iOS : Packet Capture with iOS device (iPhone, iPad)


I was trying to work out which hostname serves iOS updates and wanted to run a packet capture on my iPhone; I was also interested to see whether the requests were being served by the Mac Mini caching server or by the Internet. Being an iPhone, however, there is an issue, which is outlined below:

Official Packet Capture on iOS statement 

Apple : iOS doesn’t let you record a packet trace directly. However, you can use your Mac to record a packet trace on an attached iOS device using the Remote Virtual Interface (RVI) mechanism. To get started, first connect your iOS device to your Mac via USB. Next run the rvictl command in Terminal.

iOS packet trace : Apple hardware available

This means that to complete a packet capture I need a MacBook or other Apple hardware; then, with my iPhone connected to the USB-C port, I need to use this command with the Developer tools installed:

rvictl -s <UDID>

I then need to get the UDID from the iPhone. Unfortunately, it does not look like this can be done from the phone, so you have to download iTunes. Once iTunes is installed, connect your iPhone and, when it is detected by iTunes, locate the serial number of your iPhone, right-click on that value and choose Copy UDID as below:

Note: If you have an older version of iTunes you will need to click the Serial Number to reveal the UDID and then right-click to copy it.


You now need to copy that UDID and issue the command outlined earlier in your terminal window; in this example that is the following:

$ rvictl -s b0e8fe79cd17d4993bd547418bfbdba70a4af2c5

Then, when you issue this command, you will see that it has connected, as below:

Starting device b0e8fe79cd17d4993bd547418bfbdba70a4af2c5 [SUCCEEDED] with interface rvi0

Then from here you can start the packet capture with this command:

sudo tcpdump -i rvi0 -w trace.pcap

You then need to replicate your actions, in this case checking for iOS updates, and when finished press Ctrl+C to stop the trace; you will then need to analyse that file in Wireshark.
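As an added example (not from the original post), here is a small script that wraps the rvictl and tcpdump steps above: it checks the UDID format, reads the interface name out of rvictl's output rather than assuming rvi0, and removes the virtual interface again (rvictl -x) when tcpdump is stopped with Ctrl+C. The script name, the helper function names and the 25-character UDID form for newer devices are my own additions; it assumes macOS with the Xcode command line tools installed.

```shell
#!/bin/sh
# rvi_capture.sh (constructed example): capture an attached iPhone's traffic via RVI.
# Assumes macOS with rvictl (Xcode command line tools) and tcpdump available.
set -eu

# A UDID copied from iTunes is 40 hex characters on older devices; newer devices
# use a 25-character form with a dash (e.g. 00008030-xxxxxxxxxxxxxxxx).
udid_is_valid() {
    case "$1" in
        *[!0-9a-fA-F-]*) return 1 ;;   # anything other than hex digits or a dash
    esac
    [ "${#1}" -eq 40 ] || [ "${#1}" -eq 25 ]
}

# Pull the interface name out of a line such as
# "Starting device <UDID> [SUCCEEDED] with interface rvi0" so we do not assume rvi0.
parse_rvi_iface() {
    printf '%s\n' "$1" | sed -n 's/.*with interface \(rvi[0-9][0-9]*\).*/\1/p'
}

main() {
    udid=${1:?usage: rvi_capture.sh <UDID> [outfile.pcap]}
    outfile=${2:-trace.pcap}
    udid_is_valid "$udid" || { echo "UDID does not look right: $udid" >&2; exit 1; }

    iface=$(parse_rvi_iface "$(rvictl -s "$udid")")
    [ -n "$iface" ] || { echo "rvictl did not report an rvi interface" >&2; exit 1; }

    # Remove the virtual interface again however tcpdump ends (Ctrl+C included).
    trap 'rvictl -x "$udid"' EXIT

    echo "Capturing on $iface to $outfile; press Ctrl+C to stop" >&2
    # Full packets (-s 0) so TLS handshakes, and therefore SNI hostnames, survive intact.
    sudo tcpdump -i "$iface" -s 0 -w "$outfile"
}

# Only run when given a UDID, so the helpers can be sourced or tested on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```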

Annoyingly, this process cannot be completed on Windows; you actually have to have some Apple hardware in the form of a laptop or desktop device.

Diagnostics should not require Apple hardware

You should not need Apple hardware to diagnose a problem with Apple devices; however, as with repairability and user-replaceable components, Apple likes to keep the gates locked when it comes to diagnostics.

Personally, I have found many times that you can do a better troubleshooting session yourself rather than going to a Genius Bar appointment; if you have ever attended one of these, they can be quite disappointing, and sometimes the so-called geniuses have the same IQ as a crayon 🖍️

I also do not like the excessive price of Apple hardware just because it has an Apple logo on it, and the fact that you do not get the best value for your money. If you are only going to do Apple tasks, they are lovely devices, but if you wish to do slightly more interesting things with your laptop you will definitely require a Windows machine.

iOS packet trace : ❌ Non-Apple hardware

This is easier as it does not require an Apple desktop or laptop and can be done from the iPhone; for this method you also do not need your UDID, and you are doing it on your own device with an application from the App Store.

HTTP Catcher

This is the application that will allow you to complete a network trace right off your iPhone by utilising the VPN configuration profile options; you can get it from the link below:

https://apps.apple.com/us/app/http-catcher/id1445874902

This is the application from the App Store preview. Ignore the bad reviews; clearly people do not know how to use this application, as it works very well if you install it correctly, which will be covered in this blog.

First, you need to download this application to your iPhone, then we can get configuring. I have the "pro" version as it offers some helpful features that I use; however, this will also work on the free version.

Download the app from the App Store by using the link or by searching for "http catcher".


Locate the app, which should be in your "Recently Added" folder in the App Library:


When HTTP Catcher is started, try to start the network capture with the play button as below:



This will then ask you if you would like to install the VPN profile; when you choose "Allow" you will need to confirm your PIN, then the profile will be installed and you will be returned to the application:

Note: if you have a managed device and the MDM blocks profile installs, you will need to complete this action on a device that does not have this policy assigned.


That means you can now start capturing the traffic coming from your iPhone; however, remember that for anything secured with HTTPS, which is usually everything, you will only see the CONNECT entries (host and port), as the VPN cannot see inside the secure tunnel.

HTTPS Decryption

If you are only after hostnames then that is all you need to do, but if you would like more information on the traffic destination and other details you will need to enable HTTPS inspection, or decryption, which means turning on the decryption setting below.

Note: There is zero difference between HTTPS decryption and a man-in-the-middle (MITM); the former is the corporate way of saying "we are looking at all your traffic" without using the hacking term MITM, but that is what this is.

I did enable this for this example; to turn it on we need to follow some more steps. First we need the More option in the application, then we need to enable "Decrypt HTTPS Traffic":



You will then be asked whether you would like the configuration installed:


That will then open Safari, and you should be asked whether you would like to download the profile, which contains the certificate to trust:


When you allow this you will be told that it has been downloaded and that you need to go to Settings to install it:


Open your Settings, where you will notice a new option named "Profile Downloaded"; tap this option:


That will show the profile settings which, as we can see below, include a certificate we need to install; you will need to confirm your PIN once again to install it:


When this is installed, head back to the main Settings screen and choose General:


Then we need the About option:



Then, right at the bottom, is the option for trusted certificates; tap this option:


You will then see this new certificate listed but not enabled; tap the slider:



This will then ask you whether you would like to install a root certificate:


You will then be given the warning about what this will do, and yes, you need to trust it with Install:


That should be confirmed by the slider being green on that certificate, as below. Once this slider is on, anything holding that certificate's private key can impersonate any HTTPS site to this phone, so turn it back off and delete the profile when the capture is finished.


Now return to the application and enable the VPN once again; you can now see the destination and the data for that stream, with the URL and all the images:



Mission Control : Back to the mission

Important: Ensure you have HTTP Catcher running with HTTPS decryption enabled before you complete the steps, as you need to capture all the traffic.

Right, the original mission was about software updates for iOS devices, so let's get back on topic. With this VPN enabled I need to navigate to Software Update, so from your iPhone go to General > Software Update as below:



You will then see iOS 17.7 and think, yuck, where is iOS 18? Well, towards the bottom of the iOS 17.7 update screen you will see an option for iOS 18; tap on that:


This will then show you the iOS 18 update options; from here you need to tap Update Now as below:


This will then inform you that the update has been requested, as below; leave it here for a moment:


We need the update to start downloading, as that means it will have communicated with the server and started the application/octet-stream transfer (the HTTP content type for a binary download).


Once you have got to this stage you can navigate back to HTTP Catcher and stop the VPN and the traffic capture; the VPN will have done its job. When you go back to the application you will see all the traffic as below:


Notice GET 6, with the telltale binary/octet-stream content type: this is the download request, and the source of that request (the red box) is not the Internet but the Mac Mini set up as a caching server.

Note: The IP address under the red box that has been redacted for privacy is the address of the Mac mini; while it is absolutely impossible to talk to a private address from the Internet, I have redacted it anyway.

If you then check out that session you will notice that it is not being served from HTTP on TCP:443 but from TCP:49597, which is the caching server port internally, and then you will notice the upstream source was indeed updates-cdn.apple.com (see the green arrow):


The "Query" tab in HTTP Catcher will then confirm where the original source was located, as below:


This means that in this example the update did not come from the Internet but from the caching server onsite. Furthermore, this is how the updates work:

Normal Updates (no caching server)

iPhone > Internet > Apple CDN > Stream Update

Caching Server Updates (with a caching server)

In this example the iPhones do not talk to the Internet but only to the caching server onsite, meaning it will save your bandwidth and avoid potential outages on the network caused by every iPhone trying to get the update; there is no link from the iPhone to the Internet (hence the Internet is on the caching server line below):

iPhone < > Mac Caching Server (from local cache)
Mac Caching Server > Internet > Apple CDN > Stream Update to local cache
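The check the post walks through above (find the octet-stream GET, then ask whether its destination is a private address on the LAN or a public one on the Internet) as an added example, not part of the original post or of HTTP Catcher. The input format is my own: one session per line, typed up from the HTTP Catcher session list, and the sample addresses and paths are constructed (the public one is from the RFC 5737 documentation range). It covers both the caching-server case shown above and the normal CDN case.

```shell
#!/bin/sh
# update_source.sh (constructed example): where was an iOS update download served from?
# Input format is my own: one session per line, "METHOD DEST_IP PORT CONTENT_TYPE URL".
set -eu

# RFC 1918 ranges: a download from one of these came from something on the local
# network (here the Mac Mini caching server), not from Apple's CDN.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Read sessions on stdin and print one line per update download:
# "<source> <ip>:<port> <url>", where source is caching-server or internet.
# The telltale is the octet-stream content type the post points out.
update_source() {
    while read -r method ip port ctype url; do
        case "$ctype" in
            application/octet-stream|binary/octet-stream) ;;
            *) continue ;;   # JSON, HTML, images: not the update payload
        esac
        if is_private_ipv4 "$ip"; then src=caching-server; else src=internet; fi
        printf '%s %s:%s %s\n' "$src" "$ip" "$port" "$url"
    done
}

# Constructed sample sessions: a catalogue fetch, the download from the caching server
# on its dynamic port (as in the capture above), and the same file fetched from the CDN.
SAMPLE_SESSIONS='GET 10.0.0.20 49597 application/json http://10.0.0.20:49597/example/catalog
GET 10.0.0.20 49597 binary/octet-stream http://10.0.0.20:49597/example/iOS18.ipsw
GET 203.0.113.10 443 application/octet-stream https://updates-cdn.apple.com/example/iOS18.ipsw'

printf '%s\n' "$SAMPLE_SESSIONS" | update_source
```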

MDM Remote Options : Deliver and Download are not the same

If you are using an MDM then you have the ability to block the update "window", which controls when the iPhone can install the update. Let's look at the options; go back to this location:


Then you will need to tap on the option labelled "Automatic Updates":


You will then get the options to configure updating, which will look like this. Please remember that the top option here for "automatic install" can be overridden by your MDM solution, but the download option cannot at this present time:


What can MDM override?

Delay iOS Updates: You can use the MDM setting to defer major iOS updates for up to 90 days, but this only delays the installation, not the download.

Disable Notifications: You can manage how update notifications appear on devices, but this does not prevent background downloads.

Control Over OS Installations: Through Device Restrictions you can restrict the ability to install updates; this does not prevent the system from downloading updates in the background.

How can I update these settings then?

The download option can only be toggled manually by users on their devices, meaning you cannot disable this specific "iOS Updates" automatic download option remotely through MDM profiles at this time.

What does Apple say about this in the MDM Framework?

Apple's MDM framework currently allows some control over deferring installations and managing notifications, but not over preventing the background download of updates. For complete control over this setting, manual interaction on each device is still required: the user can turn it off, but remotely you cannot. Simples.
