Packet tracing with iPhone

In order to troubleshoot ‘eduroam’ connectivity, I needed to capture traffic off an iPhone to see what was actually going on.

This is what I had to do to make this possible:

  • Jailbreak an iPhone (yes, it needs to be jailbroken and have access to the Cydia application store)
  • Install ‘tcpdump’ and ‘MobileTerminal’ from Cydia
  • If you also want to transfer the .pcap files from the iPhone to a (Windows) PC over a USB cable, you additionally need to install ‘Apple File Conduit “2”’ on the iPhone.
    On the PC you will need iTunes and iExplorer (https://www.macroplant.com/iexplorer/)
  • open ‘MobileTerminal’ on the iPhone and switch to the root user:
    type in ‘su’ and use the default password of ‘alpine’
  • (then type in ‘passwd root’ and change the password to something else)
  • next start up tcpdump and begin capturing traffic:
    ‘tcpdump -i en0 -w capturefile.pcap -s 0’
    -i en0 selects the WLAN interface to capture on
    (use -D to list the available interfaces)
    -w specifies the file to write the capture to
    -s 0 makes sure packets are saved in their entire length rather than truncated to the default snapshot length
  • to re-run the last command type ‘!-1’ – that will save you some work typing long commands over and over again.
  • to copy/move the resulting .pcap file to a PC, connect the iPhone to the PC via a USB cable and use iExplorer to browse to ‘root/var/mobile’, where the file will reside by default.
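Once the .pcap file is on the PC, it is worth checking that the capture really was taken with a full-length snapshot, because a truncated capture looks fine in a packet list but loses the payload bytes you needed for troubleshooting. The following added example (not part of the original post) parses the classic libpcap global header to read back the snaplen and counts records whose stored length is shorter than the original packet; the sample captures it checks are constructed in memory with a small writer so it runs offline.

```python
import struct
from typing import NamedTuple, Sequence


class CaptureSummary(NamedTuple):
    snaplen: int     # snapshot length recorded in the global header
    linktype: int    # link-layer type, e.g. 1 = Ethernet
    packets: int     # number of packet records found
    truncated: int   # records where fewer bytes were stored than were on the wire


def summarize_pcap(data: bytes) -> CaptureSummary:
    """Parse a classic libpcap (.pcap, not pcapng) byte string."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host (e.g. an ARM iPhone)
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic libpcap file (pcapng or corrupt?)")
    # version major/minor, tz offset, sigfigs, snaplen, linktype
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    offset, packets, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError(f"record {packets + 1} runs past end of file (capture cut short?)")
        offset += incl_len
        packets += 1
        if incl_len < orig_len:
            truncated += 1
    return CaptureSummary(snaplen, linktype, packets, truncated)


def build_pcap(snaplen: int, frames: Sequence[bytes], linktype: int = 1) -> bytes:
    """Constructed sample writer: emulates what tcpdump -w produces with -s <snaplen>."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        incl = min(len(frame), snaplen)
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, incl, len(frame)) + frame[:incl]
    return out


if __name__ == "__main__":
    sample = [bytes(64), bytes(1500)]   # constructed: a short frame and a full-size one
    for snap in (96, 262144):           # a small snaplen versus a full-length one
        print(snap, summarize_pcap(build_pcap(snap, sample)))
```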

My interfaces were as follows:
1: pdp_ip0  (GSM network)
2: en0      (WLAN)
3: lo0      (local loopback)

More information on available options for ‘tcpdump’ can be found here: www.tcpdump.org