Using Wireshark to Capture iOS TCP/UDP Traffic via a Virtual Network Interface
This tutorial explains how to install Wireshark, create a virtual network interface for an iPhone, obtain the device UDID, start the virtual interface, and capture TCP/UDP traffic between the iPhone and IoT hardware, including the use of capture and display filters.
During mobile development, developers often need to intercept network traffic between an iPhone and IoT hardware. After introducing Charles for HTTP/HTTPS debugging, this article shows how to use Wireshark together with a virtual network interface to capture raw TCP/UDP packets.
1. Install Wireshark – Wireshark is a free, open‑source packet analyzer that can be downloaded from the official website. After installation, launch the application to see the list of local network interfaces.
Because the traffic between the iPhone and the IoT device does not pass through the PC’s Ethernet or Wi‑Fi adapters, a virtual interface must be created before capturing.
2. Create a virtual network interface
Step 1 – Get the iPhone UDID
$ system_profiler SPUSBDataType | grep "Serial Number:.*" | sed s#".*Serial Number: "##
The command returns a string such as decb66caf7012a7799c2c3edxxxxxxxx7f5a715e. The UDID can also be obtained from Xcode → Window → Devices and Simulators.
Step 2 – Create the virtual interface
$ ifconfig -l
Shows the existing interfaces (e.g., lo0 gif0 stf0 XHC20 en0 en1 …).
$ rvictl -s decb66caf7012a7799c2c3edxxxxxxxx7f5a715e
The command creates rvi0, a virtual interface that mirrors the iPhone’s traffic.
$ ifconfig -l
Now the list includes rvi0.
Step 3 – Start the virtual interface in Wireshark
Launch Wireshark again with elevated privileges so that rvi0 appears in the interface list:
$ sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
3. Capture TCP/UDP traffic
With rvi0 selected, Wireshark displays all packets exchanged between the iPhone and the IoT device. The main UI consists of a toolbar, a packet list, a packet detail pane, and a byte‑view pane.
The toolbar includes start/stop capture buttons and a display‑filter entry. The packet list shows columns such as No., Time, Source, Destination, Protocol, Length, and Info, which can be customized via the View menu.
4. Use capture and display filters
Capture filters limit what Wireshark records. Examples:
// Capture only HTTP/HTTPS traffic
port 80 or port 443
// Capture traffic to or from a specific host
host 192.168.10.1
Display filters hide irrelevant packets after capture. Examples:
// Show only TCP or UDP packets
tcp || udp
// Show only HTTP/HTTPS packets
tcp.port == 80 || tcp.port == 443
// Show packets to or from a specific IP
ip.addr == 192.168.10.1
// Show packets for a specific port
tcp.port == 52360 || udp.port == 36025
For more filter examples, refer to the official Wireshark documentation.
By following these steps, developers can reliably capture and analyze low‑level network traffic between iOS devices and peripheral hardware, which is essential for debugging IoT communication protocols.
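Steps 1 to 3 and the host capture filter from step 4 combined into one script, as an added example that is not part of the original article. The function names are hypothetical; the script reads the serial number listed under the iPhone entry only (the grep in step 1 prints the serial of every attached USB device), and it assumes that a 24-character serial is a newer-style UDID that needs a hyphen after the eighth character.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of any Apple tool.

# Read `system_profiler SPUSBDataType` output on stdin and print the UDID of
# the first "iPhone:" entry, skipping serial numbers of other USB devices.
iphone_udid() {
  awk '
    /^ *[^ ].*:$/ { in_phone = ($0 ~ /^ *iPhone:$/) }  # device section header
    in_phone && /Serial Number:/ {
      sub(/.*Serial Number: */, ""); sub(/ *$/, ""); s = $0
      # Assumption: a 24-character serial is a UDID written as 8-16.
      if (length(s) == 24) s = substr(s, 1, 8) "-" substr(s, 9)
      print s; exit
    }'
}

# Print the interfaces found in list $2 but not in list $1 (`ifconfig -l`).
new_ifaces() {
  for i in $2; do
    case " $1 " in *" $i "*) ;; *) printf '%s\n' "$i" ;; esac
  done
}

# Start the virtual interface, open Wireshark on it, remove it on exit.
capture() {
  filter=${1:-"host 192.168.10.1"}   # capture filter from section 4
  udid=$(system_profiler SPUSBDataType | iphone_udid)
  [ -n "$udid" ] || { echo "no iPhone found on USB" >&2; return 1; }
  before=$(ifconfig -l)
  rvictl -s "$udid" >/dev/null || return 1
  trap 'rvictl -x "$udid" >/dev/null' EXIT   # -x stops the interface again
  iface=$(new_ifaces "$before" "$(ifconfig -l)" | grep '^rvi' | head -n 1)
  [ -n "$iface" ] || { echo "no new rvi interface (already started?)" >&2; return 1; }
  # -i selects the interface, -k starts capturing at once, -f sets the filter.
  sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark -i "$iface" -k -f "$filter"
}

# Only touch the device when asked to: sh capture.sh run ["capture filter"]
if [ "${1:-}" = "run" ]; then capture "${2:-}"; fi
```

Stopping the interface with rvictl -x when the script exits keeps the phone's traffic from staying mirrored to the Mac after the debugging session.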
360 Tech Engineering
