[Repost] Capturing packets from an iPhone without jailbreaking

Remote Virtual Interface

Apple added RVI (Remote Virtual Interface) after iOS 5, which allows us to use OS X to capture packets on an iOS device.
The basic method is to connect the device to the Mac via USB and then install an RVI for that device. This virtual network card on the Mac represents the network card used by the iOS device. Then run a packet capture tool on the Mac and point it at the virtual network card to capture packets.

(1) To install the RVI, use the rvictl tool. Run the following steps in the Mac's terminal:

$ # First get the current list of interfaces.
$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0
$ # Then run the tool with the UDID of the device.
$ rvictl -s 74bd53c647548234ddcef0ee3abee616005051ed

Starting device 74bd53c647548234ddcef0ee3abee616005051ed [SUCCEEDED]

$ # Get the list of interfaces again, and you can see the new virtual
$ # network interface, rvi0, added by the previous command.
$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0 rvi0

(2) Once the installation succeeds, an rvi0 network card is visible, so you can capture on it with any packet capture tool, including Wireshark. Here we use tcpdump.
Enter the following command in the terminal:

sudo tcpdump -i rvi0 -n -s 0 -w dump.pcap tcp
The important parameters above mean:

-i rvi0 Select the interface to be captured as rvi0 (remote virtual interface)

-s 0 Capture each packet in full, without truncating it

-w dump.pcap Set the saved file name

tcp Capture only tcp packets

While tcpdump is running, use the app you want to capture on the iOS device; the packets generated during that time are saved to the dump.pcap file. When you want to end the capture, simply terminate tcpdump. Then find the dump.pcap file on the Mac and open it with Wireshark.

(3) To remove the RVI virtual network card, use the following command:

$ rvictl -x 74bd53c647548234ddcef0ee3abee616005051ed

Stopping device 74bd53c647548234ddcef0ee3abee616005051ed [SUCCEEDED]
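
Steps (1) to (3) combined into one script, as an added example that is not part of the original post: it picks the interface that rvictl -s actually created instead of assuming rvi0, and removes the RVI however the capture ends. The names new_ifaces, capture_ios and rvi_capture.sh are hypothetical, and the rviN naming of further interfaces is an assumption.

```shell
#!/bin/sh
# Added example: wraps the rvictl/tcpdump steps so the RVI is always removed.
# Usage (macOS, device attached over USB): sh rvi_capture.sh <UDID> [out.pcap]

# Print interface names present in $2 ("after" list) but not in $1 ("before").
new_ifaces() {
    for ifc in $2; do
        case " $1 " in
            *" $ifc "*) ;;                # existed before rvictl -s
            *) printf '%s\n' "$ifc" ;;    # appeared afterwards
        esac
    done
}

# Start the RVI for a device, capture TCP on it, and tear it down on exit.
capture_ios() {
    udid=$1
    out=${2:-dump.pcap}
    before=$(ifconfig -l)
    rvictl -s "$udid" || return 1
    # Remove the virtual interface however the capture ends (Ctrl-C included).
    trap 'rvictl -x "$udid"' EXIT
    trap 'exit 130' INT TERM
    after=$(ifconfig -l)
    # Assumption: the new interface is named rviN; take the first new match.
    rvi=$(new_ifaces "$before" "$after" | grep '^rvi' | head -n 1)
    if [ -z "$rvi" ]; then
        echo "no new rvi interface found" >&2
        return 1
    fi
    echo "capturing on $rvi, press Ctrl-C to stop" >&2
    sudo tcpdump -i "$rvi" -n -s 0 -w "$out" tcp
}

# Run only when a UDID is given, so the functions can be sourced on their own.
if [ $# -ge 1 ]; then
    capture_ios "$@"
fi
```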
