[Repost] Capturing TCP/UDP packets on iOS

Original: http://useyourloaf.com/blog/2012/02/07/remote-packet-capture-for-ios-devices.html

Remote Packet Capture for iOS Devices

FEB 7TH, 2012 11:33 PM

I previously posted about using the Network Link Conditioner to create realistic and “challenging” network conditions when testing iOS apps. In this post I want to highlight another useful network debugging tool which allows you to capture network traffic from an iOS device.

Remote Virtual Interfaces

As with the Network Link Conditioner you need to use a host Mac computer to perform remote packet capture of an iOS device. The only other requirement is that the device be connected to the host computer via USB. No jailbreaking or hacking of your device is required to get this to work.

The basic technique is to create an OS X remote virtual network interface that represents the remote network stack of the iOS device. Once you have the virtual interface you can use your favourite network debugging tool such as tcpdump or wireshark to view the network traffic.

The steps to get the virtual network interface up and running are as follows:

  • Plug your iOS device into the USB port of your Mac.
  • Use the Xcode organizer to obtain the UDID of the device (the value you want is named Identifier):

  • The remote virtual interface is created using the rvictl command, using the UDID you obtained in the previous step. The following command needs to be entered in the terminal window:

      $ rvictl -s <UDID>
    

If you want to capture packets from more devices you can repeat this process with the UDID for each device. You can also use the rvictl command to list the active devices:

    $ rvictl -l

The virtual interfaces are named rvi0, rvi1, rvi2, etc. and like all network interfaces are viewable using the ifconfig command:

    $ ifconfig rvi0
    rvi0: flags=3005<UP,DEBUG,LINK0,LINK1> mtu 0

Finally when you are finished you can remove the virtual interface:

    $ rvictl -x <UDID>
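The steps above as a single script, added here as an example (it is not from the original post): it creates the interface, saves the traffic to a file with tcpdump's -w option, and removes the interface when the capture stops. The function names, the default output file name, and the assumption that each `rvictl -l` line shows a device's UDID together with its rviN name are mine.

```shell
#!/bin/bash
# Added example, not from the original post. Helper names are hypothetical.
# Usage: ./rvi-capture.sh <UDID> [output.pcap]   (tcpdump usually needs root)

# Accept only hex digits and hyphens so a malformed UDID never reaches rvictl.
valid_udid() {
  case "$1" in
    "" | *[!0-9A-Fa-f-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read `rvictl -l` output on stdin and print the rviN name listed for UDID $1.
# Assumption: each listing line carries the UDID and its interface name.
rvi_for_udid() {
  grep -F -- "$1" | grep -o 'rvi[0-9][0-9]*' | head -n 1
}

capture_device() {
  udid=$1
  out=${2:-ios-capture.pcap}
  valid_udid "$udid" || { echo "invalid UDID: $udid" >&2; return 2; }

  rvictl -s "$udid" >/dev/null || { echo "rvictl -s failed" >&2; return 1; }
  # Remove the virtual interface however the script ends.
  trap 'rvictl -x "$udid" >/dev/null' EXIT

  ifc=$(rvictl -l | rvi_for_udid "$udid")
  [ -n "$ifc" ] || { echo "no rvi interface for $udid" >&2; return 1; }

  # The capture holds cookies and request data: keep the file owner-only.
  umask 077
  echo "capturing on $ifc to $out (Ctrl-C to stop)" >&2
  tcpdump -n -i "$ifc" -w "$out"
}

# Run only when a UDID is given, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
  capture_device "$@"
fi
```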

Using tcpdump

The easiest way to capture and dump the network traffic is to use the tcpdump command which is included with OS X. The man page for tcpdump has lots of options but if you just want to see the live traffic the following will get you started:

    $ tcpdump -n -i rvi0

To better illustrate the results I will use the Twitter Search app I showed in an earlier post to generate a simple http request and response.

    $ tcpdump -n -t -i rvi0 -q tcp
    tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
    (BIOCPROMISC: Operation not supported on socket)
    tcpdump: WARNING: rvi0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on rvi0, link-type RAW (Raw IP), capture size 65535 bytes
    IP 192.168.1.66.55101 > 192.168.1.64.51712: tcp 117
    IP 192.168.1.64.51712 > 192.168.1.66.55101: tcp 0
    IP 192.168.1.64.51712 > 192.168.1.66.55101: tcp 298
    IP 192.168.1.66.55101 > 192.168.1.64.51712: tcp 0
    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 269
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
    IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428

Note the tcpdump options I am using to cut down some of the noise. The -t option gets rid of the timestamp on each line, -q removes some of the packet header information which is not interesting and finally we specify that we are only interested in TCP/IP packets.

My local IP address is 192.168.1.66 and the IP of the remote Twitter server in this case is 199.59.148.201. The HTTP request starts on line 5 of the packet lines, where you can see an outgoing connection to port 80:

    IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0

The following lines show the search results coming back. Of course, this trace is not very interesting as we cannot see the contents. You can add -x to the tcpdump command to see the actual packet contents, but even that is not always informative as you need to know how to decode and interpret the packet data. A quick and dirty way, if you know you are dealing with HTTP traffic, is to add the -A option to get tcpdump to print the packet data in ASCII:

    $ tcpdump -n -t -i rvi0 -q -A tcp
    ...
    GET /search.json?rpp=100&q=apple HTTP/1.1
    Host: search.twitter.com
    User-Agent: TwitterSearch/1.0 CFNetwork/548.0.4 Darwin/11.0.0
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Cookie: k=86.168.77.194.5802087337bc706b
    Connection: keep-alive
    ...
    HTTP/1.1 200 OK
    Cache-Control: max-age=15, must-revalidate, max-age=300
    Expires: Tue, 07 Feb 2012 22:18:05 GMT
    Content-Type: application/json;charset=utf-8
    Vary: Accept-Encoding
    Date: Tue, 07 Feb 2012 22:13:06 GMT
    X-Varnish: 682230572
    Age: 0
    Via: 1.1 varnish
    Server: tfe
    Content-Encoding: gzip
    Content-Length: 12715

This is a minor improvement in that we can now see the HTTP GET request with the query we are using and see the HTTP response but we still cannot easily drop down into the JSON in the result to see what Twitter is sending back. For that we need to use a more sophisticated tool than tcpdump.
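For a longer capture, the per-packet lines of the -q trace earlier in this section can be totalled per direction. The script below is an added example, not part of the original post: it reads `tcpdump -n -t -q` output and prints packet and payload-byte counts for each flow direction, marking flows that touch port 80, where requests like the search above travel unencrypted. The name summarize_flows and the cleartext-http tag are my own, and the tag is a port-based guess only.

```shell
#!/bin/bash
# Added example, not from the original post. summarize_flows is a hypothetical name.
# Input: `tcpdump -n -t -q` lines. Output, one line per flow direction:
#   <src> > <dst> <packets> <payload-bytes> <cleartext-http|->

summarize_flows() {
  awk '
    # Port is the last dot-separated component of a tcpdump endpoint.
    function port(ep,    n, parts) { n = split(ep, parts, "."); return parts[n] }
    ($1 == "IP" || $1 == "IP6") && $3 == ">" && $5 == "tcp" {
      dst = $4; sub(/:$/, "", dst)
      key = $2 " > " dst
      pkts[key]++; bytes[key] += $6
    }
    END {
      for (key in pkts) {
        split(key, ep, " > ")
        # Heuristic: port 80 on either side is treated as unencrypted HTTP.
        tag = (port(ep[1]) == "80" || port(ep[2]) == "80") ? "cleartext-http" : "-"
        printf "%s %d %d %s\n", key, pkts[key], bytes[key], tag
      }
    }' | LC_ALL=C sort
}

# Packet lines copied from the trace earlier in this section.
SAMPLE='IP 192.168.1.66.55101 > 192.168.1.64.51712: tcp 117
IP 192.168.1.64.51712 > 192.168.1.66.55101: tcp 0
IP 192.168.1.64.51712 > 192.168.1.66.55101: tcp 298
IP 192.168.1.66.55101 > 192.168.1.64.51712: tcp 0
IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 0
IP 192.168.1.66.55324 > 199.59.148.201.80: tcp 269
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 0
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428
IP 199.59.148.201.80 > 192.168.1.66.55324: tcp 1428'

printf '%s\n' "$SAMPLE" | summarize_flows
```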

Using Wireshark

Whilst tcpdump is a quick and easy way to see and capture traffic, it is not exactly an easy tool to use when you want to figure out what is going on. Wireshark is a much easier tool if you want to perform deeper packet inspection or if you just prefer your network debugging tools to have a user interface. Luckily Mac OS X ports are readily available. If you are following along, I downloaded and installed version 1.6.5 for OS X 10.6 (Snow Leopard) Intel 64-bit from here.

Once you have Wireshark installed and running you should see a list of available interfaces that it can capture. The one we are interested in is of course our virtual interface rvi0:

Selecting rvi0 switches us to a live capture of the packet data with a lot more information to help us decode and understand what is going on. This can be interesting to watch and see all of the things your iOS device is doing. For the purposes of this example it is useful to apply some filters so we can focus in on the HTTP request traffic. The easiest way to do that is to apply a display filter (Analyze -> Display Filters…). There are a number of pre-defined filter expressions including being able to limit the display to HTTP traffic:

Now if we create our request it is immediately obvious what is going on as we can clearly see the HTTP GET request and the JSON response:

The central pane of wireshark allows you to drill down into the contents of each packet allowing us to see the JSON details:

The full packet decode is also available in the lower pane if you need to see the whole packet.

Wrapping Up

I should say that this post is not an attempt to explain everything involved in debugging network communications using tcpdump or wireshark. That is a huge topic and requires some knowledge of the underlying protocols. What I did want to make clear is that the tools you need to capture and analyse live traffic off your iOS device are readily available and take just a few minutes to get set up. It is not something you will (hopefully) need to use every day but it is well worth having it in your toolbox for those occasions when you need to debug network communications.

Time: 2024-10-19 10:58:05
