Packet Capture via Remote Virtual Interfaces (macOS)

Posted on 26 Mar 2021 in Computing

The simplest way to get output from a packet capture is tcpdump, but the popularity of Wireshark and its GUI make it a very attractive option, too. My ultimate goal was to capture network traffic from an iPhone directly over USB, since iOS doesn't ship a native packet inspector, and because my home router isn't running OpenWrt (womp, womp) for me to shell into and pull more granular logs from there. Thankfully, Apple provides a way to do this through Xcode: the rvictl command-line utility associates a USB-connected device with a virtual network interface on the Mac. I was running into issues with it, though, that numerous Google searches weren't able to remedy.

Spoiler alert: if you're running macOS 11.2 or later, this bug has been fixed. If you wish to avoid an OS upgrade, you can instead upgrade Xcode to at least 12.2, where the ACTUAL fix is made (see the references below).

To check your version of macOS, run the following in terminal:

$ sw_vers
ProductName:    macOS
ProductVersion: 11.1
BuildVersion:   20C69

Since the initial release of Big Sur, 11.0.1 (the first release for Intel Macs; 11.0 shipped only preinstalled on Apple silicon Macs), these have been the releases:

  • macOS Big Sur 11.2.3 - Latest at time of writing
  • macOS Big Sur 11.2.2
  • macOS Big Sur 11.2.1
  • macOS Big Sur 11.2 (the release paired with the Xcode 12.2 fix)
  • macOS Big Sur 11.1
  • macOS Big Sur 11.0.1

As described in the article by Andy Davies (referenced below), it's possible to link the iPhone over USB as a network device using a Remote Virtual Interface (rvi). The interface is created with rvictl, a CLI utility that ships with Xcode, and the device is identified by its UDID (visible in Xcode's Devices window):

$ rvictl -s <Unique Device Identifier - UDID>
Starting device <Unique Device Identifier - UDID> [FAILED]

If you keep receiving the above, you're most likely running a macOS version below 11.2, an older version of Xcode, and/or the com.apple.rpmuxd daemon isn't running (see the references below, and check your process list via ps or top).

How did I get this resolved? I checked for updates and got the latest build of Big Sur, of course! :) If this is affecting you and your networking tasks, do consider upgrading.

After upgrade:

$ sw_vers
ProductName:    macOS
ProductVersion: 11.2.3
BuildVersion:   20D91

$ rvictl -s <Unique Device Identifier - UDID>
Starting device <Unique Device Identifier - UDID> [SUCCEEDED] with interface rvi0

You're now free to use tcpdump or tshark against rvi0, or load up Wireshark, where rvi0 shows up as a regular network interface, and enjoy the wonderful world of packet inspection. Two caveats worth knowing: capturing on rvi0 needs root (sudo tcpdump, or the ChmodBPF helper for Wireshark), and rvi is a packet-level mirror of the device's interfaces, so TLS payloads stay encrypted; decrypting HTTPS still requires an interception proxy, as in the Andy Davies article below. When you're done, rvictl -x <UDID> removes the interface.
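The whole workflow above (version check, rpmuxd check, rvictl -s, capture, rvictl -x) as one script, added here as an example rather than code from the original post or from Apple. The two helper functions are plain POSIX sh and run anywhere; rvi_capture itself needs macOS with Xcode and is only invoked when you pass --capture. Assumptions not taken from the post: that the rpmuxd process is named rpmuxd (it may also be started on demand by launchd, so its absence is only a warning), and the file name rvi-capture.sh.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the rvictl workflow.
# Helper functions are POSIX sh and run anywhere; rvi_capture needs macOS
# with Xcode installed and runs only when invoked explicitly (see bottom).

# version_ge A B: true (exit 0) when dotted version A is >= B.
# macOS ships BSD sort without -V, so compare numerically field by field;
# ".0.0" is appended so short versions such as "11.2" still have three fields.
version_ge() {
  vg_i=1
  while [ "$vg_i" -le 3 ]; do
    vg_x=$(printf '%s.0.0\n' "$1" | cut -d. -f"$vg_i")
    vg_y=$(printf '%s.0.0\n' "$2" | cut -d. -f"$vg_i")
    [ "$vg_x" -gt "$vg_y" ] && return 0
    [ "$vg_x" -lt "$vg_y" ] && return 1
    vg_i=$((vg_i + 1))
  done
  return 0
}

# rvi_interface_from_output LINE: print the interface name (e.g. rvi0) from
# the "Starting device <UDID> [SUCCEEDED] with interface rviN" line that
# rvictl -s prints; return 1 on the [FAILED] line described in the post.
rvi_interface_from_output() {
  case "$1" in
    *"[SUCCEEDED] with interface "*) printf '%s\n' "${1##*with interface }" ;;
    *) return 1 ;;
  esac
}

# rvi_capture UDID [PCAP]: run the preflight checks from the post, attach the
# device, capture with tcpdump until interrupted, then tear the rvi down.
rvi_capture() {
  rc_udid="$1"
  rc_pcap="${2:-capture-$rc_udid.pcap}"

  rc_ver=$(sw_vers -productVersion)
  if ! version_ge "$rc_ver" 11.2; then
    echo "macOS $rc_ver: rvictl -s is known to fail before 11.2, upgrade first" >&2
    return 1
  fi
  # rpmuxd is the daemon behind rvictl (launchd label com.apple.rpmuxd).
  # Assumption: its process name is rpmuxd; launchd may start it on demand,
  # so treat its absence as a warning rather than a hard failure.
  pgrep -q rpmuxd || echo "warning: rpmuxd is not running" >&2

  rc_out=$(rvictl -s "$rc_udid")
  printf '%s\n' "$rc_out"
  rc_iface=$(rvi_interface_from_output "$rc_out") || {
    echo "rvictl could not start device $rc_udid" >&2
    return 1
  }
  # Remove the virtual interface again when tcpdump exits (Ctrl-C).
  trap 'rvictl -x "$rc_udid"' EXIT INT TERM
  # -n: no DNS lookups; -w: raw pcap for Wireshark/tshark. tcpdump needs root.
  sudo tcpdump -i "$rc_iface" -n -w "$rc_pcap"
}

# Explicit opt-in so the file can be sourced for its helpers. On a Mac:
#   sh rvi-capture.sh --capture <UDID>
if [ "${1:-}" = "--capture" ] && [ -n "${2:-}" ]; then
  rvi_capture "$2"
fi
```

Open the resulting pcap in Wireshark afterwards, or point tshark at it; the script parses the rvictl output rather than assuming rvi0, since a second attached device gets rvi1.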

References:

https://developer.apple.com/documentation/network/recording_a_packet_trace/troubleshooting_packet_traces

https://developer.apple.com/forums/thread/655329

https://andydavies.me/blog/2019/12/12/capturing-and-decrypting-https-traffic-from-ios-apps/

https://useyourloaf.com/blog/remote-packet-capture-for-ios-devices/