I'm testing an iOS application and I just want to see when HTTPS traffic is sent. I'm not interested in the contents of the traffic. How can I configure Wireshark to do this?
This is just to verify that an analytics package is working. I don't have any control over the servers that my app is talking to.
Thanks!
Edit #1: My current Wireshark configuration can see traffic to http://www.duckduckgo.com but not https://www.duckduckgo.com
An alternative is using your Mac as a Wi-Fi access point and sniffing the traffic with TCPDump. Here are the steps:
Connect your Mac to your router using an Ethernet cable (the Wi-Fi card will be busy working as access point). Or skip this step if you only want to sniff traffic from the app to your own computer.
In the Wi-Fi icon of your toolbar, click Create Network. Give it a random name, select security, and set a password.
In System Preferences > Sharing set To computers using: Wi-Fi. In Wi-Fi Options... choose the network you created before. In Share your connection from:, choose the interface you are getting Internet from, usually Ethernet.
Enable Internet Sharing, and connect to this new Wi-Fi network from your iPhone.
Disconnect 3G on your iPhone from Settings > General > Network and check your Internet with Safari. Sometimes it takes a few seconds.
In your Mac type sudo tcpdump -s 0 -A -i en1 port 443 > log.txt. Use ifconfig if you have a network interface other than en1. The log generated can also be imported by WireShark (which is a GUI version of tcpdump).
Now all Internet traffic from your iPhone will be recorded.
TCPDump is included with all versions of OS X. For other options, see Technical Q&A QA1176 Getting a Packet Trace.
If you want to decrypt the SSL traffic in order to listen in on it, have a look at the Wireshark Wiki. The explanation is a bit longer, but enables you to decrypt SSL traffic.
You also might want to listen on port 443 instead of 80.. :-)
Set following as a filter after you've started capturing the appropriate network interface:
tcp.port == 443 || tcp.port == 80
This will ensure display of data for only http & https connections that you can further inspect.
Yes. Wireshark can watch any and all ethernet traffic made available to it. The issue to solve is whether the machine running Wireshark will see all of the ethernet traffic you are interested in detecting the presence of.
Related
I‘m trying to monitor traffics under wifi, And I use both a mac and a lubuntu installed Wireshark, and after I enable monitor mode start listening, the amount of lubuntu packs is far less than Mac (10x less)
Does this happen since the CPU or net card things(other hardware things?) or just because of different Wireshark?
Is there any other way to identify this cause? (maybe with some other tool or commands)
added:
maybe related to the channel of wifi, but I config wifi to channel 7 and set the lubuntu monitor channel with
iwconfig wlanxx channel 7
but still, I can't get sniffer traffic under lubuntu but full of them under mac
seems lubuntu only could get the broadcast pack (like arp) and 802.11 Protocol Pack
I'm guessing this due to the bad configuration or implementation of wireless net card
There is probably just more activity on the Mac. I don't know your precise configuration, but if you have a browser open on the Mac and nothing on the lubuntu, then there will be a difference in the amount of network traffic.
There is not really a reason for network traffic to change significantly because of hardware. Configuration can play a role though. If ipv4 and ipv6 are enabled, address resolution packets will be double as if only one is. If Arp cache is set to expire fast, there will also be more Arp traffic.
To identify the cause, look at what wireshark is telling you. What packets are there on both machines ? what packets are unique to the Mac ? Have a look at protocols, destination IPs and port numbers, they are the main clue to tell you what is happening.
It seems due to router's setting( wifi channel and mode(802.11xx))
using channel hopping Tech, For capturing as much as possible packages while hopping through multiple channels
And maybe trying some advanced monitor wireless net card for various mode(802.11xx) and 2.5G/5G supporting
I would like to use a USB internet Key Huawei E3531i for send and receive SMS.
I'm working on it, I can send but I have some issue receiving but this is not the topic of this thread.
When I plug the USB stick the Raspberry (connected to wireless lan) doesn't have access to internet any more. Most probably because somehow the internet key is considered as preferred connection but I don't have idea how to change this.
The best for me would be that the USB stick is not used at all for internet connection, even the wireless lan is not available.
How to configure this?
Thanks
Andrea
SOLVED!
Editing the file: /etc/dhcpcd.conf
Adding the metric for each interface. In this way I can drive the priority of routing for internet connection:
interface wlan0
metric 200
interface eth1
metric 300
The smaller number has higher priority.
Now I'm able to reach the internet key with his static ip address but also connecting to internet because the default interface is the wifi.
Bye
Andrea
I'd like to know that a specific device (phone/tablet) has joined my WiFi network created by ESP8266 microcontroller. It shouldn't require any installed apps on that phone/tablet, if possible, to simplify the whole setup.
So I think I need to somehow identify connected clients, and MAC is not an option because it is subject to change randomly on, say, Apple devices.
Maybe it's possible to collect host names of connected clients?
I know that Windows and Ubuntu clients send their host names when getting IP from DHCP server (see here). Also, it's possible to find such information on, say, home Wi-Fi router admin web page (i.e. host names, their IPs and MACs).
