added howto

README.md

@@ -1,4 +1,57 @@
-# iOS_wireshark
+# Capturing packets from iOS 
 
-Capturing TCP/IP packets from iOS devices
+Using a Mac with Xcode for non jail broken devices
-
+
+### Prerequisites
+#### Capturing
+iDevice, Mac with Xcode and tcpdump installed.
+#### Analysing
+[Wireshark](https://www.wireshark.org/) (Multiplatform)
+
+### Get UDID
+
+* connect iDevice to a MAC
+* get your iDevice UDID in Terminal type:
+
+    
+    system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p' -e '/iPhone/,/Serial/p' | grep "Serial Number:" | awk -F ": " '{print $2}'
+      
+[src](https://gist.github.com/emilstahl/00cc0c87bff5674e26ed) ), or if you have Xcode installed [src](https://stackoverflow.com/questions/17237354/how-can-i-find-the-device-uuids-of-all-connected-devices-through-a-command-line):
+      
+    instruments -s devices
+
+
+example UDID string would be: 1e3b5cbfb5614ab31731a7afeade0e6a1f18d021
+
+### Create Virtual Network Interface
+
+Use the found UDID to create a new virtual network interface based on you iDevice:
+
+    rvictl -s 1e3b5cbfb5614ab31731a7afeade0e6a1f18d021
+
+To see the new interface:
+
+    ifconfig -l
+    
+It will be listed as 'rvi0'
+
+### Record Packets
+
+Record/sniff/dump the packets send to and from your iDevice with tcpdump (...) into file .output.pcap
+
+    sudo tcpdump -i rvi0 -w ./output.pcap
+
+Stop the capturing with CTRL+C
+
+### Clean up
+Stop and remove the virtual interface with:
+
+    rvictl -x 1e3b5cbfb5614ab31731a7afeade0e6a1f18d021
+      
+### Wireshark
+
+Open the output.pcap in [Wireshark](https://www.wireshark.org/) on the operating system of choice for your listening pleasure.
+
+### References
+
+https://osqa-ask.wireshark.org/questions/17559/packet-capturing-application-for-the-iphone