iOS Packet Capture

Complete Guide to Packet Capture on iPhone: Stable and Comprehensive Tutorial

This article details the complete process of packet capture on iPhone, including using Charles and Proxyman for proxy-based capture, and SniffMaster for low-level HTTPS capture. It also explains how to filter app traffic, handle incomplete data, and choose the appropriate capture method in different scenarios, helping developers establish stable and executable iPhone packet capture methods.

When capturing packets on an iPhone for the first time, it’s common to encounter situations where the tool is open, the certificate is installed, the app is making network requests, but no data appears in the capture interface.

This issue is not rare and can have multiple causes. Below, we’ll walk through an operational process step by step to set up the capture environment and explain what results to expect at each stage.

First, Verify the Capture Environment with a Browser

Before directly capturing app traffic on an iPhone, you can first verify the environment using a browser.

Tools required:

  • Mac or Windows computer
  • Charles, SniffMaster, or Proxyman

Configure the Proxy

Start Charles or SniffMaster on your computer, then proceed as follows:

  1. Check the proxy port (e.g., 8888)
  2. Confirm the computer’s IP address
  3. Connect the iPhone to the same Wi-Fi network
  4. Open iPhone Settings → Wi-Fi
  5. Tap on the current network
  6. Under HTTP Proxy, select “Manual”
  7. Enter the IP address and port

Save and return to the home screen.
Port

Install the HTTPS Certificate

On the iPhone:

  1. Use Safari to open the certificate download URL
  2. Download the profile
  3. Install the certificate
  4. Enable trust in “Certificate Trust Settings”

Certificate

Verify the Results

Open Safari and visit an HTTPS website.

Observe Charles or SniffMaster:

  • Request records should appear
  • You can view response content

This indicates that the proxy and certificate are working.

Start Capturing App Requests

In the same environment, open the target app.

Trigger an action, such as:

  • Logging in
  • Fetching data

Then observe the capture tool.

Two Possible Scenarios

Scenario 1: Requests Are Visible

Explanation:

  • The app uses the system proxy
  • You can directly analyze the requests

At this point, you can view:

  • Request parameters
  • Headers
  • Response data

Scenario 2: No Requests Appear

This indicates that the app does not use the system proxy.

In this case, switch to a different capture method.

Switch to Direct Device-Level Packet Capture

When proxy-based capture fails to capture data, you can use a low-level device capture tool, such as SniffMaster.

This method does not rely on Wi-Fi proxy.

Using SniffMaster for Capture

Steps:

  1. Connect the iPhone to the computer via USB
  2. Keep the device unlocked
  3. Tap “Trust This Computer” on the iPhone
  4. Launch SniffMaster
  5. Select the iPhone from the device list
  6. Install the profile as prompted
  7. Enter HTTPS Brute Force Capture Mode
  8. Click Start

Then trigger requests on the iPhone.
Brute Force Capture

Observe the Results

In the capture interface, you can see:

  • Request domains
  • Request paths
  • Header information

If app requests exist, data will definitely appear here.

Capture Traffic for a Specific App Only

Device-level capture includes system traffic, such as:

  • DNS
  • Apple services

To reduce interference, you can filter by app.

Steps:

  1. Click Select App
  2. Check the target application
  3. Trigger requests again

The capture list will only display data from that app.
Select App

When HTTPS Data Is Incomplete

If in the capture results:

  • URLs are visible
  • But the body is empty

Explanation:

  • HTTPS has been captured
  • But the app is not signed with a development certificate

Handling method:

  1. Obtain the app’s IPA file
  2. Re-sign it with a development certificate
  3. Reinstall the app
  4. Capture packets again

After completion, you can see complete requests and responses.

How to Modify Requests

If during debugging you need to:

  • Modify request parameters
  • Simulate interface returns

Use a proxy-based capture tool.

For example, in Charles or Proxyman:

  • Enable Breakpoints
  • Modify request content
  • Then send the request

About Interceptors

SniffMaster also supports interceptors, but note that interceptor functionality is only available in proxy mode

Device-level capture mode does not modify data.
Interceptor

Analyze Network Connection Issues

If the issue is not about data content but connection problems, such as:

  • Request timeouts
  • Occasional interface failures

You can use stream capture and export to Wireshark.
Stream Capture

In Wireshark, you can view:

  • TCP connection establishment process
  • Data retransmissions
  • Reasons for connection disconnections

When capturing packets on an iPhone, follow this approach:

  1. Use Safari to verify the proxy and certificate
  2. Attempt proxy-based capture
  3. If capture fails, switch to low-level device capture
  4. If data is incomplete, handle signature issues
  5. If you need to modify requests, use proxy mode
Previous Article
How to Find Target Requests When iOS Packet Capture Has Too Much Traffic?
Next Article
iOS Packet Capture Without Jailbreak: Two Implementation Methods via Proxy and Direct USB Connection

Related Articles

packet capture

Engineering Troubleshooting and Tool Combination for App HTTPS Packet Capture

This article targets developers and operations, systematically introducing the engineering process of app HTTPS packet capture: TCP→TLS→HTTP three-layer troubleshooting, responsibilities of proxy and low-level packet capture tools, common challenges like pinning/HTTP3, and explains how to use Sniffmaster to filter by App/domain and export pcap, perform interception and script modification to complete packet capture analysis (used compliantly).

iOS Packet Capture

HTTPS Packet Capture Process: Proxy Capture, Direct Device Connection via Cable, and TCP Data Analysis

This article details HTTPS packet capture: proxy, direct cable, and TCP analysis, explaining steps to get HTTPS data in different scenarios for clear methods.

iOS Packet Capture

Charles and Fiddler: Why Can't I Capture Packets Even After Installing Certificates?

Why can't I capture packets even after installing certificates? Explains proxy routing, certificate trust, and packet capture levels, offering solutions for different scenarios with Charles, Proxyman, and SniffMaster.