
Thread: iPhone, meet Wireshark - Capturing Traffic from Mobile Devices

  1. #1

    iPhone, meet Wireshark - Capturing Traffic from Mobile Devices

    I wanted to see what the apps on my iPhone do and as I searched around, most of the current methods seem to involve jail-breaking, setting up hubs and access points and other such cumbersome nastiness. Gotta be simpler than that. So we are releasing a simple libpcap tool that you can run on your Mac to intercept packets from any app on any mobile device. iPad, iPhone, Android are all fair game. Once you can capture, you can very easily fuzz and scale test with Mu Studio. More on that in a different blog.
    The instructions below were on my MacBook. So YMMV.

    Create an adhoc wireless network


    Use the Wireless icon on the top status bar and create a computer-to-computer Wireless network. This effectively makes your MacBook an access point (kinda).
    You’ll get the following dialog. Click okay. badboy is my machine name. Don’t ask why.
    Start Wireshark on en1


    Since we are interested in the application traffic, we use the capture filter to prune out IGMP, MDNS and other such networky (scientific term) packets. If you are a packet geek, then leave the capture filter empty.
    Start the layer2 bridge


    Before you go huh, say what, l2bridge is the tool that we are releasing to the community. We expect that you have en0 (the wired network) hooked up to your LAN (home or office) with DHCP enabled.


    $ git clone git@github.com:capr/l2bridge.git
    $ cd ./l2bridge
    $ make
    $ sudo ./l2bridge en1 en0

    l2bridge is a really simple user-mode layer2 forwarder. It uses libpcap to read and write packets from the named interfaces. Packet comes in on en0, it goes out on en1 and vice versa. It kinda makes a virtual wire out of two physical interfaces.

    WARNING: If you bridge en1 and en0 without the adhoc network, you are going to cause serious broadcast storms on the network with ARP floods and all sorts of other nastiness!

    Okay, so we have everything ready except the iPhone.

    Point iPhone to our badboy network


    Go to Settings/General/WiFi and turn it on. You should see the adhoc network you created in step 1. Go ahead and join the network.
    Okay, I just used the Photo Booth to take the picture ‘cos I was too lazy. Anyways we are done!

    Topology


    So here’s how the whole thing looks:
    If your LAN has DHCP (recommended), your mobile device should get a lease and come up as any other host on the network. Once that happens, all its packets belong to you!

    What to do with these packets?


    Well, a number of things:

    • Index 30 minutes worth of your iPhone traffic with xtractr and geek out with charting, reporting and analyzing everything your phone is doing
    • Be nice and pull out application traffic to contribute to the pcapr community
    • If you are a Mu customer, turn these packets into Studio scenarios so you can Fuzz and Scale test these apps
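    As an added example (this is not the l2bridge source, which is C on top of libpcap): the forwarding decisions a two-port user-mode layer-2 bridge like the one described above has to make, written in Python and driven with constructed Ethernet frames so it runs offline. Ports 'a' and 'b' stand in for en0 and en1; the echo guard and the broadcast-rate cap are assumptions of this example, added because a libpcap forwarder that re-forwards frames it just injected, or that bridges two real LAN segments, produces exactly the loops and broadcast storms the WARNING above describes.

```python
import time
from collections import deque

BROADCAST = b"\xff" * 6

def parse_eth(frame):
    """Return (dst, src, ethertype), or None if the frame is too short."""
    if len(frame) < 14:
        return None
    return frame[0:6], frame[6:12], int.from_bytes(frame[12:14], "big")

class L2Bridge:
    """Two-port bridge core: ports 'a' and 'b' stand in for en0 and en1."""

    def __init__(self, storm_limit=100, window=1.0, clock=time.monotonic):
        self.table = {}        # source MAC -> port it was last seen on
        self.bcast = deque()   # timestamps of recently forwarded broadcasts
        self.storm_limit, self.window, self.clock = storm_limit, window, clock
        self.dropped = 0

    def forward(self, ingress, frame):
        """Return the egress port for frame, or None if it must be dropped."""
        hdr = parse_eth(frame)
        if hdr is None:
            return None
        dst, src, _ = hdr
        egress = "b" if ingress == "a" else "a"
        # A capture handle may also see frames we injected on that port. A
        # frame whose source MAC was learned on the other port is such an
        # echo; forwarding it again would loop, so drop it without learning.
        if self.table.get(src, ingress) != ingress:
            self.dropped += 1
            return None
        self.table[src] = ingress
        # Unicast to a host already known on the ingress side stays local.
        if not dst[0] & 1 and self.table.get(dst) == ingress:
            return None
        # Broadcast storm guard: cap forwarded broadcasts per time window
        # (threshold is a constructed value, not anything l2bridge does).
        if dst == BROADCAST:
            now = self.clock()
            self.bcast.append(now)
            while now - self.bcast[0] > self.window:
                self.bcast.popleft()
            if len(self.bcast) > self.storm_limit:
                self.dropped += 1
                return None
        return egress
```

    In the real tool the frames would come from pcap_next_ex() on one handle and go out through pcap_inject() on the other; here the caller supplies them directly.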

  2. #2
    Nice approach. Since you can make your mac an AP, makes it possible to capture packets on that AP. Gotta give it a try.
