Original: http://useyourloaf.com/blog/2012/02/07/remote-packet-capture-for-ios-devices.html

Remote Packet Capture for iOS Devices

FEB 7TH, 2012 11:33 PM

I previously posted about using the Network Link Conditioner to create realistic and “challenging” network conditions when testing iOS apps. In this post I want to highlight another useful network debugging tool which allows you to capture network traffic from an iOS device.

Remote Virtual Interfaces

As with the Network Link Conditioner you need to use a host Mac computer to perform remote packet capture of an iOS device. The only other requirement is that the device be connected to the host computer via USB. No jailbreaking or hacking of your device is required to get this to work.

The basic technique is to create an OS X remote virtual network interface that represents the remote network stack of the iOS device. Once you have the virtual interface you can use your favourite network debugging tool such as tcpdump or wireshark to view the network traffic.

The steps to get the virtual network interface up and running are as follows:

  • Plug your iOS device into the USB port of your Mac.
  • Use the Xcode organizer to obtain the UDID of the device (the value you want is named Identifier):

  • The remote virtual interface is created using the rvictl command, using the UDID you obtained in the previous step. The following command needs to be entered in the terminal window:

      $ rvictl -s <UDID>

If you want to capture packets from more devices you can repeat this process with the UDID for each device. You can also use the rvictl command to list the active devices:

    $ rvictl -l

The virtual interfaces are named rvi0, rvi1, rvi2, etc. and like all network interfaces are viewable using the ifconfig command:

    $ ifconfig rvi0
    rvi0: flags=3005<UP,DEBUG,LINK0,LINK1> mtu 0

Finally when you are finished you can remove the virtual interface:

    $ rvictl -x <UDID>

Using tcpdump

The easiest way to capture and dump the network traffic is to use the tcpdump command which is included with OS X. The man page for tcpdump has lots of options but if you just want to see the live traffic the following will get you started:

    $ tcpdump -n -i rvi0

To better illustrate the results I will use the Twitter Search app I showed in an earlier post to generate a simple http request and response.

    $ tcpdump -n -t -i rvi0 -q tcp
    tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
    (BIOCPROMISC: Operation not supported on socket)
    tcpdump: WARNING: rvi0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on rvi0, link-type RAW (Raw IP), capture size 65535 bytes
    IP 192.168.1.66.55101 > 192.168.1.64.51712: tcp 117
    IP 192.168.1.64.51712 > 192.168.1.66.55101: tcp 0
    IP 192.168.1.64.51712 > 192.168.1.66.55101: tcp 298
    IP 192.168.1.66.55101 > 192.168.1.64.51712: tcp 0
    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 269
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428

Note the tcpdump options I am using to cut down some of the noise. The -t option gets rid of the timestamp on each line, -q removes some of the packet header information which is not interesting and finally we specify that we are only interested in TCP/IP packets.

My local IP address is 192.168.1.66 and the IP of the remote Twitter server in this case is 199.59.148.201. The http request starts on line 5 where you can see an outgoing connection to port 80:

    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0

The following lines show the search results coming back. Of course, this trace is not very interesting as we cannot see the contents. You can add -x to the tcpdump command to see the actual packet contents but even that is not always that informative as you need to know how to decode and interpret the packet data. A quick and dirty way if you know you are dealing with http traffic is to add the -A option to get tcpdump to print the packet data in ASCII:

    $ tcpdump -n -t -i rvi0 -q -A tcp
    ...
    GET /search.json?rpp=100&q=apple HTTP/1.1
    Host: search.twitter.com
    User-Agent: TwitterSearch/1.0 CFNetwork/548.0.4 Darwin/11.0.0
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Cookie: k=86.168.77.194.5802087337bc706b
    Connection: keep-alive
    ...
    HTTP/1.1 200 OK
    Cache-Control: max-age=15, must-revalidate, max-age=300
    Expires: Tue, 07 Feb 2012 22:18:05 GMT
    Content-Type: application/json;charset=utf-8
    Vary: Accept-Encoding
    Date: Tue, 07 Feb 2012 22:13:06 GMT
    X-Varnish: 682230572
    Age: 0
    Via: 1.1 varnish
    Server: tfe
    Content-Encoding: gzip
    Content-Length: 12715

This is a minor improvement in that we can now see the HTTP GET request with the query we are using and see the HTTP response but we still cannot easily drop down into the JSON in the result to see what Twitter is sending back. For that we need to use a more sophisticated tool than tcpdump.
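As an added example that is not part of the original post, the following script wraps the rvictl and tcpdump steps above and summarises the `-q tcp` text output so that connections the device makes to port 80 (cleartext HTTP, which is exactly what lets `tcpdump -A` show the request) stand out at a glance. It assumes rvictl and tcpdump as shipped with Xcode/OS X, takes the UDID and the rvi interface name as arguments, and the sample capture lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post). Wraps the rvictl/tcpdump
# steps from this post and summarises a "-q tcp" capture so that cleartext
# (port 80) flows from the device stand out. Assumes rvictl and tcpdump as
# shipped with Xcode/OS X; the interface name (rvi0, rvi1, ...) is passed in
# because rvictl assigns it.

# Capture a bounded number of TCP packets from one device into a pcap file
# that Wireshark can open later, then tear the virtual interface down.
# Usage: capture_device <UDID> <rviN> <out.pcap> [packet count]
capture_device() {
    udid="$1"; iface="$2"; out="$3"; count="${4:-500}"
    rvictl -s "$udid" || return 1           # create the virtual interface
    tcpdump -n -i "$iface" -c "$count" -w "$out" tcp
    status=$?
    rvictl -x "$udid"                       # always remove the interface
    return "$status"
}

# Summarise the text output of "tcpdump -n -t -q tcp" (the format shown above):
#   IP <src ip>.<sport> > <dst ip>.<dport>: tcp <payload bytes>
# Reads stdin; prints one line per (src ip, dst ip, dst port) with the total
# payload bytes, tagging destination port 80 as cleartext HTTP.
summarise_flows() {
    awk '
    $1 == "IP" && $5 == "tcp" {
        src = $2; dst = $4; sub(/:$/, "", dst)
        split(src, s, "."); sip = s[1] "." s[2] "." s[3] "." s[4]
        split(dst, d, "."); dip = d[1] "." d[2] "." d[3] "." d[4]
        key = sip " -> " dip ":" d[5]
        bytes[key] += $6
        if (d[5] + 0 == 80) flag[key] = " CLEARTEXT-HTTP"
    }
    END { for (k in bytes) print k, "bytes=" bytes[k] flag[k] }' | LC_ALL=C sort
}

# Constructed sample in the same format as the capture shown in the post.
SAMPLE_CAPTURE='tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 269
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
IP 192.168.1.66.55330 > 192.168.1.64.443: tcp 517'

printf '%s\n' "$SAMPLE_CAPTURE" | summarise_flows
```

A live run is `tcpdump -n -t -i rvi0 -q tcp | summarise_flows` once the interface exists; the pcap written by capture_device is what you would open in Wireshark for the deeper inspection described in the next section.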

Using Wireshark

Whilst tcpdump is a quick and easy way to see and capture traffic it is not exactly an easy tool to use when you want to figure out what is going on. Wireshark is a much easier tool if you want to perform deeper packet inspection or if you just prefer your network debugging tools to have a user interface. Luckily Mac OS X ports are readily available; if you are following along, I downloaded and installed version 1.6.5 for OS X 10.6 (Snow Leopard) Intel 64-bit from here.

Once you have Wireshark installed and running you should see a list of available interfaces that it can capture. The one we are interested in is of course our virtual interface rvi0:

Selecting rvi0 switches us to a live capture of the packet data with a lot more information to help us decode and understand what is going on. This can be interesting to watch and see all of the things your iOS device is doing. For the purposes of this example it is useful to apply some filters so we can focus in on the HTTP request traffic. The easiest way to do that is to apply a display filter (Analyze -> Display Filters…). There are a number of pre-defined filter expressions including being able to limit the display to HTTP traffic:

Now if we create our request it is immediately obvious what is going on as we can clearly see the HTTP GET request and the JSON response:

The central pane of Wireshark allows you to drill down into the contents of each packet, allowing us to see the JSON details:

The full packet decode is also available in the lower pane if you need to see the whole packet.

Wrapping Up

I should say that this post is not an attempt to explain everything involved in debugging network communications using tcpdump or Wireshark. That is a huge topic and requires some knowledge of the underlying protocols. What I did want to make clear is that the tools you need to capture and analyse live traffic off your iOS device are readily available and take just a few minutes to get set up. It is not something you will (hopefully) need to use every day but it is well worth having it in your toolbox for those occasions when you need to debug network communications.
