Capturing packets from a real iPhone connected to a Mac

Source: Internet   Editor: 程序博客网   Time: 2024/06/05 20:22

I previously posted about using the Network Link Conditioner to create realistic and “challenging” network conditions when testing iOS apps. In this post I want to highlight another useful network debugging tool which allows you to capture network traffic from an iOS device.

Remote Virtual Interfaces

As with the Network Link Conditioner you need to use a host Mac computer to perform remote packet capture of an iOS device. The only other requirement is that the device be connected to the host computer via USB. No jailbreaking or hacking of your device is required to get this to work.

The basic technique is to create an OS X remote virtual network interface that represents the remote network stack of the iOS device. Once you have the virtual interface you can use your favourite network debugging tool such as tcpdump or wireshark to view the network traffic.

The steps to get the virtual network interface up and running are as follows:

  • Plug your iOS device into the USB port of your Mac.
  • Use the Xcode organizer to obtain the UDID of the device (the value you want is named Identifier):

  • The remote virtual interface is created using the rvictl command, using the UDID you obtained in the previous step. The following command needs to be entered in the terminal window:

      $ rvictl -s <UDID>

If you want to capture packets from more devices you can repeat this process with the UDID for each device. You can also use the rvictl command to list the active devices:

    $ rvictl -l

The virtual interfaces are named rvi0, rvi1, rvi2, etc. and like all network interfaces are viewable using the ifconfig command:

    $ ifconfig rvi0
    rvi0: flags=3005<UP,DEBUG,LINK0,LINK1> mtu 0

Finally when you are finished you can remove the virtual interface:

    $ rvictl -x <UDID>

Using tcpdump

The easiest way to capture and dump the network traffic is to use the tcpdump command which is included with OS X. The man page for tcpdump has lots of options but if you just want to see the live traffic the following will get you started:

    $ tcpdump -n -i rvi0

To better illustrate the results I will use the Twitter Search app I showed in an earlier post to generate a simple http request and response.

    $ tcpdump -n -t -i rvi0 -q tcp
    tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
    (BIOCPROMISC: Operation not supported on socket)
    tcpdump: WARNING: rvi0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on rvi0, link-type RAW (Raw IP), capture size 65535 bytes
    IP 192.168.1.66.55101 > 192.168.1.64.51712: tcp 117
    IP 192.168.1.64.51712 > 192.168.1.66.55101: tcp 0
    IP 192.168.1.64.51712 > 192.168.1.66.55101: tcp 298
    IP 192.168.1.66.55101 > 192.168.1.64.51712: tcp 0
    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 269
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428

Note the tcpdump options I am using to cut down some of the noise. The -t option gets rid of the timestamp on each line, -q removes some of the packet header information which is not interesting and finally we specify that we are only interested in TCP/IP packets.

My local IP address is 192.168.1.66 and the IP of the remote Twitter server in this case is 199.59.148.201. The http request starts on line 5 where you can see an outgoing connection to port 80:

    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0

The following lines show the search results coming back. Of course, this trace is not very interesting as we cannot see the contents. You can add -x to the tcpdump command to see the actual packet contents but even that is not always that informative as you need to know how to decode and interpret the packet data. A quick and dirty way if you know you are dealing with http traffic is to add the -A option to get tcpdump to print the packet data in ASCII:

    $ tcpdump -n -t -i rvi0 -q -A tcp
    ...
    GET /search.json?rpp=100&q=apple HTTP/1.1
    Host: search.twitter.com
    User-Agent: TwitterSearch/1.0 CFNetwork/548.0.4 Darwin/11.0.0
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Cookie: k=86.168.77.194.5802087337bc706b
    Connection: keep-alive
    ...
    HTTP/1.1 200 OK
    Cache-Control: max-age=15, must-revalidate, max-age=300
    Expires: Tue, 07 Feb 2012 22:18:05 GMT
    Content-Type: application/json;charset=utf-8
    Vary: Accept-Encoding
    Date: Tue, 07 Feb 2012 22:13:06 GMT
    X-Varnish: 682230572
    Age: 0
    Via: 1.1 varnish
    Server: tfe
    Content-Encoding: gzip
    Content-Length: 12715

This is a minor improvement in that we can now see the HTTP GET request with the query we are using and see the HTTP response but we still cannot easily drop down into the JSON in the result to see what Twitter is sending back. For that we need to use a more sophisticated tool than tcpdump.
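Reading a capture line by line, as done above to find the connection to port 80, gets tedious quickly. The following Python script is an example added for this write-up (it is not code from the original post): it parses the `tcpdump -n -t -q tcp` summary lines, groups the packets into connections from the device's point of view, totals the bytes in each direction, and marks connections to well-known cleartext ports such as 80, where everything the app sends is visible on the wire. The sample input is the capture shown above plus one of tcpdump's own warning lines; the `CLEARTEXT_PORTS` table and the function names are my own choices.

```python
import re
from collections import defaultdict

# Summary lines exactly as tcpdump -n -t -q tcp prints them. These are the
# lines from the capture above, reused here as sample input; the WARNING line
# is included to show that non-packet output is skipped.
SAMPLE_LINES = """\
tcpdump: WARNING: rvi0: no IPv4 address assigned
IP 192.168.1.66.55101 > 192.168.1.64.51712: tcp 117
IP 192.168.1.64.51712 > 192.168.1.66.55101: tcp 0
IP 192.168.1.64.51712 > 192.168.1.66.55101: tcp 298
IP 192.168.1.66.55101 > 192.168.1.64.51712: tcp 0
IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 269
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
"""

LINE_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp (?P<length>\d+)$"
)

# Well-known ports carrying cleartext application protocols: anything the app
# sends to these can be read by whoever else sees the traffic.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def parse_line(line):
    """Parse one summary line into a dict; return None for warnings and other noise."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "length"):
        pkt[key] = int(pkt[key])
    return pkt


def summarize_flows(text, local_ip):
    """Group packets into connections as seen from local_ip.

    Key: (local_port, remote_ip, remote_port). Value: bytes out, bytes in,
    packet count, and the cleartext protocol name if the remote port is one.
    """
    flows = defaultdict(lambda: {"out": 0, "in": 0, "packets": 0, "cleartext": None})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] == local_ip:
            key, direction = (pkt["sport"], pkt["dst"], pkt["dport"]), "out"
        elif pkt["dst"] == local_ip:
            key, direction = (pkt["dport"], pkt["src"], pkt["sport"]), "in"
        else:
            continue  # not our device's traffic
        flow = flows[key]
        flow[direction] += pkt["length"]
        flow["packets"] += 1
        flow["cleartext"] = CLEARTEXT_PORTS.get(key[2])
    return dict(flows)


def report(flows):
    """One line per connection, with a marker on the cleartext ones."""
    lines = []
    for (lport, rip, rport), f in sorted(flows.items()):
        tag = "  <-- cleartext %s" % f["cleartext"] if f["cleartext"] else ""
        lines.append("local:%d -> %s:%d  %d pkts  %d B out / %d B in%s"
                     % (lport, rip, rport, f["packets"], f["out"], f["in"], tag))
    return lines


if __name__ == "__main__":
    for line in report(summarize_flows(SAMPLE_LINES, "192.168.1.66")):
        print(line)
```

Piping a live capture into it (`tcpdump -n -t -l -i rvi0 -q tcp | python3 flows.py` with the script reading stdin instead of `SAMPLE_LINES`) gives a running inventory of which hosts the app talks to and how much of that is unencrypted.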

Using Wireshark

Whilst tcpdump is a quick and easy way to see and capture traffic, it is not exactly an easy tool to use when you want to figure out what is going on. Wireshark is a much easier tool if you want to perform deeper packet inspection or if you just prefer your network debugging tools to have a user interface. Luckily Mac OS X ports are readily available; if you are following along, I downloaded and installed version 1.6.5 for OS X 10.6 (Snow Leopard) Intel 64-bit from here.

Once you have Wireshark installed and running you should see a list of available interfaces that it can capture. The one we are interested in is of course our virtual interface rvi0:

Selecting rvi0 switches us to a live capture of the packet data with a lot more information to help us decode and understand what is going on. This can be interesting to watch and see all of the things your iOS device is doing. For the purposes of this example it is useful to apply some filters so we can focus in on the HTTP request traffic. The easiest way to do that is to apply a display filter (Analyze –> Display Filters…). There are a number of pre-defined filter expressions including being able to limit the display to HTTP traffic:

Now if we create our request it is immediately obvious what is going on, as we can clearly see the HTTP GET request and the JSON response:

The central pane of wireshark allows you to drill down into the contents of each packet allowing us to see the JSON details:

The full packet decode is also available in the lower pane if you need to see the whole packet.

Wrapping Up

I should say that this post is not an attempt to explain everything involved in debugging network communications using tcpdump or wireshark. That is a huge topic and requires some knowledge of the underlying protocols. What I did want to make clear is that the tools you need to capture and analyse live traffic off your iOS device are readily available and take just a few minutes to get set up. It is not something you will (hopefully) need to use every day but it is well worth having it in your toolbox for those occasions when you need to debug network communications.

During iOS development you constantly run into all kinds of network access problems, and without a packet capture tool many of them were painful to resolve. That is finally solved: this article presents two ways of capturing network traffic:

2. Network sharing + a visual packet capture tool

  • Basic principle

The principle is simple: the iOS device shares the Mac's wireless network card by way of a proxy, a capture tool records the packets, and they are then analysed (we recommend Wireshark; on Mac OS the Paros tool can also be used).

Taking the Paros tool on Mac OS as the example, the capture process in detail:

  • Steps

1)  First share the Mac's Ethernet connection to AirPort so that the iOS device can connect over Wi-Fi

Open System Preferences, find Sharing and select Internet Sharing; on the right, under "Share your connection from" choose Ethernet, and under "To computers using" choose AirPort.

2)  Open Paros and set up its local proxy (Paros download: http://www.parosproxy.org/)

In Paros, under Tools -> Options, select Local proxy; in the Address field enter the AirPort IP address and use port 8080. Open System Preferences, go to Network and select AirPort on the left; the AirPort address is shown as 169.254.69.225. Enter that address into the Address field mentioned above.

3)  Connect the iOS device to the network shared by the Mac: on the device, go to Settings -> General -> Network -> Wi-Fi, find the shared network and join it. Then, in that network's detail view, under HTTP Proxy choose Manual and enter the proxy IP and port configured in Paros.

4)  Paros can now monitor the iOS device's network traffic: open Safari, and every request shows up in Paros.

3. The tcpdump command + a visual packet capture tool

  • 基本原理

tcpdump is a command-line packet capture tool. It can be pointed at a specific interface and given a specific five-tuple to select which packets on the link to capture. It can print the packets to the terminal or write the captured data to a file; the file format is binary, so the tool I used to open the file was UltraEdit.

Of course, the capture can also be saved in the pcap format that Wireshark understands and then viewed in Wireshark.
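To show what is actually inside that binary file, here is a Python example added for this write-up (it is not code from the original article): it writes and reads the classic pcap file format and decodes the IPv4 and TCP headers of each record into the same one-line summary that `tcpdump -q` prints. It handles both the raw-IP link type that the rvi0 interface reports ("link-type RAW") and ordinary Ethernet frames as captured on the device's own interface, so the same reader works for either capture method on this page. The packets it writes are constructed in the script with the addresses, ports and payload sizes from the capture above; checksums are left at zero since nothing is ever sent on the wire.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1     # record starts with a 14-byte Ethernet header (e.g. en0 on the device)
LINKTYPE_RAW = 101        # record is a bare IP packet ("link-type RAW" on rvi0)


def build_tcp_packet(src, sport, dst, dport, payload):
    """Construct a minimal IPv4/TCP packet for the sample file. Checksums are
    left at zero: the packet only ever lives in a file here, nothing checks them."""
    # seq=1, ack=0, data offset 5 words, flags PSH|ACK, window 65535, checksum 0, urgent 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    # version 4 / IHL 5, TOS 0, total length, id 0, DF flag, TTL 64, protocol 6 (TCP), checksum 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def write_pcap(records, linktype):
    """Serialize (ts_sec, ts_usec, frame) records into a little-endian pcap file image."""
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, network (link type)
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, frame in records:
        # per-record header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(blob):
    """Yield (linktype, ts_sec, ts_usec, frame) per record; accepts either byte order."""
    (magic,) = struct.unpack("<I", blob[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # file written on a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(end + "IHHiIII", blob[:24])[6]
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        yield linktype, ts_sec, ts_usec, blob[off:off + incl_len]
        off += incl_len


def ip_packet(linktype, frame):
    """Strip the link-layer header; return the IPv4 packet, or None if the frame is not IPv4."""
    if linktype == LINKTYPE_RAW:
        return frame if frame and frame[0] >> 4 == 4 else None
    if linktype == LINKTYPE_ETHERNET and len(frame) >= 14 and frame[12:14] == b"\x08\x00":
        return frame[14:]
    return None


def summarize(pkt):
    """Render an IPv4 packet the way tcpdump -q does: 'IP src.sport > dst.dport: tcp N'."""
    ihl = (pkt[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", pkt[2:4])
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if proto != 6:
        return "IP %s > %s: ip-proto-%d" % (src, dst, proto)
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return "IP %s.%d > %s.%d: tcp %d" % (src, sport, dst, dport, len(tcp) - data_off)


def summarize_pcap(blob):
    """One summary line per IPv4 record in a pcap image; other frames are skipped."""
    lines = []
    for linktype, _sec, _usec, frame in read_pcap(blob):
        pkt = ip_packet(linktype, frame)
        if pkt is not None:
            lines.append(summarize(pkt))
    return lines


# Constructed sample: the request and one response segment from the capture
# above, with the same addresses, ports and payload sizes, as a raw-IP pcap.
# The timestamp is likewise constructed.
SAMPLE_PCAP = write_pcap([
    (1328652786, 0, build_tcp_packet("192.168.1.66", 55324, "199.59.148.201", 80, b"G" * 269)),
    (1328652786, 40000, build_tcp_packet("199.59.148.201", 80, "192.168.1.66", 55324, b"R" * 1428)),
], LINKTYPE_RAW)

if __name__ == "__main__":
    for line in summarize_pcap(SAMPLE_PCAP):
        print(line)
```

Writing `SAMPLE_PCAP` to a file and opening it in Wireshark shows the two packets decoded exactly as a capture from the device would be, which is a handy way to confirm what a given link type means before trusting a reader you wrote yourself.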


Prerequisite: the device must be jailbroken and Cydia must be able to open.

Tools needed:
1. openssh
2. tcpdump

How to install the tools:
1. Connect to the network and open Cydia
2. Make sure Cydia is set to developer mode (Manage -> Settings -> Developer), then search for openssh and tcpdump in Cydia and install them

Connection steps:
1. Find a computer on the same Wi-Fi network as the iPhone; the PC must be able to ping the iPhone

   Get the device's IP address (its Wi-Fi address):
2. At the PC command line, enter ssh root@iphoneip

3. When prompted about the SSH connection, type yes
4. Enter the password alpine (the default password of the root user); once logged in, change it with passwd, since with SSH enabled the default is known to anyone who can reach the device
5. On a successful login the command prompt begins with the iPhone's device name
6. Enter tcpdump; normally you will see lots of packet information being displayed

Use the command "tcpdump -X -s0 -w /data.pcap" to save the TCP packets to the root directory of the iOS device.
7. Ctrl+C stops the capture
8. Brief overview of tcpdump arguments
  a. tcpdump -X -s0 -w /tmp.cap  // capture full packets and write them to a file
  b. tcpdump -X -s0 host www.qq.com // full packets for one host
  c. tcpdump -X -s0 port 14000   // full packets for one port
  d. the above arguments can be combined

  e. Summary of tcpdump usage

tcpdump command format and parameter description:

    tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ]
            [ -i interface ] [ -r file ] [ -s snaplen ]
            [ -T type ] [ -w file ] [ expression ]

Option descriptions:

  -a     convert network and broadcast addresses into names;
  -d     print the packet-matching code in a human-readable assembly-like form;
  -dd    print the packet-matching code as a C program fragment;
  -ddd   print the packet-matching code in decimal form;
  -e     display the number of captured packets;
  -f     print foreign Internet addresses numerically;
  -l     make standard output line buffered;
  -n     do not convert network addresses into names;
  -t     do not print a timestamp on each output line;
  -v     slightly more verbose output, e.g. TTL and type-of-service information in IP packets;
  -vv    print detailed packet information;
  -c     stop after the specified number of packets has been received;
  -F     read the filter expression from the specified file and ignore any other expression;
  -i     specify the network interface to listen on;
  -r     read packets from the specified file (usually produced with -w);
  -w     write packets directly to a file without analysing or printing them;
  -T     interpret the captured packets as the specified type of message; common types are rpc (remote procedure call) and snmp (simple network management protocol).

When I use this command, the options I mainly use are: -i [interface]  -w [file]  -v -vv  -c -X -e

For example:

To capture 100 packets from eth0 and write them to the file capture.cap, the command is:

    tcpdump -i eth0 -w capture.cap -v -vv -c 100 -X -e

To capture the packets exchanged between two IP addresses:

    tcpdump -s 0 -w socket host 10.1.3.9 and host 10.1.3.84

To capture from eth0 where the port is 22 and the target IP is 192.168.1.100:

    tcpdump -i eth0 port 22 and src host 192.168.1.100

Other keywords are also available: host, net (gateway), port, src (source IP), dst (destination IP), and the expression operators and, or.


 9. Analyse the capture file on the PC with Ethereal, or extract the pcap file with a tool such as 91 Assistant and open it on Windows by double-clicking it so that Wireshark displays it


4. Packet capture on a Mac via Internet Sharing

The use case in this article: capture the HTML packets of the iOS browser.

At hand: an iMac connected by Ethernet cable (Mac OS X 10.7.2) and one iOS device.

  1. First, turn off Wi-Fi, as in Figure 1:

Figure 1  ↑

The next step is not strictly necessary, but to improve the chance of success on the first try, please do it anyway:

  • Delete all saved Wi-Fi networks

Click the Advanced button at the bottom right of Figure 1, go to the Wi-Fi tab and remove every entry with the – (minus) button, as in Figure 2,

Figure 2  ↑

2. Set up Sharing, as in Figure 3; first find Sharing

Figure 3  ↑

Once in the Sharing pane, click the red circles 1, 2, 3 and 4 in Figure 4 in turn:

Figure 4  ↑

Then set the Wi-Fi network name and password as in Figure 5; a 5-letter password is enough here:

Figure 5  ↑

After clicking OK and returning to the Sharing pane, follow Figures 6, 7 and 8:

Figure 6  ↑

Figure 7  ↑

Note that the Wi-Fi icon at the top right of the screen turns into an upward arrow; that is the sign of success!

Figure 8  ↑

3. Test the connection: on the iPhone search for this AP, enter the password, and it connects. Success! Figures 9 and 10:

Figure 9   ↑                                            Figure 10  ↑

4. Install the capture tool, Wireshark, and get ready to capture!

Download:

http://www.wireshark.org/download.html

The version I downloaded is:

OS X 10.6 (Snow Leopard) Intel 64-bit .dmg

Incidentally, Wireshark is open source and X11-based, which is rare and much appreciated.

After opening Wireshark, click en1 as shown and the capture starts, Figure 11:

Figure 11  ↑

Next I visit http://www.cocoachina.com/bbs from the iPhone to try it out, Figure 12:

Figure 12  ↑

Works nicely :)