I'm running DHCP server on ESP8266, but I haven't found any API that allows to get peer host name (i.e. reverse DNS). Does ESP8266 support getting such information?
I'm using Charles Proxy and Wireshark to monitor http(s) traffic from various iOS apps I'm using on my iPhone. These apps require me to set the HTTP Proxy under the iOS Wifi settings (let's call these the Proxy Settings).
My business needs to see ALL URL's that are being called from my phone. From all apps. All URL's, not some of them.
Now Charles and Wireshark both work fine and I can see a ton of traffic coming from my phone.
However, I can't help but wonder whether I might be missing some HTTP calls. Maybe calls that don't use the Cocoa Core Foundation libraries as the basis for their networking.
For instance, I could write my own HTTP library out of TCP/IP and these would bypass the Proxy Settings.
So my question is: what is the likelihood that some apps are using custom-rolled HTTP libraries and side-stepping my Proxy Settings. Or worse, they're using raw TCP/IP to communicate with a server. I know it's possible, but do any APIs work this way? Does anyone do it?
I found the answer: Use mitmproxy in transparent mode. proxy is not used. harder to setup because it needs work on the router, but it reliably captures every packet on port 80 and 443 regardless of proxy settings.
Assuming that you are able to keep your device tethered, then you may be able to use the pcap service to monitor all traffic. According to the following paper (2014) the pcap service is running on every iOS device:
"Identifying back doors, attack points, and surveillance mechanisms in iOS devices"
You should be able to connect to it via usbmuxd. I'm not sure whether there is a pre-rolled client for the pcap service. There is a list of services supported by libimobiledevice here. Pcap is not on that list.
Alternatively, you can use wireshark to capture all traffic on your wifi network.
I am trying to detect Apple devices connected to a wireless network. This is relatively simple using Bonjour, however I am also trying to detect what kind of device it is. Like, a MacBook Air, a MacBook Pro, a MacPro, an iPhone, iPod, or an iPad.
I have found that Bonjour requests to MacBook's and MacPros include an "ADDITIONAL SECTION" response to the query which includes the model:
;; ADDITIONAL SECTION:
Q9550._device-info._tcp.local. 10 IN TXT "model=MacPro3,1"
and
;; ADDITIONAL SECTION:
Air._device-info._tcp.local. 10 IN TXT "model=MacBookAir4,2"
From testing an iPhone (3GS and 4), an iPod touch, and an iPad2, all of the iDevices only respond with their name:
;; ANSWER SECTION:
111.1.168.192.in-addr.arpa. 10 IN PTR gmPad2.local.
Clearly, the name may not reflect the device. So, I would not like to try to extrapolate the type of device from the name. Does anyone know any other ways to detect iDevice types?
Edit: just to be clear, the command I am using is: dig #224.0.0.251 -p5353 -x 192.168.1.111 ... substituting the IP address of the Apple device
Use port 62078
The most reliable indicator I have seen is whether you can connect to IP port 62078.
Port 62078 is used for the "iphone-sync" service, and I don't think MacBooks use it. This port always appears to be open for the iPhones and iPads on our (very small) network.
Possibly (but not probably) there are messages you can send to the port to sniff out more details...
I think the official xml list of port assignements is here, although it wasn't working for me just now:
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
MAC address
In theory the MAC addresses might help - but probably not much use unless you can find somewhere that maintains a reliable list of ranges (e.g. a network security firm, or hardware provider). MAC addresses do depend on the actual chips used (or a flashed MAC). The database is at the organisation level (although organisations sometimes choose to use specific ranges for specific devices).
http://standards.ieee.org/develop/regauth/oui/public.html allows you to download the database of "Organizationally Unique Identifiers", or you can look up "Apple", or the first three bytes of a MAC address e.g. 00264A.
Anecdotally, the MAC lookup doesn't work... First three digits of my iPad MAC are 28-68-BA and that comes up with nothing.
User agent
Probably not useful, but if you can watch the network traffic or have an http proxy, then the user-agent string could help (see http://developer.apple.com/library/IOS/documentation/AppleApplications/Reference/SafariWebContent/OptimizingforSafarioniPhone/OptimizingforSafarioniPhone.html#//apple_ref/doc/uid/TP40006517-SW3).
Edit (added):
Apple’s Bonjour protocol relies on Multicast DNS (mDNS) operating at UDP port 5353 and sends to these reserved group addresses: IPv4 Group Address - 224.0.0.251, IPv6 Group Address - FF02::FB - reference.
This would help get push notification when Apple devices connect to a local network (link-local) by listening for multicast messages on 5353 UDP. Perhaps sniff the packet and see if it has any extra information in it :)
Although I presume that Bonjour API also allows for seeing this...
You can also use the airport utility to do this manually :
1) open AirportUtility
2) Go to "Wireless Clients" (hover mouse by the arrow and click it)
3) Go to DHCP Clients, and you will see iPad,iPhone, computer name, etc.... as the Client ID column.