Taken directly from: https://developer.apple.com/library/mac/qa/qa1176/_index.html#//apple_ref/doc/uid/DTS10001707-CH1-SECRVI
iOS 5 added a remote virtual interface (RVI) facility that lets you use OS X packet trace programs to capture traces from an iOS device. The basic strategy is:
- Connect your iOS device to your Mac via USB.
- Set up an RVI for that device. This creates a virtual network interface on your Mac that represents the iOS device's networking stack.
- Run your OS X packet trace program, and point it at the RVI created in the previous step.
- To set up an RVI, you should run the rvictl tool as shown below.
$ # First get the current list of interfaces.
$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0
$ # Then run the tool with the UDID of the device.
$ rvictl -s 74bd53c647548234ddcef0ee3abee616005051ed
Starting device 74bd53c647548234ddcef0ee3abee616005051ed [SUCCEEDED]
$ # Get the list of interfaces again, and you can see the new virtual
$ # network interface, rvi0, added by the previous command.
$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0 rvi0
Now that you know the name of the RVI, you can point your packet trace tool at it. For example, here's how you might run tcpdump to take a packet trace from the RVI and write it to the file trace.pcap.
$ sudo tcpdump -i rvi0 -w trace.pcap
tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
(BIOCPROMISC: Operation not supported on socket)
tcpdump: WARNING: rvi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rvi0, link-type RAW (Raw IP), capture size 65535 bytes
When you're done you can remove the RVI with the following command.
$ rvictl -x 74bd53c647548234ddcef0ee3abee616005051ed
Stopping device 74bd53c647548234ddcef0ee3abee616005051ed [SUCCEEDED]