Anyone have a suggestion on how to quickly identify iPhones or iPads? I have an appliance attached to a mirrored port so it sees all the traffic, including from the Wifi network. Is there a filter or something to quickly show these kinds of devices?
asked 22 Mar '11, 20:17 gunnahafta
4 Answers:
You might want to filter on the User-Agent string, I just captured traffic from my iPhone and it gives the following User-Agent string:
So I guess the following filter might give you what you need:
(I don't have an iPad yet, so I guessed the iPad part)
answered 23 Mar '11, 15:19 SYN-bit ♦♦
You can try to spot those by MAC address vendor. The first 3 bytes of each 6 byte MAC address are vendor specific, and I'd assume that Apple has their devices registered to an Apple MAC (not entirely sure though, I have no iPhone/iPad to test this atm). If you enable Name Resolution for the MAC Layer, Wireshark will replace the first 3 bytes with the Vendor name taken from the file "manuf" in the Wireshark installation directory. Maybe that is enough to spot those devices.
answered 23 Mar '11, 02:37 Jasper ♦♦
You might also take a look at "Well known TCP and UDP ports used by Apple software products" - you might be able to catch a few by capturing Apple-specific protocol ports.
answered 23 Mar '11, 19:22 wesmorgan1
To gunnahafta: Can you tell me how you capture HTTP packets via your iPhone?
answered 25 Mar '11, 10:28 A B

I don't think he's doing it via the iPhone itself, he captures on a mirror port of a cabled device (25 Mar '11, 16:26) Jasper ♦♦
iPad User-Agent is (according to online sources):
Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10
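
The two passive checks suggested in the answers above (the MAC vendor prefix, as resolved from Wireshark's "manuf" file, and the device token in the User-Agent), combined in an added example that is not code from any of the posters. The manuf excerpt is a constructed sample in that file's tab-separated layout, the function names are illustrative, and the `(iPhone;` token is assumed by analogy with the iPad string quoted above.

```python
import re

# Constructed excerpt in the tab-separated layout of Wireshark's "manuf" file.
# For real lookups, read the file from your Wireshark installation instead.
MANUF_SAMPLE = """\
# constructed sample
00:00:0C\tCisco\tCisco Systems, Inc
00:17:F2\tApple\tApple, Inc.
"""

MAC_RE = re.compile(r"([0-9A-F]{2}[:-]){5}[0-9A-F]{2}")
# Device token at the start of the User-Agent comment, e.g. "(iPad; U; ...".
UA_DEVICE = re.compile(r"\((iPhone|iPad);")


def load_manuf(text):
    """Map 24-bit OUI prefixes (AA:BB:CC) to the short vendor name."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        prefix = fields[0].upper()
        # Only plain 3-byte prefixes; longer masked blocks are skipped here.
        if len(fields) >= 2 and len(prefix) == 8:
            table[prefix] = fields[1]
    return table


def vendor_of(mac, table):
    """Return the vendor for a MAC, or None if unknown or not vendor-assigned."""
    mac = mac.strip().upper()
    if not MAC_RE.fullmatch(mac):
        return None
    octets = re.split(r"[:-]", mac)
    # Locally administered bit set: the first 3 bytes are not a vendor OUI.
    if int(octets[0], 16) & 0x02:
        return None
    return table.get(":".join(octets[:3]))


def classify(mac, user_agent, table):
    """Return (vendor, device); device is 'iPhone', 'iPad' or None."""
    m = UA_DEVICE.search(user_agent or "")
    return vendor_of(mac, table), (m.group(1) if m else None)
```
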