Network sniffing on the iPhone

Monitoring the network activity of your device is one of the best ways to debug network-related bugs. Hours of frustrating debugging can often be avoided by simply looking at the actual packets your device is sending to the internet. Also, and you didn’t hear it from me, it is a very useful method to see what other apps are doing.

This tutorial assumes familiarity with network analysis tools such as Paros and Wireshark. I will not show how to use those tools, or the scenarios where you need them, but I will show two very simple ways to use them to monitor network activity on your iPhone.

These methods work only for Wi-Fi connections. Monitoring network activity on 3G is much, much more complicated and I will not deal with it today.

Using an HTTP proxy

The simplest way to monitor your activity is to set an HTTP proxy. My favorite HTTP proxy is Paros, but there are a lot of different ones out there.
To use Paros to monitor your network activity, follow these steps:

  1. Download and install Paros, and run it
  2. Find out your computer’s IP address from System Preferences -> Network.

  3. Configure Paros – set the local proxy address to [Your IP address]

  4. On your iPhone, go to Settings -> Wi-Fi and tap the arrow button next to your selected Wi-Fi network
  5. Set HTTP Proxy to Manual and enter:
    1. Server – [Your IP address]
    2. Port – 8080
    3. Authentication – Off

  6. That’s it. Now when you use the iPhone, you will see the Paros window filling with your HTTP requests

You can of course use the same method to monitor your iPhone simulator. This is even simpler, just set Paros’ “Local proxy address” to “localhost”.
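
As an added illustration (not part of the original post and not Paros code), the Python sketch below parses the request head that a device configured with a manual HTTP proxy sends to the proxy's listening port. It reports what is readable at that point: the full URL for plain HTTP, but only the host and port for an HTTPS `CONNECT` tunnel, before any TLS interception the proxy may perform. The function name, hostnames and sample requests are constructed for the example.

```python
from urllib.parse import urlsplit


def describe_proxy_request(raw: bytes) -> dict:
    """Summarise what a proxy listener learns from one request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {request_line!r}")
    method, target, _version = parts

    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    agent = headers.get("user-agent")

    if method == "CONNECT":
        # Authority-form target ("host:port"). The bytes that follow are a
        # TLS session, so only the destination is known at this point.
        host, _, port = target.rpartition(":")
        return {"kind": "tunnel", "host": host, "port": int(port),
                "url": None, "user_agent": agent}

    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        # Origin-form ("GET /path") means the client is not using a proxy.
        raise ValueError(f"not a proxy-style request target: {target!r}")
    return {"kind": "plain-http", "host": url.hostname,
            "port": url.port or 80, "url": target, "user_agent": agent}


# Constructed sample requests, as a proxy on port 8080 would receive them.
SAMPLES = [
    b"GET http://api.example.test/v1/items?id=7 HTTP/1.1\r\n"
    b"Host: api.example.test\r\nUser-Agent: DemoApp/1.0\r\n\r\n",
    b"CONNECT login.example.test:443 HTTP/1.1\r\n"
    b"Host: login.example.test:443\r\nUser-Agent: DemoApp/1.0\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(describe_proxy_request(sample))
```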

Advanced network monitoring using Wireshark

An HTTP proxy is a great method, and it will be enough around 90% of the time. There are times, however, when you need a deeper investigation – analyzing the entire TCP connection, analyzing non-HTTP protocols, etc. The best tool for network analysis is Wireshark. Using Wireshark to monitor your iPhone’s activity is a little more complicated, since the iPhone only allows setting an HTTP proxy. To overcome this we will use a nice little trick – your Mac has the ability to become a Wi-Fi hub with just a few clicks. This little-known feature is the key to monitoring the iPhone’s activity. All we need to do is set the iPhone to use the Wi-Fi network generated by our Mac, and all of its network activity will pass through the Mac, allowing us to sniff it using Wireshark!

To monitor network activity using Wireshark, follow these steps:

  1. Download, install and run Wireshark
  2. Connect your Mac to the internet via Ethernet. This is unfortunately mandatory, since you can’t turn the computer into a Wi-Fi hub if you are connected to the internet via Wi-Fi
  3. Enter System Preferences -> Sharing -> Internet sharing.
  4. Set “Share your connection from:” to Ethernet and set “To computers using:” to AirPort, and check the “Internet Sharing” checkbox. This will create a new wi-fi network with your computer’s name. Make sure to set a password for this wi-fi network.

  5. On your iPhone, enter Settings -> Wi-Fi and choose the new wi-fi network
  6. That’s it. Now all your iPhone’s network activity is routed through your Mac computer, and you can sniff it with Wireshark

I hope you’ll find this article useful, and that network monitoring will become one of the main tools in your arsenal.

5 Responses to Network sniffing on the iPhone

  1. damnit says:

    What if I don’t have a Mac? :/

  2. RP says:

    I need to monitor the network activity on 3G. Can you please help? Let me know of any way/article to do it.

  3. John says:

    Thank you. First article that verbally explains to me why my Wireshark cannot see all of my iPhone activities.
