ios: how to capture packets on vpn/tun interface ?

Question

Created May ’21

Replies 3

Boosts 0

Views 1.5k

Participants 2

Hi,

I use rvictl, but that seems to capture only on PHYSICAL interfaces. I am using a vpn client and I want to capture packets on the virtual tun interface that directs packets to the vpn app. Is there any way to do that ? Something equivalent of tcpdump -i utun2 on macos for example

Rgds,
Gopa.

Boost

Answer 1

Systems Engineer OP

Apple

May ’21

Is there any way to do that ? Something equivalent of tcpdump -i utun2 on macos for example

The short answer is no. However, there is some extra details you can get while taking a packet capture on iOS about the interface metadata. For the details on this, check out this article here.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0

Answer 2

gopace OP

May ’21

@matt Thx for the reply. I am aware of the metadata that can be seen in wireshark .. The ONLY INTERFACE in all of the metadata in wireshark is interface en0 (on my ipad), occassionaly there are some broadcasts and multicasts on some "en2" interface which I dont know what it is, but there is no metadata that points to any "tunnel" interface - so THAT was the question - it looks like rvictl captures everything on "physical" interfaces (like en0) only ??

0

Answer 3

Systems Engineer OP

Apple

May ’21

Okay, another option would be to look at what physical interface is active during your capture. If you are able to limit the device to one interface and that interface aligns with a route that you are claiming for packet tunnel, does this give you any more insight in your metadata tcpdump if you run a capture for rvi0? If this does not then I would open an enhancement request for such a mechanism to run a packet trace on the virtual interface for a packet tunnel.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0