This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Find IPhones and IPads

0

Anyone have an suggestion on how to quickly identify IPhones or IPads? I have an applaince attached to a mirrored port so it sees all the traffic, including frmo the Wifi network. Is there a filter or something to quickly show these kind of devices?

asked 22 Mar '11, 20:17

gunnahafta's gravatar image

gunnahafta
1111
accept rate: 0%


4 Answers:

2

You might want to filter on the User-Agent string, I just captured traffic from my iPhone and it gives the following User-Agent string:

User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X; en-us) 
   AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5

So I guess the following filter might give you what you need:

http.user_agent contains "iPhone" or http.user_agent contains "iPad"

(I don't have an iPad yet, so I guessed the iPad part)

answered 23 Mar '11, 15:19

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

iPad User-Agent is (according to online sources):

Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10

(23 Mar '11, 19:33) wesmorgan1

1

You can try to spot those by MAC address vendor. The first 3 bytes of each 6 byte MAC address is vendor specific, and I'd assume that Apple has their devices registered to an Apple MAC (not entirely sure though, I have no iPhone/iPad to test this atm).

If you enable Name Resolution for the MAC Layer Wireshark will replace the first 3 bytes with the Vendor name taken from the file "manuf" in the Wireshark installation directory. Maybe that is enough to spot those devices.

answered 23 Mar '11, 02:37

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

0

You might also take a look at "Well known TCP and UDP ports used by Apple software products" - you might be able to catch a few by capturing Apple-specific protocol ports.

answered 23 Mar '11, 19:22

wesmorgan1's gravatar image

wesmorgan1
411101221
accept rate: 4%

0

To gunnahafta: Can you tell me how do you capture HTTP packet via your iphone?

answered 25 Mar '11, 10:28

A%20B's gravatar image

A B
1101012
accept rate: 0%

I don't think he's doing it via the iPhone itself, he captures on a mirrorport of a cabled device

(25 Mar '11, 16:26) Jasper ♦♦