverse the GPS data that gets transferred from the iPhone to the iPad on iOS 4.3.x to get to the the vanilla data the best way to get a clean Network Dump is to use "tcpdump" and/or "pirni" as already suggested.

In this particular case where we want the Tethered data it needs to be as transparent as possible. Obviously you need your phone to be JailBroken for this to work.

score 2 · Answer 11 · answered May 15 '13 at 19:48

2

Try Debookee on Mac OS X which will intercept transparently the traffic of your iPhone without need of a proxy, thanks to MITM, as stated before. You'll then see in real time the different protocols used by your device.

Disclaimer: I'm part of the development team of Debookee, which is a paid application. The trial version will show you all functionnalities for a limited time.

answered May 15 '13 at 19:48

Tom

613
6
14

Debookee is awesome. It would be nice if there was a simple video tutorial on your site so that people can see how easy it is to use. – Sanjiv Jivan Sep 07 '13 at 00:41
I just discovered that Debookee is unable to display traffic to https URL's and this is mentioned in their FAQ. Unfortunately the Squidman proxy solution mentioned here also doesn't capture the https URL. If anyone has suggestions please let me know. – Sanjiv Jivan Sep 15 '13 at 13:20

score 2 · Answer 12 · answered Oct 18 '13 at 12:22

Com'on, no mention of Fiddler? Where's the love :)

Fiddler is a very popular HTTP debugger aimed at developers and not network admins (i.e. Wireshark).

Setting it up for iOS is fairly simple process. It can decrypt HTTPS traffic too!

Our mobile team is finally reliefed after QA department started using Fiddler to troubleshoot issues. Before fiddler, people fiddled around to know who to blame, mobile team or APIs team, but not anymore.

score 1 · Answer 13 · answered Jan 12 '09 at 21:36

A general solution would be to use a linux box (could be in a virtual machine) configured as a transparent proxy to intercept the traffic, and then analyse it using wireshark or tcpdump or whatever you like. Perhaps MacOS can do this also, I haven't tried.

Or if you can run the app in the simulator, you can probably monitor the traffic on your own machine.

How do you monitor network traffic on the iPhone?

13 Answers13

For Mac OS X

For Windows

General Setup

ARP Spoofing

Linked