Using the TCPDump Adapter from MyPeek, one of our SEs at WildPackets was able to connect to his iPhone as a remote adapter from OmniPeek, and stream packets from his iPhone directly into a real-time OmniPeek capture window.
Although this is not a recommended practice and certainly not supported by WildPackets, because it requires jailbreaking the iPhone, which can void the warranty, it does provide yet another powerful example of the visibility and reach that OmniPeek can have into your network through the extensibility of OmniPeek and the many remote adapter plug-ins available on the MyPeek website.
In this case, it was the almighty TCPDump Adapter that made this hack possible, along with the fact that all of the programs required for the TCPDump Adapter to work are already available (and free) for the iPhone. The TCPDump Adapter for OmniPeek works by opening an ssh connection to a remote host (here, the iPhone), running tcpdump there, and streaming the captured packets back to OmniPeek. In general, this turns every Linux box on your network, and on the internet for that matter, that runs tcpdump and an ssh server into a remote probe, giving you unprecedented visibility.
So, how did he do it? The main trick here, and the deterrent for most folks, is jailbreaking the iPhone. There are lots of sites already out there that provide guides and software to do this, so we will not go over that here. Beware though, many of these sites are blacklisted, and if allowed will download viruses and/or malware to your computer. I know a little bit about this because I was thinking about hacking my own iPhone, but chickened out after doing a little research and coming across many sites that my web browser said had been blacklisted.
Having said that, a lot of people have hacked their iPhones, and at some point, when I understand enough about it, I probably will too. So let’s say you have successfully performed the jailbreak on your iPhone, or are going to do so. Once this is done, you will need to set a root password on the iPhone, configure ssh, and install tcpdump. That’s it for the iPhone, but then again, these things may be easier said than done.
On the OmniPeek side, it is very easy. Just install the TCPDump Adapter, create a capture, and in the Adapters tab of the Capture Options dialog, create a new entry in the Remote TCPDump Adapter group, specifying the IP address of the iPhone. Once you hit OK on this new entry, you should see the list of interfaces for the iPhone. Per our crafty SE, you should choose the en0 interface, right-click on it to bring up the Interface Properties dialog, and enable the option “Limit each packet to 1500 bytes”. This is illustrated in the screenshot below:
Next, select the en0 entry as the adapter, and hit Start Capture. Below is a screenshot showing pings being sent to the iPhone, captured on the iPhone by tcpdump, sent back to OmniPeek, analyzed and displayed:
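To make the mechanism behind the adapter concrete, here is an added example (written for this post, not code from WildPackets, MyPeek or the TCPDump Adapter itself) that does in plain Python what the plug-in does: it runs tcpdump over ssh on a remote host with the record size capped at 1500 bytes (the “Limit each packet to 1500 bytes” setting above) and parses the resulting pcap stream packet by packet. The host name, the root user, the en0 interface and the sample capture bytes are assumptions constructed for illustration; the parser rejects any record that claims more bytes than the snaplen allows, which is the check a consumer of a remote stream should make.

```python
# Added example: stream a remote tcpdump capture over ssh and parse the pcap bytes.
import io
import struct
import subprocess
import sys
from typing import BinaryIO, Iterator, List, NamedTuple, Tuple

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
MAGIC_USEC = 0xA1B2C3D4          # classic pcap magic, microsecond timestamps
MAGIC_USEC_SWAPPED = 0xD4C3B2A1  # same magic written by a big-endian host


class Packet(NamedTuple):
    ts_sec: int
    ts_usec: int
    caplen: int   # bytes actually stored, capped by snaplen
    wirelen: int  # bytes seen on the wire
    data: bytes

    @property
    def truncated(self) -> bool:
        # True when the snaplen cut the frame short.
        return self.caplen < self.wirelen


def tcpdump_command(interface: str = "en0", snaplen: int = 1500) -> List[str]:
    # -s caps each record at snaplen bytes, -U flushes after every packet so the
    # stream is live, -w - writes pcap to stdout where ssh picks it up.
    return ["tcpdump", "-i", interface, "-s", str(snaplen), "-U", "-w", "-"]


def remote_capture_command(host: str, user: str = "root",
                           interface: str = "en0", snaplen: int = 1500) -> List[str]:
    # ssh runs the remote command; its stdout becomes our pcap stream.
    return ["ssh", f"{user}@{host}", " ".join(tcpdump_command(interface, snaplen))]


def _read_exact(stream: BinaryIO, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def read_global_header(stream: BinaryIO) -> Tuple[str, int, int]:
    """Return (struct endianness prefix, snaplen, linktype) from the 24-byte header."""
    hdr = _read_exact(stream, GLOBAL_HEADER_LEN)
    if len(hdr) != GLOBAL_HEADER_LEN:
        raise ValueError("short pcap global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic == MAGIC_USEC:
        endian = "<"
    elif magic == MAGIC_USEC_SWAPPED:
        endian = ">"
    else:
        raise ValueError(f"not a pcap stream (magic {magic:#010x})")
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:])
    return endian, snaplen, linktype


def _iter_records(stream: BinaryIO, endian: str, snaplen: int) -> Iterator[Packet]:
    while True:
        rec = _read_exact(stream, RECORD_HEADER_LEN)
        if not rec:
            return  # clean EOF on a record boundary
        if len(rec) != RECORD_HEADER_LEN:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, caplen, wirelen = struct.unpack(endian + "IIII", rec)
        if caplen > snaplen or caplen > wirelen:
            # A record claiming more bytes than snaplen permits is corrupt; never trust it.
            raise ValueError(f"caplen {caplen} exceeds snaplen {snaplen} or wirelen {wirelen}")
        data = _read_exact(stream, caplen)
        if len(data) != caplen:
            raise ValueError("truncated packet data")
        yield Packet(ts_sec, ts_usec, caplen, wirelen, data)


def iter_pcap_packets(stream: BinaryIO) -> Iterator[Packet]:
    endian, snaplen, _linktype = read_global_header(stream)
    yield from _iter_records(stream, endian, snaplen)


def parse_pcap(blob: bytes) -> Tuple[int, List[Packet]]:
    stream = io.BytesIO(blob)
    endian, snaplen, _linktype = read_global_header(stream)
    return snaplen, list(_iter_records(stream, endian, snaplen))


def stream_remote_capture(host: str, **kw) -> Iterator[Packet]:
    """Run tcpdump over ssh and yield packets as they arrive."""
    proc = subprocess.Popen(remote_capture_command(host, **kw), stdout=subprocess.PIPE)
    try:
        yield from iter_pcap_packets(proc.stdout)
    finally:
        proc.kill()


def build_sample_pcap(snaplen: int = 1500) -> bytes:
    """Constructed capture: a full 60-byte frame, then a 2000-byte frame cut to snaplen."""
    hdr = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    rec1 = struct.pack("<IIII", 1230768000, 0, 60, 60) + b"\x00" * 60
    rec2 = struct.pack("<IIII", 1230768000, 500, snaplen, 2000) + b"\xff" * snaplen
    return hdr + rec1 + rec2


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: remote_capture.py <iphone-ip>")
    for pkt in stream_remote_capture(sys.argv[1]):
        flag = " (truncated)" if pkt.truncated else ""
        print(f"{pkt.ts_sec}.{pkt.ts_usec:06d} caplen={pkt.caplen} wirelen={pkt.wirelen}{flag}")
```

Run it as `python remote_capture.py <iphone-ip>` with key-based ssh access already set up for the root account; each line printed corresponds to one packet OmniPeek would display, and the `truncated` flag shows which frames the 1500-byte limit clipped.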
And there you have it, our first cool IT hack for ’09. So what’s next? I think there might be a way to capture Bluetooth packets in OmniPeek. Not sure, but I am going to look into it.