iPhone, meet Wireshark – Capturing Traffic from Mobile Devices

I wanted to see what the apps on my iPhone do, and as I searched around, most of the current methods seem to involve jailbreaking, setting up hubs and access points and other such cumbersome nastiness. It's gotta be simpler than that. So we are releasing a simple libpcap tool that you can run on your Mac to capture packets from any app on any mobile device that can join a Wi-Fi network: iPad, iPhone and Android are all fair game. Once you can capture, you can very easily fuzz and scale test with Mu Studio. More on that in a different blog post.

The instructions below were done on my MacBook, so YMMV.

Create an ad hoc wireless network

Use the Wireless icon in the menu bar and create a computer-to-computer wireless network. This effectively makes your MacBook an access point (kinda: it is an ad hoc network rather than a real infrastructure AP, but the phone doesn't care).

wireless-menu.png

You'll get the following dialog. Click OK. badboy is my machine name. Don't ask why.

create-network.png

Start Wireshark on en1 (the wireless interface)

Since we are interested in the application traffic, we use the capture filter to prune out IGMP, mDNS and other such networky (scientific term) packets; something like "not igmp and not port 5353" does the job, since mDNS lives on UDP port 5353. The capture filter only affects what Wireshark records, not what actually goes over the wire. If you are a packet geek, then leave the capture filter empty.

start-wireshark.png

Start the layer-2 bridge

Before you go "huh, say what?", l2bridge is the tool that we are releasing to the community. It expects en0 (the wired interface) to be hooked up to your LAN (home or office) with DHCP enabled.

$ git clone git@github.com:pcapr/l2bridge.git
$ cd ./l2bridge
$ make
$ sudo ./l2bridge en1 en0

l2bridge is a really simple user-mode layer-2 forwarder. It uses libpcap to read and write packets on the named interfaces, which means both interfaces run in promiscuous mode so that en0 also accepts frames addressed to the phone's MAC rather than the Mac's own. A packet comes in on en0, it goes out on en1, and vice versa. It kinda makes a virtual wire out of two physical interfaces. Every frame makes a round trip through user space, so don't expect wire speed, but for watching what an app does it is plenty.

WARNING: If en1 is joined to a Wi-Fi network that sits on the same LAN as en0 (that is, you bridge the two without the ad hoc network in between), you have just built a layer-2 loop: every broadcast gets forwarded round and round, and you are going to cause serious broadcast storms on the network, ARP floods and all sorts of other nastiness!

Okay, so we have everything ready except the iPhone.

Point the iPhone at our badboy network

Go to Settings/General/WiFi and turn it on. You should see the ad hoc network you created in step 1. Go ahead and join the network.

pick-badboy.jpg

Okay, I just used Photo Booth to take the picture 'cos I was too lazy. Anyway, we are done!

Topology

So here’s how the whole thing looks:

topology.png

If your LAN has DHCP (recommended), your mobile device should get a lease from your LAN's DHCP server, right through the bridge, and come up like any other host on the network. You can watch that exchange in the Wireshark capture on en1: if you see DHCP Discovers going out but no Offer coming back, the bridge isn't forwarding, so check the interface names you gave l2bridge. Once the phone has an address, all its packets belong to you!

What to do with these packets?

Well, a number of things:

  • Index 30 minutes' worth of your iPhone traffic with xtractr and geek out with charting, reporting and analyzing everything your phone is doing
  • Be nice and pull out application traffic to contribute to the pcapr community
  • If you are a Mu customer, turn these packets into Studio scenarios so you can fuzz and scale test these apps

May the packets be with you (well, share some of them back to the community, will ya?).
