Capture packets from your iPhone or iPad via Remote Virtual Interface in Wireshark

Every now and then you need to find out what a client is trying to do. Sure, you could put your favourite packet capture device right next to the device and filter stuff out, but sometimes you want to know exactly what the device is trying to reach or do. This approach also gives you the traffic that goes over cellular (handy for troubleshooting cellular handoff), which an over-the-air Wi-Fi capture never sees.

I mainly work with Apple and iOS devices, so for me this can be a nightmare! Macs are great thanks to the built-in capabilities of the OS. I was frustrated that iOS couldn't do the same, so I started digging in the Developer Docs for an answer. Answer found! You can expose the iOS device's networking stack to your Mac as a Remote Virtual Interface (RVI), which lets you capture every IP packet the device sends or receives, not just TCP, across all of its interfaces (Wi-Fi, cellular and so on). All you need is Xcode (which provides the rvictl tool), Wireshark, a Mac and a Lightning cable.

Here’s how:

Download and install Xcode

Plug your iOS device into your Mac and run the following in Terminal:

ifconfig -l 

This lists your current network interfaces. Take note of it now, because the RVI will show up as a new interface (rvi0 for the first device) once you enable it, and comparing the two lists is the easiest way to spot it.

Next, open up the Music.app on Catalina and navigate to your device.

Click on the text below your iPhone's name and it will cycle through extra details (serial number, phone number and so on). Copy the line that shows the UDID, the device's unique identifier, which is what rvictl needs.

Paste this into a text editor and remove everything other than the UDID itself.

Then open up Terminal and run the following, substituting your UDID for the placeholder (without the brackets):

rvictl -s [DEVICE UDID]

Mine looks like this:

Now we should be able to capture with tcpdump on the new rvi0 interface (or just pick rvi0 in Wireshark). When you're finished, tear the interface down again with rvictl's -x option and the same UDID.

Whilst these aren't 802.11 frames we're capturing (the RVI sits above the link layer, so you see the device's IP traffic rather than wireless frames), it can be very useful to know exactly what an app or device is trying to do.

I lay it at the feet of the community as my humble offering and continued mission to make all iOS devices slightly more useful in our line of work.

Last thoughts:

An RVI represents the entire networking stack of the iOS device; you cannot target a specific interface on the device as you would on the Mac. However, information about the interface is recorded in the packet metadata. You can use your packet trace tool to display the interface for each packet and filter the trace based on that interface. For the tcpdump tool, use the -k option to display packet metadata and tcpdump -Q to filter on it.
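Putting the steps above together, here is a small wrapper script. It is an example added to this page, not code from the original post or from Apple: it checks the UDID, brings up the RVI with rvictl, finds the new rviN interface by comparing ifconfig -l before and after, captures with tcpdump -k so the per-interface metadata is kept in the pcapng, and removes the RVI again on exit (including Ctrl-C). The function names validate_udid, new_rvi and rvi_capture are the example's own. It assumes a Mac with Xcode installed (so rvictl is on the PATH), a plugged-in and trusted device, sudo for tcpdump, and that a UDID has one of the two shapes Apple has used (40 hex digits, or 8 hex digits, a dash, then 16 hex digits). The optional third argument is passed straight to tcpdump -Q; check the metadata expression syntax in the macOS tcpdump man page before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper around rvictl + tcpdump.
# Assumptions: macOS with Xcode (rvictl on PATH), device plugged in and trusted,
# sudo available for tcpdump. UDID shapes below are an assumption based on the
# two forms Apple has used: 40 hex digits, or 8 hex, '-', 16 hex.

# validate_udid UDID -> 0 if UDID has one of the two known shapes, 1 otherwise
validate_udid() {
    udid=$1
    case "$udid" in
        '' | *[!0-9A-Fa-f-]*) return 1 ;;   # only hex digits and '-' allowed
    esac
    if [ "${#udid}" -eq 40 ]; then           # legacy form: 40 hex digits, no dash
        case "$udid" in *-*) return 1 ;; esac
        return 0
    fi
    if [ "${#udid}" -eq 25 ]; then           # newer form, e.g. 00008020-000A11A23E80002E
        prefix=${udid%%-*}
        suffix=${udid#*-}
        [ "${#prefix}" -eq 8 ] || return 1
        [ "${#suffix}" -eq 16 ] || return 1
        case "$suffix" in *-*) return 1 ;; esac
        return 0
    fi
    return 1
}

# new_rvi "BEFORE" "AFTER" -> prints the rviN name present in AFTER but not in
# BEFORE (both are `ifconfig -l` style space-separated lists). Prints nothing
# and returns 1 if no new rvi interface appeared.
new_rvi() {
    known=" $1 "
    for name in $2; do
        case "$name" in
            rvi[0-9]*)
                case "$known" in
                    *" $name "*) ;;          # existed before rvictl -s, skip it
                    *) printf '%s\n' "$name"; return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# rvi_capture UDID [OUTFILE] [METADATA-FILTER]
# Enables the RVI, captures until tcpdump exits (Ctrl-C), then disables it.
rvi_capture() {
    udid=$1
    outfile=${2:-ios-trace.pcapng}
    mfilter=${3:-}
    validate_udid "$udid" || { echo "rvi_capture: '$udid' is not a UDID" >&2; return 2; }
    command -v rvictl >/dev/null 2>&1 || { echo "rvi_capture: rvictl not found (install Xcode)" >&2; return 3; }

    before=$(ifconfig -l)
    rvictl -s "$udid" || return 4
    # Always remove the RVI again, including on Ctrl-C while tcpdump is running.
    trap 'rvictl -x "$udid"' EXIT INT TERM

    iface=$(new_rvi "$before" "$(ifconfig -l)") || {
        echo "rvi_capture: no rvi interface appeared; is the device trusted?" >&2
        return 5
    }
    echo "capturing $iface (device $udid) to $outfile; Ctrl-C to stop" >&2
    # -k writes packet metadata (interface, direction, process) into the pcapng;
    # -Q filters on that metadata, so the expression is passed through as given.
    if [ -n "$mfilter" ]; then
        sudo tcpdump -i "$iface" -k -Q "$mfilter" -w "$outfile"
    else
        sudo tcpdump -i "$iface" -k -w "$outfile"
    fi
}

# Usage: sh rvi-capture.sh <UDID> [outfile.pcapng] [metadata filter]
if [ "$#" -gt 0 ]; then
    rvi_capture "$@"
fi
```

Open the resulting .pcapng in Wireshark afterwards; because the capture was taken with -k, each packet still carries the interface it was seen on, so you can separate Wi-Fi from cellular traffic there even though the RVI itself cannot be narrowed to one interface.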
