Network issues in mobile applications — such as connection drops, TLS handshake failures, and DNS resolution failures — are difficult to diagnose with HTTP proxy tools alone. Packet capture lets you inspect traffic at the network layer, giving you a complete view of what is actually sent and received between the client and server.
Disclaimer: This document may contain information about third-party products. This information is for reference only. Alibaba Cloud does not make any representations or warranties, express or implied, regarding the performance or reliability of third-party products, or potential impacts of their operation.
Why packet capture
Network issues are a common source of unexpected behavior in mobile applications. Capturing packet data lets you diagnose network-layer problems such as connection drops, Transport Layer Security (TLS) handshake failures, and Domain Name System (DNS) resolution failures.
Unlike HTTP proxy tools such as Charles or Fiddler that use a man-in-the-middle approach, Transmission Control Protocol (TCP) packet capture is non-intrusive. It listens on a network interface controller (NIC) and directly mirrors TCP messages without modifying traffic.
Capture points vary by scenario. In a typical setup, you can capture at three points: on the client (A), on an intermediate device (B), or on the server (C), as shown in the following figure.

TCP packet capture tools
HTTP proxy tools such as Charles and Fiddler work well for HTTP-layer problems. For issues at the TCP/IP layer — such as Secure Sockets Layer (SSL) handshake failures, connection drops, and retransmissions — use a network-layer packet capture tool instead.
Three commonly used tools are:
Wireshark — GUI-based; available for macOS and Windows
Network Monitor — GUI-based; Windows only
TCPDUMP — command-line; runs on most platforms including Linux servers and Android devices
Use common packet capture tools
Wireshark
- Download and install Wireshark.
Download the installation package from the official Wireshark website. After installation, the main interface lists all available network interfaces. The interface may differ slightly between macOS and Windows versions.

- Start packet capture.
On the Wireshark main interface, the available network interfaces are listed. Double-click the Wi-Fi: en0 interface to start capturing packets on that NIC.
- Stop packet capture and save the file.
Click the red stop button in the menu bar (keyboard shortcut: CMD+E) to stop the capture. Click the save button (keyboard shortcut: CMD+S) to save the captured packets.

TCPDUMP
TCPDUMP is a lightweight command-line packet capture tool. Compared to Wireshark, it has a steeper learning curve, but runs on a wider range of platforms and environments — making it the practical choice for capturing packets directly on a client device or server.
Basic usage
Available parameters vary by environment. Run man tcpdump to see supported parameters for your current environment.
A common command to capture complete messages and save them to a file:
tcpdump -s 0 -w myCapture.pcap
For the full parameter reference, see the TCPDUMP man page.
Capture packets on a mobile device
At the client, packets can be captured at:
Client egress
Network endpoint ingress
The sections below cover how to capture packets at Point A (client egress) for iOS and Android, and at Point B (intermediate device).
iOS platform
Capturing at the egress of an iOS client requires a MacBook. The process creates a virtual NIC mapping of the iOS device on the Mac. Wireshark then uses this virtual NIC to capture the device's network traffic.
- Get the Unique Device Identifier (UID) of the iPhone. Connect the iOS device to the Mac with a USB cable, then run the following command in the terminal:
$ system_profiler SPUSBDataType
Alternatively, open Xcode > Window > Devices and Simulators to find the UID (Identifier).

- Create a virtual NIC mapping.
$ rvictl -s <Your Device UUID>
Starting device <Your Device UUID> [SUCCEEDED] with interface rvi0
Here, rvi0 is the name of the virtual NIC.
- Start packet capture. Open Wireshark. The rvi0 interface appears in the list of local interfaces. Double-click rvi0 to open the capture interface. Capture starts automatically.
- Stop packet capture and save the file. After reproducing the problem, click the stop button in the menu bar (keyboard shortcut: CMD+E), then save the captured packets (keyboard shortcut: CMD+S).

Android platform
Capturing at the egress of an Android client requires root access on the device. Use Android Debug Bridge (ADB) to run tcpdump on the device and save packets to a file.
- Download TCPDump for Android.
- Install TCPDUMP on the device and grant it execute permissions:
adb push tcpdump /data/local/tcpdump
adb shell chmod 6755 /data/local/tcpdump
- Start TCPDUMP:
cd /data/local
./tcpdump -i any -p -s 0 -w /sdcard/myCapture.pcap
For the full parameter reference, see the TCPDUMP man page.
- Stop the capture and retrieve the file. After reproducing the problem, press Ctrl+C to stop the capture. Then pull the file to your local machine:
adb pull /sdcard/myCapture.pcap
Capture packets on an intermediate device
Capturing at an intermediate device (Point B) intercepts traffic between the mobile client and the network. This approach uses a Mac or PC as a wireless hotspot that the mobile device connects to, with Wireshark monitoring that connection.
TCP packet capture for a client is possible at two points:
Client egress
Network Access Point
Setup requirements: The capture machine must have two NICs — one to broadcast a wireless hotspot for the mobile device, and one to connect to the standard network.
Configure the network topology. Set up the capture machine so that one NIC broadcasts a wireless hotspot. Connect the mobile device to that hotspot over Wi-Fi. The other NIC connects the capture machine to the standard network.

Start packet capture. Open Wireshark, find the NIC broadcasting the wireless hotspot (NIC 1 in the diagram), and double-click it to start capturing.
Stop packet capture. After reproducing the problem, click the stop button in the menu bar (keyboard shortcut: CMD+E), then save the captured packets (keyboard shortcut: CMD+S).
Many intermediate device configurations are possible. This is just one example. In practice, use whatever tools are available on your device to achieve the same result. Capture at the earliest possible point in the network path to minimize interference from intermediate processes.
Capture packets on the server
Some problems only manifest at the network path between the client and server, and require a server-side capture to diagnose. The following example uses TCPDUMP.
- Install TCPDUMP.
  - On CentOS:
yum install tcpdump
  - On Debian and Ubuntu:
apt-get install tcpdump
For more information, see the official TCPDUMP website.
- Start packet capture. TCPDUMP supports many parameters; configure them for your specific scenario. For example:
tcpdump -s 0 -w myCapture.pcap
For the full parameter reference, see the official TCPDUMP documentation.
- Stop packet capture. After reproducing the problem, press Ctrl+C to stop the capture and save the captured packets to a suitable location.
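A saved myCapture.pcap can be given a first-pass check for the problems this page names (connection drops, TLS handshake failures) before it is opened in Wireshark. The following Python sketch is an added example, not part of the original document: the function name triage_pcap, the helper _pkt and the SAMPLE capture are constructed for illustration, and it assumes a classic pcap file with Ethernet or Linux cooked (tcpdump -i any) framing and IPv4 traffic.

```python
import struct

LINK_HDR = {1: 14, 113: 16}  # Ethernet; Linux cooked capture (tcpdump -i any)
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap

def triage_pcap(data):
    """Count TCP SYN/RST segments and plaintext TLS alerts in a pcap file."""
    end = MAGIC.get(data[:4])
    if end is None:
        raise ValueError("not a classic microsecond pcap (pcapng not handled)")
    hl = LINK_HDR.get(struct.unpack(end + "I", data[20:24])[0])
    if hl is None:
        raise ValueError("unsupported link-layer type")
    stats = {"packets": 0, "syn": 0, "rst": 0, "tls_alert": 0}
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        stats["packets"] += 1
        if len(frame) < hl + 20 or frame[hl - 2:hl] != b"\x08\x00":
            continue  # only IPv4 is decoded in this sketch
        ip = frame[hl:]
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0] or None]
        if ip[9] != 6 or len(tcp) < 20:
            continue  # not TCP, or truncated by a short snaplen
        flags, payload = tcp[13], tcp[(tcp[12] >> 4) * 4:]
        if flags & 0x02 and not flags & 0x10:
            stats["syn"] += 1  # new connection attempt; repeats hint at drops
        if flags & 0x04:
            stats["rst"] += 1  # connection reset by one side
        # Heuristic: record at segment start, type 21 (alert), major version 3
        if len(payload) >= 2 and payload[0] == 21 and payload[1] == 3:
            stats["tls_alert"] += 1
    return stats

def _pkt(flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame with documentation addresses."""
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, 0x50, flags, 65535, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture: SYN, repeated SYN, fatal handshake_failure alert, RST
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _pkt(0x02) + _pkt(0x02)
          + _pkt(0x18, b"\x15\x03\x03\x00\x02\x02\x28") + _pkt(0x14))
```

To check a real capture, pass the file contents, for example triage_pcap(open("myCapture.pcap", "rb").read()). Only alerts sent before encryption starts are visible this way; alerts inside an established TLS session appear as ordinary encrypted records.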




