I was trying to figure out which hostname the iOS updates were being served from and wanted to do a packet capture on my iPhone; I was also interested to see whether the Mac Mini caching server was serving the requests or whether they were going out to the Internet. However, being an iPhone, there is an issue, outlined below:
Official Packet Capture on iOS statement
Apple : iOS doesn’t let you record a packet trace directly. However, you can use your Mac to record a packet trace on an attached iOS device using the Remote Virtual Interface (RVI) mechanism. To get started, first connect your iOS device to your Mac via USB. Next run the rvictl command in Terminal.
iOS packet trace : Apple hardware available
This means that to complete a packet capture I need a MacBook or other Apple hardware, then with my iPhone connected to its USB-C port I need to use this command, with the developer tools (Xcode) installed, as rvictl ships with them:
rvictl -s <UDID>
I then need to get the UDID from the iPhone. Unfortunately, it does not look like this can be done from the phone, so you have to download iTunes; once iTunes is installed, connect your iPhone to it, and when it is detected locate the serial number of your iPhone, then right click on that value and choose Copy UDID, as below. (On a current Mac, where iTunes has been replaced by Finder, select the phone in Finder and click the serial number under its name until the UDID is shown; with Xcode installed, xcrun xctrace list devices also prints the UDID of every attached device.)
Note : If you have an older version of iTunes you will need to click the Serial Number to reveal the UDID and then right click to copy it
You now need to copy that UDID and issue the command outlined earlier in your terminal window, which in this example is the following:
$ rvictl -s b0e8fe79cd17d4993bd547418bfbdba70a4af2c5
When you issue this command you will see that it has connected, as below:
Starting device b0e8fe79cd17d4993bd547418bfbdba70a4af2c5 [SUCCEEDED] with interface rvi0
Then from here you can start the packet capture with this command:
sudo tcpdump -i rvi0 -w trace.pcap
You then need to replicate your actions, in this case checking for iOS updates, and when finished press Ctrl+C to stop the trace; you can then analyse that file in Wireshark. When you are done, remove the virtual interface with rvictl -x <UDID>, and bear in mind that a capture on rvi0 records traffic from all of the phone's network interfaces, not just the app you are watching.
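To turn trace.pcap into the list of hostnames the capture was taken for, here is an added example (not from the original post): a small pure-Python reader that walks the pcap, pulls the TLS SNI out of each ClientHello and the Host header out of plaintext HTTP requests, and records which IP answered and whether that IP is an RFC 1918 address, i.e. an on-site box such as the Mac Mini caching server rather than the Internet. It handles Ethernet and raw-IP records and the PKTAP framing that rvi0 produces (reading the pth_length and pth_dlt fields as laid out in XNU's pktap.h, assuming a little-endian host); any other link type is skipped. The sample capture built at the bottom, with its hostnames and addresses, is constructed for the demo.

```python
import ipaddress
import struct

LINKTYPE_ETHERNET, LINKTYPE_RAW, LINKTYPE_PKTAP = 1, 101, 258
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def pcap_packets(data):
    """Yield (linktype, frame) for each record of a classic (non-pcapng) pcap file."""
    endian = "<" if struct.unpack("<I", data[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype, off = struct.unpack(endian + "I", data[20:24])[0], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def ip_packet(linktype, frame):
    """Strip the link-layer header and return the IPv4 packet, or None."""
    if linktype == LINKTYPE_PKTAP:   # rvi0 framing (XNU pktap.h; little-endian host assumed)
        hdr_len, _, inner_dlt = struct.unpack("<III", frame[:12])   # pth_length, pth_type_next, pth_dlt
        return ip_packet(inner_dlt, frame[hdr_len:])                # inner frame uses DLT pth_dlt
    if linktype == LINKTYPE_ETHERNET:
        return frame[14:] if frame[12:14] == b"\x08\x00" else None
    return frame if linktype == LINKTYPE_RAW else None

def tcp_segment(pkt):
    """Return (destination IP, TCP payload) for an IPv4/TCP packet, else None."""
    if pkt is None or len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total]
    return str(ipaddress.ip_address(pkt[16:20])), tcp[(tcp[12] >> 4) * 4:]

def tls_sni(payload):
    """Walk a TLS ClientHello and return its server_name (SNI), or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:      # handshake record, ClientHello
            return None
        p = 43                                             # record(5)+hs(4)+version(2)+random(32)
        p += 1 + payload[p]                                # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]  # cipher suites
        p += 1 + payload[p]                                # compression methods
        ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:   # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):   # truncated or non-TLS payload
        pass
    return None

def http_host(payload):
    """Return the Host header of a plaintext HTTP request, or None."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ", b"CONNECT ")):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace")
    return None

def update_sources(pcap):
    """Map each hostname seen in the capture to the IP that served it and whether it is on site."""
    found = {}
    for linktype, frame in pcap_packets(pcap):
        seg = tcp_segment(ip_packet(linktype, frame))
        name = seg and (tls_sni(seg[1]) or http_host(seg[1]))
        if name:
            found[name] = {"ip": seg[0], "on_site": any(ipaddress.ip_address(seg[0]) in n for n in RFC1918)}
    return found

# --- constructed sample capture: hostnames, addresses and the shortened pktap header are made up ---
def _client_hello(host):
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def _record(src, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", 50000, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + tcp
    eth = bytes(12) + b"\x08\x00" + ip
    pktap = struct.pack("<III24s", 36, 0, LINKTYPE_ETHERNET, b"rvi0") + eth   # first pktap fields only
    return struct.pack("<IIII", 0, 0, len(pktap), len(pktap)) + pktap

def build_sample_pcap():
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_PKTAP)
    hello = _record("10.0.0.5", "198.51.100.7", 443, _client_hello("updates.example.net"))
    get = _record("10.0.0.5", "192.168.1.20", 80, b"GET /ios-update.zip HTTP/1.1\r\nHost: caching-server.lan\r\n\r\n")
    return header + hello + get

if __name__ == "__main__":   # runs on the constructed sample; swap in open("trace.pcap", "rb").read()
    for host, info in update_sources(build_sample_pcap()).items():
        print(host, info["ip"], "on-site caching server" if info["on_site"] else "Internet")
```

Because the SNI is sent in the clear, this answers the "which hostname, and from where" question without trusting any certificate on the phone; it only tells you the hostnames and the answering addresses, not what was inside the TLS sessions.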
Annoyingly, this process cannot be completed on Windows; you actually have to have some Apple hardware in the form of a laptop or desktop device.
Diagnostic should not require Apple hardware
It should not require Apple hardware to diagnose a problem with Apple devices; however, as with repairability and user-replaceable components, Apple likes to keep the gates locked when it comes to diagnostics.
Personally, I have found many times that you can do a better troubleshooting session yourself rather than going to a Genius Bar appointment; if you have ever attended one of these, they can be quite disappointing, and sometimes the so-called geniuses have the same IQ as a crayon 🖍️
I also do not like the excessive price of Apple hardware just because it has an Apple logo on it, and the fact that you don't get the best value for your money; if you're only going to do Apple tasks, they're lovely devices, but if you wish to do slightly more interesting things with your laptop you will definitely require a Windows machine.
iOS packet trace : ❌ Non-Apple hardware
This is easier as it does not require an Apple desktop or laptop and can be done from the iPhone itself; for this method you do not need your UDID, and you do it on your device with an application from the App Store.
HTTP Catcher
This is the application that will allow you to complete a network trace right on your iPhone; it installs itself as an on-device VPN (using iOS's VPN configuration mechanism) so that the phone's traffic is routed through it, and you can get it from the link below:
https://apps.apple.com/us/app/http-catcher/id1445874902
This is the application from the App Store preview; ignore the bad reviews, clearly people do not know how to use this application, as it works very well if you install it correctly, which will be covered in this blog.
First, you need to download this application to your iPhone, then we can get configuring. I have the "pro" version as it offers some helpful features that I use; however, this will also work on the free version.
Download the app from the App Store by using the link or searching for "http catcher"
Note: if you have a managed device and the MDM blocks profile installs, you will need to complete this on a device that does not have that policy assigned.
That means you can now start capturing traffic coming from your iPhone; however, remember that for anything secured with HTTPS, which is usually everything, you will only get the CONNECT values (the hostname and port), as the VPN cannot see inside the TLS tunnel. To see the requests and responses inside it you have to install the app's root certificate and trust it, which is what the next steps do. Be aware of what that means: once trusted, that certificate lets whatever holds its private key decrypt the phone's HTTPS traffic, so remove the profile and the trust when the investigation is over.
You will then be asked if you would like the configuration installed:
That will then open Safari and you should be asked if you would like to download the profile, which contains the certificate to trust:
When you allow it you will be told that it has been downloaded and that you need to go to Settings to install it:
Open your Settings, where you will notice you have a new option named "Profile Downloaded"; tap this option:
That will give you the profile details, which as we can see below include a certificate; we need to install this, and you will need to confirm your passcode once again to install it:
Then we need the About option (Settings > General > About):
Right at the bottom is the option for trusted certificates (Certificate Trust Settings); tap this option:
You will then see the new certificate listed but not enabled; tap the slider:
This will then ask you to confirm that you want to trust this root certificate:
You will then be given the warning about what this will do, and yes, you need to trust it to proceed:
That should be confirmed by the slider being green on that certificate, as below:
Now return to the application, enable the VPN once again, and you can see the destination and the data for that stream, with the URL and all the images:
Mission Control : Back to the mission
You will then see iOS 17.7 and think, yuck, where is iOS 18? Well, towards the bottom of the iOS 17.7 update screen you will see an option for iOS 18; tap on that:
This will then inform you that the update has been requested as below, leave it here for a moment:
We need the update to start downloading, as that means the phone will have talked to the server and started receiving the application/octet-stream response (the HTTP Content-Type used for a binary download).
Once you have got to this stage you can navigate back to HTTP Catcher and stop the VPN and the traffic capture; the VPN will have done its job, and when you go back to the application you will see all the traffic as below:
Notice GET 6, which has the telltale octet-stream content type, meaning this is the download request, and the source of that response (the red box) is not the Internet but the Mac Mini set up as a caching server.
This means that in this example the update did not come from the Internet but from the caching server internally on site. For comparison, this is how the updates work without a caching server:
iPhone > Internet > Apple CDN > Stream Update
Caching Server Updates (with a caching server)
In this example the iPhones do not pull the update from the Internet but only from the caching server on site (they still check with Apple for which updates are available, but the large download, the GET 6 above, is served locally), which saves your bandwidth and avoids the outages you could get from every iPhone trying to fetch the update at once; the only Internet link is from the caching server, hence the Internet sits on the caching server line below:
Mac Caching Server > Internet > Apple CDN > Stream Update to local cache
MDM Remote Options : Deliver and Download are not the same
How can I update these settings then?