
HOW-TO: Sniff your own iPhone traffic

11/25/2007

After the iPhone IMEI non-story last week, I thought it would be useful to document how easy it is to sniff your own iPhone traffic if you want to do any testing or investigation on your own. The problem with the story last week was that no one had taken a few minutes to actually look at traffic on the wire, everyone just blindly repeated the same story. Sniffing your own iPhone traffic isn’t hard. Mac OS X even has built-in tools to help you do it.

Step 1: Required equipment.

You’ll need:
* A wired connection to the internet.
* A Mac that has both a wired and a wireless interface; any portable, iMac or Mac Mini, and many other systems, will work.
* Mac OS X (Either Tiger or Leopard will work. Screenshots in this article are of Leopard, and Tiger looks somewhat different but has the same functionality.)
* The ability to type some commands in Terminal.

We’ll be using built-in software (tcpdump) for this, but for extra functionality you can install Wireshark. We’ll cover this later.

Step 2: Setting up Internet Sharing.

Tiger and Leopard have a feature that allows you to share your wired ethernet connection over your built-in wireless. Effectively you are turning your Mac into a temporary wireless access point. These screenshots are from Leopard, which looks somewhat different than Tiger, but the basic steps are the same on Tiger.

Before you start, make sure you’ve got a wired ethernet connection to your Mac.

Go to System Preferences, then to Sharing, then to Internet Sharing.

Set up sharing to go from your built-in Ethernet to Airport, like so:

[Screenshot: Internet Sharing]

Click the Airport Options box and give the access point a useful name, like “test”. You can use WEP security if you want, but since you’ll only be running this for a few minutes, it’s easier just to leave it open. Just don’t forget to shut it off when you’re done.

[Screenshot: Airport Options]

Back on the Internet Sharing screen, click the checkbox on the left to turn Internet Sharing on.

Step 3: Connect your iPhone to your Mac.

On your iPhone, go to Settings, then to Wi-Fi, and connect to your test network.

Step 4: Find your network interface on your Mac and iPhone.

Start Network Utility on your Mac and, on the first (Info) tab, step through your network interfaces. One should have the address 10.0.2.1: that’s your temporary wireless access point. Note the name of this interface (mine is en1, for example); we’ll need it later.

[Screenshot: Network Utility]

On your iPhone, go to Settings, then to Wi-Fi, and tap the blue circle with a “>” next to your test wifi network. You should see an IP Address of 10.0.2.2 or similar.

Step 5: Test your connection.

At this point you should be able to use Safari on your iPhone to reach an internet site. Try the always-handy http://whatismyip.com

If you can get out, then we’re done with the set-up and you have a completely working test bed for our packet sniffing.

Step 6: Sniff some traffic

Mac OS X already has a built-in packet sniffer called tcpdump. It’s useful for getting basic information about what’s going on. To use tcpdump, open Terminal and type the following command.

sudo tcpdump -i en1 -A -s 0

If you found a different interface than ‘en1’ in Step 4, use that in place of en1.

[Screenshot: Terminal]

You’ll end up with some rather cryptic output that looks like this:

10:39:37.299255 IP 10.0.2.2.50327 > 66.230.165.157.http: S 2056:2056(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 127850900 0,sackOK,eol>
E..@&.@.@..7
...B......P.............Z.............
............
10:39:37.383132 IP 66.230.165.157.http > 10.0.2.2.50327: S 3906021356:3906021356(0) ack 2057 win 5792 <mss 1460,nop,nop,timestamp 2852411112 127850900,nop,wscale 0>
E .<..@./.W.B...
....P....'.... ...............
..V.........
10:39:37.385589 IP 10.0.2.2.50327 > 66.230.165.157.http: . ack 1 win 65535 <nop,nop,timestamp 127850900 2852411112>
E..4&.@.@..B
...B......P... ..'......h.....
......V.
10:39:37.390488 IP 10.0.2.2.50327 > 66.230.165.157.http: P 1:382(381) ack 1 win 65535 <nop,nop,timestamp 127850900 2852411112>
E...&.@.@...
...B......P... ..'.....?......
......V.GET / HTTP/1.1
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/3B48b Safari/419.3
Cache-Control: max-age=0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: keep-alive
Host: goat.cx

Telling you how to read this output is beyond the scope of this post, but what you’re seeing is the raw data going between the iPhone and any other internet site.
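As an added example (not code from the original post), here is a small Python script that pulls the HTTP request lines and Host headers out of tcpdump -A output like the above, so you can answer the question the IMEI story never asked: which hosts did the phone actually talk to, and what did it send in the clear? The capture embedded in it is constructed in the shape of real tcpdump -A output, not a real iPhone capture; the hostnames and 192.0.2.x addresses are placeholders.

```python
import re
from collections import Counter

# Packet header line, e.g. "10:39:37.390488 IP 10.0.2.2.50327 > 66.230.165.157.http: P 1:382(381) ..."
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+?): ")
# -A prints non-printable bytes as '.', so the request line is glued to the tail of
# the TCP header ("......V.GET / HTTP/1.1"); hence search() rather than match().
REQUEST_RE = re.compile(r"\b(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]")

# Constructed sample in the shape of real tcpdump -A output (not an actual capture).
SAMPLE = """\
10:39:37.385589 IP 10.0.2.2.50327 > 192.0.2.10.http: . ack 1 win 65535 <nop,nop,timestamp 127850900 2852411112>
E..4&.@.@..B
10:39:37.390488 IP 10.0.2.2.50327 > 192.0.2.10.http: P 1:382(381) ack 1 win 65535 <nop,nop,timestamp 127850900 2852411112>
......V.GET / HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1
Host: www.example.com

10:39:38.100000 IP 10.0.2.2.50328 > 192.0.2.20.http: P 1:200(199) ack 1 win 65535
......V.POST /submit HTTP/1.1
Host: api.example.net
Content-Type: application/x-www-form-urlencoded
"""

def parse_http_requests(dump_text):
    """Return one dict per HTTP request: time, src, dst, method, path, host, user_agent."""
    requests, current, pending = [], None, None
    for line in dump_text.splitlines():
        m = HEADER_RE.match(line)
        if m:                                   # new packet: flush the request in progress
            if pending: requests.append(pending)
            current, pending = m.groups(), None
            continue
        r = REQUEST_RE.search(line)
        if r and current:                       # request line in this packet's payload
            if pending: requests.append(pending)
            ts, src, dst = current
            pending = {"time": ts, "src": src, "dst": dst, "method": r.group(1),
                       "path": r.group(2), "host": None, "user_agent": None}
        elif pending and ":" in line:           # header lines after the request line
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                pending["host"] = value.strip()
            elif name.strip().lower() == "user-agent":
                pending["user_agent"] = value.strip()
    if pending: requests.append(pending)
    return requests

def hosts_contacted(requests):  # requests per Host header (destination address if no Host)
    return dict(Counter(r["host"] or r["dst"] for r in requests))
```

To run it on a live capture, save the tcpdump output to a file (`sudo tcpdump -i en1 -A -s 0 > capture.txt`) and pass its contents to parse_http_requests in place of SAMPLE.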

When you’re done, don’t forget to shut down your Internet Sharing in System Preferences.

Bonus Step 7: Wireshark

Wireshark is a nice graphical packet analyzer that runs under X11 on OS X. To install it you’ll need to have the Apple Developer Tools and X11 installed. Assuming you have those, you can either install Wireshark through MacPorts or grab a pre-configured version of Wireshark from Andreas Fink. In either case you need to make one small change to the X11 config to make Wireshark work under Leopard. In X11.app, go to Preferences, then to the Output tab, and under that choose “Thousands” for colors. Quit X11.app and restart it.

[Screenshot: X11 Prefs]

Wireshark gives you much nicer output than tcpdump, and makes it much easier to browse the packets and see what’s going on.

[Screenshot: Wireshark]

Conclusions

While it does require a fair amount of technical knowledge to set all this up, there’s really no excuse for a reasonably technical person with a Mac and an iPhone not to check things out themselves the next time an “OMG THE IPHONE SENDS YOUR TAX RECORDS TO RUSSIA”-style story hits the blogs.
