iOS Packet Capture

HTTPS Packet Capture Process: Proxy Capture, Direct Device Connection via Cable, and TCP Data Analysis

This article details HTTPS packet capture: proxy, direct cable, and TCP analysis, explaining steps to get HTTPS data in different scenarios for clear methods.

In interface debugging, you may encounter the following issue:

  • The login interface in the app returns an exception
  • The server logs show no obvious errors
  • The client logs are incomplete, making it difficult to identify the problem

In such cases, one approach is to capture HTTPS requests to inspect the data.

However, another problem often arises:

  1. HTTPS from browsers can be captured normally
  2. HTTPS requests from the app fail directly

The issue lies in whether the packet capture direction is correct.

1. First, Use Proxy Capture to Verify the HTTPS Environment

The first step is to use a proxy capture tool, such as:

  • Charles
  • Proxyman
  • SniffMaster

The goal is to confirm whether HTTPS can be decrypted.

Set Up the Proxy Environment

Steps:

  1. Start SniffMaster
  2. Check the listening port, e.g., 8888
  3. Connect the iPhone and computer to the same Wi-Fi network
  4. Configure the proxy address and port in the iPhone’s Wi-Fi settings

After saving, return to the home screen.
Port

Install the HTTPS Certificate

On the iPhone, perform the following steps:

  1. Use Safari to open the certificate address provided by the proxy tool
  2. Download the profile file
  3. Install the certificate
  4. Enable certificate trust in the system settings

Once completed, the proxy tool can decrypt HTTPS.
Install Certificate

Verify Successful HTTPS Capture

Open Safari and visit an HTTPS website.

If SniffMaster displays:

  • Request URL
  • Headers
  • Response content

It indicates that the HTTPS capture environment is established.
Proxy Capture

2. Capture App HTTPS Requests

In the same proxy environment, open the target app.

Trigger login or data loading operations.

Observe SniffMaster:

  • If request records appear → you can view the complete HTTPS data
  • If no requests are recorded → further troubleshooting is needed

3. Common Symptoms of HTTPS Capture Failure

In this case, the following occurred:

  • Safari requests could be captured
  • App requests had no records at all

This indicates:

  • The proxy is functioning normally
  • The app’s network requests are not using the system proxy

4. Switch HTTPS Capture Modes

When the proxy cannot capture HTTPS requests, switch to a different capture method.

Here, use SniffMaster’s HTTPS brute-force capture.

This method does not rely on proxy certificates.

Use SniffMaster to Capture HTTPS

Steps:

  1. Connect the iPhone to the computer via USB
  2. Keep the device unlocked
  3. Tap “Trust This Computer” on the phone
  4. Start SniffMaster
  5. Select the iPhone from the device list
  6. Follow prompts to install iOS drivers
  7. Install the profile file
  8. Enter HTTPS Brute-Force Capture Mode
  9. Click Start

Then trigger app requests on the phone.
Enter Brute-Force Capture

Observe Capture Results

In SniffMaster, you can see:

  • Request domain
  • Request path
  • Request headers
  • Response data

Even if the app does not use the proxy, HTTPS requests are still visible.
Brute-Force Capture

5. When HTTPS Data Is Incomplete

During capture, you might encounter:

  • URL visible
  • Headers visible
  • Request body empty

This indicates:

  • HTTPS has been captured
  • But the app is not signed with a development certificate

Solution:

  1. Obtain the app’s IPA file
  2. Re-sign it using an iOS development certificate
  3. Reinstall the app
  4. Capture again

After completion, the request body and response body will display normally.

6. Aspects of HTTPS Capture Unrelated to Ports

During capture, you may observe:

api.example.com:443
api.example.com:8443

Whether it’s port 443 or a custom port:

  • As long as the TLS handshake succeeds
  • The capture tool can parse HTTPS

Ports do not affect decryption capability.

7. Limitations of Modifying HTTPS Requests

If you need to modify request parameters, such as:

  • Rewriting interface data
  • Simulating different return results

You must use a proxy capture tool.

In Charles or Proxyman, you can:

  • Use Rewrite
  • Use Breakpoints

SniffMaster also supports interceptors, but only available in HTTPS proxy mode.

Device-level capture modes do not modify data.
Interceptor

8. Analyze HTTPS Issues with TCP Layer Analysis

If HTTPS requests experience:

  • Timeouts
  • Connection drops

You can export the data to Wireshark.

In Wireshark, you can view:

  • TCP connection establishment process
  • Data retransmissions
  • Reasons for connection closure

This layer does not involve certificate issues.

In practical debugging, follow this sequence:

  1. Use proxy capture to verify HTTPS
  2. If the proxy cannot capture app requests, switch to device-level capture
  3. If data is incomplete, handle signature issues
  4. If connection issues are involved, analyze TCP data

Reference link: https://www.sniffmaster.net/tutorial/zh/1/1.html

Previous Article
Charles and Fiddler: Why Can't I Capture Packets Even After Installing Certificates?
Next Article
How to Find Target Requests When iOS Packet Capture Has Too Much Traffic?

Related Articles

packet capture

Engineering Troubleshooting and Tool Combination for App HTTPS Packet Capture

This article targets developers and operations, systematically introducing the engineering process of app HTTPS packet capture: TCP→TLS→HTTP three-layer troubleshooting, responsibilities of proxy and low-level packet capture tools, common challenges like pinning/HTTP3, and explains how to use Sniffmaster to filter by App/domain and export pcap, perform interception and script modification to complete packet capture analysis (used compliantly).

iOS Packet Capture

Charles and Fiddler: Why Can't I Capture Packets Even After Installing Certificates?

Why can't I capture packets even after installing certificates? Explains proxy routing, certificate trust, and packet capture levels, offering solutions for different scenarios with Charles, Proxyman, and SniffMaster.

iOS Packet Capture

How to Find Target Requests When iOS Packet Capture Has Too Much Traffic?

When packet capture has excessive traffic, making it hard to locate requests, this debugging guide explains how to use Charles, Proxyman, and SniffMaster for data filtering, including clearing records, filtering by domain, keyword screening, and precise filtering by app, helping developers quickly find target requests in complex network traffic.