How to sniff your iPhone's outbound traffic.

In the wake of the Path address-book uploading fiasco, I wanted to see what traffic *my* iPhone was sending out. A chatty iPhone app can also be a huge battery drain.

This tutorial assumes that your iPhone is using Wi-Fi to connect to the same network your Mac is connected to. The first tool you will need is the Python-based mitmproxy (“Man-In-The-Middle” proxy), which is available here. You will also need Urwid, a console user interface library for Python. Download the current, stable binary versions of both of these programs (0.6 and 1.01 at the time of this writing), then simply un-tar them into folders on your desktop.

Open a command prompt and change directory into the urwid-1.0.1 directory. Run the install script with the following invocation:

$ sudo python setup.py install
running install
running bdist_egg
running egg_info
creating urwid.egg-info
writing urwid.egg-info/PKG-INFO
...

Note that some of the echoed installation lines are not shown here. Exit from the urwid directory, and change directory into the mitmproxy-0.6.3 directory. From there, run the installation script:

$ sudo python setup.py install
Password:
running install
running build
running build_py
creating build
creating build
...

That’s it! You are now ready to start sniffing your iPhone! Run an “ifconfig” command at the command prompt to obtain the IP address of your Mac. On my Mac, the IP address is 192.168.1.100 on interface en0:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 50:e5:49:5e:3b:5c
inet6 fe80::52e5:49ff:fe5e:3b5c%en0 prefixlen 64 scopeid 0x4
inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
media: autoselect (1000baseT <full-duplex>)
status: active

While still in the mitmproxy directory, start mitmproxy by typing “mitmproxy” at the command line. Its console interface will pop up, empty until the first request comes through.

After that, grab your iPhone and enable Wi-Fi. Once it has connected, tap the arrow next to your SSID to access its properties:

Scroll down to the HTTP Proxy section, and enter your desktop’s IP address and port 8080 (mitmproxy’s default listening port). Here you see my Mac’s IP address of 192.168.1.100.

That’s it! Now just wait for an app on your iPhone to initiate outbound traffic. The proxy will capture and record it, like this:
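Once the proxy has been running for a while, the useful question is which hosts the phone talks to and how much it uploads to each. The following is an added example (my own code, not part of the original post and not a mitmproxy script) that summarises captured requests by destination host and flags large uploads. It assumes you have exported the captured requests as lines of the form "METHOD URL REQUEST-BODY-BYTES", a format constructed for this example; the sample lines and hostnames are made up. One caveat the post does not mention: a plain HTTP proxy shows you HTTP only. HTTPS request bodies stay opaque unless you also install mitmproxy’s CA certificate on the phone.

```python
"""Summarise which hosts a phone talks to, from proxy-captured requests.

Added example, not from the original post and not a mitmproxy API. Input lines
are a constructed format:  <method> <url> <request-body-bytes>
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample capture; hostnames are reserved example names, not real services.
SAMPLE_CAPTURE = """\
GET http://news.example.com/feed.xml 0
POST http://api.example.net/v1/contacts/upload 48213
GET http://news.example.com/img/logo.png 0
POST http://api.example.net/v1/events 512
GET http://cdn.example.org/app.js 0
POST http://api.example.net/v1/events 498
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)$")


def parse_capture(text):
    """Turn capture lines into (method, host, path, bytes_out) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        records.append((m.group("method"), parts.hostname or "", parts.path, int(m.group("bytes"))))
    return records


def summarize_by_host(records):
    """Per host: number of requests and total bytes uploaded in request bodies."""
    summary = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for _method, host, _path, nbytes in records:
        summary[host]["requests"] += 1
        summary[host]["bytes_out"] += nbytes
    return dict(summary)


def large_uploads(records, threshold=4096):
    """Requests whose body exceeds the threshold: the ones worth asking an app about."""
    return [(host, path, nbytes) for method, host, path, nbytes in records
            if method in ("POST", "PUT") and nbytes > threshold]


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    ranked = sorted(summarize_by_host(recs).items(), key=lambda kv: -kv[1]["bytes_out"])
    for host, stats in ranked:
        print(f"{host:25} {stats['requests']:3d} requests {stats['bytes_out']:8d} bytes out")
    for host, path, nbytes in large_uploads(recs):
        print(f"large upload: {nbytes} bytes to {host}{path}")
```

Bytes uploaded per host is the number to watch: a small, frequent event stream is the battery problem the post mentions, while one large POST to an API you did not expect is the address-book question.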

Create a wireless bridge with a cheap TP-Link router

The TL-WR1043 router from Chinese manufacturer TP-Link is one of the most capable and inexpensive routers on the market today. With four Gigabit Ethernet LAN ports, Wireless-N, and a cost of only $54 (at the time of this writing), you cannot find a better value. It also efficiently solves a problem many people have: insufficient wireless coverage.

If your home is large or prone to Wi-Fi “dead spots” where the signal is weak, you can use a wireless bridge to help overcome these problems. A bridge does exactly what it sounds like: it connects two Wi-Fi networks without the need for cabling. The bridge is nothing more than a second router that joins your existing network and extends its range. A bridge also increases the number of wired devices you can connect to your home network via the Ethernet ports on the back of it. Anything you connect there is also connected to your home network, which lets you connect devices without onboard Wi-Fi, such as DVD players or game consoles.

To do this, you need two routers, a laptop, and an Ethernet cable. This article assumes one of those two routers is already set up and functioning as your primary Wi-Fi router, and the other is an out-of-the-box, unconfigured TP-Link TL-WR1043 router. It will be referred to as the “bridge router” in this article. It is also recommended that you update the router to the latest firmware version from TP-Link before proceeding (3.13.4 Build 110429 Rel.36959n as of this writing).

Here is how you build the bridge:

1) Write down your existing wireless settings
Open up the web-based management console on your existing, primary router. Browse to the Wireless/Wireless Settings section and write down the values for channel, SSID, transmission mode, and the wireless security method and password in use. You will need these values later when you configure the bridge router.

2) Connect the bridge router
Connect the bridge router directly to your laptop with an Ethernet cable plugged into any of its four LAN ports. Disable the laptop’s Wi-Fi connection, which ensures your laptop is talking only to the router. Power the router on, and your laptop should obtain an IP address from it.

3) Open the Administration console
Open a web browser and go to the bridge router’s administration page at 192.168.1.1; you will be prompted for the default username and password of admin/admin.

4) Select the Wireless/Wireless Settings section.
In this section, set a different Wireless Network Name (SSID) from the one used by your primary router. Then set all of the other settings on this page to match your primary router. After making these changes, you will be prompted to reboot the router, which you must do to ensure these changes take effect. After the reboot, move on to the next step.

5) Give the bridge router a different IP.
Open the router management console once again, and select the Network/LAN section. In this section, you will see that the router has a default IP address of 192.168.1.1, which is the same IP address as your primary router. In order to avoid an IP address conflict, change the IP address of the bridge router to 192.168.1.2. You will need to reboot the router after making this change.

6) Setup the bridge
In the router management console, browse again to the Wireless/Wireless Settings section. This time, tick the checkbox entitled “Enable WDS Bridging.” This will open a drop-down section with a number of new settings. You will need to fill in the “SSID (to be bridged)” and “BSSID (to be bridged)” fields. The fastest way to do this is to click the “Survey” button. This opens a new window called “AP List” which shows you all the Wi-Fi networks in range. Look for your primary router in the list by its name (SSID), and click the “Connect” link on the right.

You will notice that the SSID and BSSID sections are now filled out properly. Now simply enter the wireless security values you copied from your primary router. It should look something like this, with the sections with red arrows filled in. Save the settings, and your router will reboot and join your existing Wi-Fi network.

7) Disable DHCP
Since your primary router will be handing out IP addresses on your network, you do not want the bridged router also trying to assume this role. Select the DHCP/DHCP Settings section, and disable the DHCP server.

Then choose the System Tools/Reboot section, and reboot the router for the last time.

8) Reconnect to your primary router.
Disconnect the Ethernet cable from the bridge router and re-enable your Wi-Fi. You should now see two possible SSIDs to connect to: the primary router and the new bridge router. Connect to the primary router, as you would normally do.

9) Validate the bridge setup.
You can perform a few tests to ensure your setup is configured correctly:
a) Browse to the administration page on the primary router. Select the Wireless/Wireless Statistics section. In this section, you should see the MAC Address of your bridge router, and some values in the Received and Sent Packets counters, indicating the connection is working. It should look like this:

Note that the MAC address of your bridge router should be printed on the bottom of the device.

b) Browse to the 192.168.1.2 address, which is the management console of the bridge router. You should be able to reach this address and log in to the administration page on the bridge router without issue.

If both of these tests pass, you can be reasonably certain your bridge is configured correctly and running.

10) Connect to the bridge
Now switch your Wi-Fi connection to the SSID of the bridge router. You should be able to connect successfully, get an IP address through the primary router, and reach the Internet. You should also be able to connect a wired device to any of the LAN ports on the bridge router and get to the Internet as well.

Configure your OS for Gigabit Ethernet

Get a new wireless router recently? If so, it’s a good bet that it has Gigabit Ethernet (GbE) capability that you can take advantage of.

Manufacturers have been slow to move away from the standard 10/100 network switches that were the mainstay of wireless routers for years. However, today it is increasingly common to see routers with GbE switch ports. It’s also likely that your computer has a GbE network card built in, if you bought it within the last five years.

Now that wireless routers have caught up, you need to set up your network card to take advantage of GbE in your operating system. Note: you can only use jumbo frames on a network if all devices, including the switch, support them. GbE also does not work over wireless connections.

The setting we will change is called “Jumbo Frames,” and enabling it will allow you to move packets around your wired home network much faster. Here is how you do it for the three major operating systems in use today:

1) Windows

Control Panel – Network and Sharing Center – Change Adapter Settings – Local Area Connection – Properties – Configure – Advanced tab – Jumbo Frame property

Set the value to the highest possible MTU value, which is usually a 9KB MTU, like this:

2) Mac

Open System Preferences – Network – Ethernet – Advanced – Ethernet. Select Configure: Manually and MTU: Custom. This brings up a text box where you can enter the 9000 value for jumbo frames:

3) Linux

Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file and add a line reading “MTU=5000”, like this:

Once you enable these settings, reboot your computer to ensure they take effect. Then ping another computer on your network (presuming it also has GbE enabled) with “ping <ip address> -f -l 9000” to verify that jumbo frames are enabled. You should see a normal ping response (but with a larger buffer size thanks to jumbo frames):

You can now begin moving files around your network at Gigabit Ethernet speeds!
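A check worth adding to the ping test: the payload you give ping is not the frame size. An IPv4 header (20 bytes) and an ICMP header (8 bytes) are added on top, so with a 9000-byte MTU the largest payload that will pass with the don’t-fragment flag set is 8972 bytes; a 9000-byte payload will be reported as needing fragmentation even when jumbo frames are working. The following is an added example (my own code, not from the original post) that computes that limit, builds the don’t-fragment ping for each operating system, and reads interface MTUs out of ifconfig / ip link style output to show which interfaces are actually running jumbo frames. The interface listing is constructed sample output, not read from a live machine; the ping flags are the real ones for each OS.

```python
"""Jumbo-frame sanity checks: unfragmented ping payload, per-OS ping command, MTU audit.

Added example, not from the original post. Header sizes are the IPv4 (20) and
ICMP (8) minimums; the interface listing is constructed sample output.
"""
import re

IPV4_HEADER = 20
ICMP_HEADER = 8
STANDARD_MTU = 1500

# Constructed sample: one macOS-style ifconfig line, one Linux ifconfig line, one 'ip link' line.
SAMPLE_LISTING = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 9000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""


def max_ping_payload(mtu):
    """Largest ICMP echo payload that fits in one frame without fragmentation."""
    if mtu <= IPV4_HEADER + ICMP_HEADER:
        raise ValueError("MTU too small to carry an ICMP packet")
    return mtu - IPV4_HEADER - ICMP_HEADER


def ping_command(os_name, target, mtu):
    """Build the don't-fragment ping that proves jumbo frames work end to end."""
    size = max_ping_payload(mtu)
    if os_name == "windows":
        return f"ping {target} -f -l {size}"          # -f: don't fragment, -l: payload size
    if os_name == "linux":
        return f"ping -M do -s {size} -c 3 {target}"   # -M do: set DF bit, -s: payload size
    if os_name == "macos":
        return f"ping -D -s {size} -c 3 {target}"      # -D: set DF bit, -s: payload size
    raise ValueError(f"unknown OS {os_name!r}")


# Optional 'N: ' index (ip link), interface name, optional colon, then 'mtu <n>' later on the line.
MTU_RE = re.compile(r"^(?:\d+:\s+)?(?P<iface>[A-Za-z0-9@.\-]+):?\s.*?\bmtu\s+(?P<mtu>\d+)")


def interface_mtus(listing):
    """Parse ifconfig / 'ip link' style lines into {interface: mtu}."""
    mtus = {}
    for line in listing.splitlines():
        m = MTU_RE.match(line)
        if m:
            mtus[m.group("iface")] = int(m.group("mtu"))
    return mtus


def jumbo_interfaces(listing):
    """Non-loopback interfaces whose MTU is above the standard 1500 bytes."""
    return sorted(name for name, mtu in interface_mtus(listing).items()
                  if mtu > STANDARD_MTU and not name.startswith("lo"))


if __name__ == "__main__":
    print("jumbo interfaces:", jumbo_interfaces(SAMPLE_LISTING))
    for os_name in ("windows", "macos", "linux"):
        print(os_name, "->", ping_command(os_name, "192.168.1.100", 9000))
```

If the don’t-fragment ping fails at 8972 but succeeds at 1472, some device on the path (often the switch) is still at 1500, which is the “all devices must support it” note above in practice.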

A torn-down TCP session.

We recently fixed a problem where a user in London connected to an Oracle database server (using SQL Developer) in Atlanta. She ran a query and then let the connection sit idle for 12 minutes while she answered email. When she went back to run another query, SQL Developer just spun, ultimately failing with a connection timeout.

We broke out our trusty copy of Wireshark, and started sniffing on her workstation, hoping to see who was cutting off the conversation: the client or the server.

As you can see in the screen capture below, we have a normal Oracle TNS protocol conversation of PSH,ACKs between her client at 172.25.4.29 and the server at 172.27.10.219. At 72 seconds (1 minute) into the trace, everything is fine. However, at 716 seconds (12 minutes) into the capture, the client tries to send a new SQL query to the server and gets no response. It tries retransmitting its request several times, highlighted below as TCP Retransmissions, even marking one packet with the URG (urgent) flag to force the server to pay attention.

What is going on here?  Clearly the Oracle client still thinks it has a TCP-level connection with the Oracle server, but in reality the TCP session has already been torn down. We ultimately traced the problem back to a BlueCoat network appliance sitting between the user and the server that was disconnecting the session based on its own timeout value.
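The client-side mitigation for a middlebox that silently expires idle flows is TCP keepalive: have the kernel send a probe before the device’s idle timer runs out, so the flow stays in its state table and, if the path really is dead, the client finds out in seconds rather than on its next query. The following is an added example (my own code, not from the original post) that enables keepalive on a socket and reads the resulting settings back. The idle and interval values are assumptions chosen to sit well under a 12-minute cut; the Linux option names (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT) and the macOS name for the idle timer (TCP_KEEPALIVE) are real, and the code only sets the ones the running platform exposes.

```python
"""TCP keepalive so an idle session survives a middlebox idle timeout.

Added example, not from the original post. Timer values are assumptions for a
device that drops flows after about 12 idle minutes.
"""
import socket


def _set_tcp_option(sock, name, value):
    """Set a TCP-level option if this platform has it; report whether it took."""
    opt = getattr(socket, name, None)
    if opt is None:
        return False
    try:
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        return True
    except OSError:
        return False


def enable_keepalive(sock, idle_seconds=300, interval_seconds=30, probes=3):
    """Turn on keepalive and, where the OS exposes them, set the probe timers.

    idle_seconds: quiet time before the first probe (must beat the middlebox timer)
    interval_seconds: gap between unanswered probes
    probes: unanswered probes before the socket is declared dead
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"keepalive": True}
    # Linux calls the idle timer TCP_KEEPIDLE; macOS calls it TCP_KEEPALIVE.
    if _set_tcp_option(sock, "TCP_KEEPIDLE", idle_seconds) or \
       _set_tcp_option(sock, "TCP_KEEPALIVE", idle_seconds):
        applied["idle"] = idle_seconds
    if _set_tcp_option(sock, "TCP_KEEPINTVL", interval_seconds):
        applied["interval"] = interval_seconds
    if _set_tcp_option(sock, "TCP_KEEPCNT", probes):
        applied["probes"] = probes
    return applied


def keepalive_settings(sock):
    """Read back what the kernel holds for this socket (None where unsupported)."""
    def get(name):
        opt = getattr(socket, name, None)
        return None if opt is None else sock.getsockopt(socket.IPPROTO_TCP, opt)

    idle = get("TCP_KEEPIDLE")
    if idle is None:
        idle = get("TCP_KEEPALIVE")
    return {
        "keepalive": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        "idle": idle,
        "interval": get("TCP_KEEPINTVL"),
        "probes": get("TCP_KEEPCNT"),
    }


def keepalive_covers_timeout(idle_seconds, middlebox_timeout_seconds):
    """True if the first probe goes out before the middlebox would expire the flow."""
    return idle_seconds < middlebox_timeout_seconds


def demo(idle_seconds=300):
    """Create a TCP socket, apply keepalive, return the kernel's view (no network needed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        enable_keepalive(s, idle_seconds)
        return keepalive_settings(s)
    finally:
        s.close()


if __name__ == "__main__":
    print(demo())
    print("covers a 12-minute cut:", keepalive_covers_timeout(300, 12 * 60))
```

The Oracle-side equivalent is Dead Connection Detection, the SQLNET.EXPIRE_TIME parameter in sqlnet.ora (in minutes), which makes the server send its own probes; and of course the appliance’s idle timeout can be raised for this traffic. Either way, pick the idle value from the shortest timeout on the path, not from the endpoints.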

Real-world networking speeds

A 100 Mbit connection has a theoretical maximum bandwidth of 12.5 MB/sec. Actual speeds are lower because of overhead and other factors. Expect to see a maximum of 7 MB/sec.

Gigabit (1000 Mbit) has a theoretical maximum bandwidth of 125 MB/sec. Expect to see actual speeds up to about 90 MB/sec in real life.

Useful netstat commands

View which IPs are generating the most connections to your web server, sorted from fewest to most connections:

$ netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The result will look like this:

117 0.0.0.0
158 172.27.10.75
354 172.27.10.140

If you want to see how many connections are in a certain state of the TCP handshake or teardown, use this command:

$ netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c

The result will look like this:

282 CLOSE_WAIT
230 ESTABLISHED
2 FIN_WAIT2
1 LAST_ACK
1 LISTEN
330 TIME_WAIT
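The two pipelines above are the quickest way to spot one address hammering a server or a pile-up of half-closed connections, but the “cut -d: -f1” step mangles IPv6 peers, and a count is only useful with a threshold attached. The following is an added example (my own code, not from the original post) that reproduces both summaries in Python, splits host and port on the last colon so IPv6 addresses survive, and flags any peer holding an outsized share of connections. The netstat text is constructed sample output in the Linux net-tools layout; the addresses and the share/minimum thresholds are made up.

```python
"""Connection counts per remote address and per TCP state, from netstat output.

Added example, not from the original post. The netstat text is constructed
sample output; thresholds in noisy_peers are assumptions to tune per server.
"""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 172.27.10.20:80         172.27.10.140:51212     ESTABLISHED
tcp        0      0 172.27.10.20:80         172.27.10.140:51213     ESTABLISHED
tcp        0      0 172.27.10.20:80         172.27.10.140:51214     TIME_WAIT
tcp        0      0 172.27.10.20:80         172.27.10.75:40001      CLOSE_WAIT
tcp6       0      0 2001:db8::20:80         2001:db8::99:55555      ESTABLISHED
tcp        0      0 172.27.10.20:22         172.27.10.75:40123      ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def parse_netstat(text):
    """Return (proto, local, foreign, state) for each tcp/udp row; headers are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""   # UDP rows carry no state column
        rows.append((proto, local, foreign, state))
    return rows


def split_host_port(addr):
    """'1.2.3.4:80' -> ('1.2.3.4', '80'); '2001:db8::1:443' -> ('2001:db8::1', '443')."""
    host, _, port = addr.rpartition(":")
    return host, port


def connections_per_peer(rows):
    """Equivalent of the first pipeline: connection count per foreign address."""
    return Counter(split_host_port(foreign)[0] for _, _, foreign, _ in rows)


def states_for_local_port(rows, port):
    """Equivalent of the second pipeline: TCP state counts for one local port."""
    return Counter(state for proto, local, _, state in rows
                   if proto.startswith("tcp") and split_host_port(local)[1] == str(port))


def noisy_peers(counter, share=0.5, minimum=10):
    """Peers holding at least `share` of all connections and at least `minimum` of them."""
    total = sum(counter.values())
    if total == 0:
        return []
    return [peer for peer, n in counter.most_common()
            if n >= minimum and n / total >= share]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for peer, n in sorted(connections_per_peer(rows).items(), key=lambda kv: kv[1]):
        print(f"{n:6d} {peer}")
    for state, n in sorted(states_for_local_port(rows, 80).items()):
        print(f"{n:6d} {state}")
    print("noisy:", noisy_peers(connections_per_peer(rows), share=0.3, minimum=3))
```

A large CLOSE_WAIT count, as in the output above, is the server side never calling close() after the client hung up, which is an application bug rather than network trouble; TIME_WAIT in the hundreds is normal on a busy web server.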

MS Network Monitor: Address listing

It’s much easier to sniff with Microsoft Network Monitor when you import the addresses you care about in .adr format. Just create a text file with one address per line, like this:

1,172.27.9.40=USATL01MT235,
1,172.27.66.58=Jeff’s Desktop,

Then start NetMon and import the addresses.

Sniffing a browser authentication

A 401 response is used by a web server to challenge the authorization of a user agent connecting anonymously. After receiving a 401 response, a browser includes an Authorization header field with its next request. The Authorization field carries the user agent’s credentials for the resource being requested.

I used Wireshark to sniff this request-response stream on an Apache web server (asking for a virtual host called “/manual” protected by Basic authentication), and it looks like this:

Client -> Server: SYN
Server -> Client: SYN,ACK
Client -> Server: ACK
Client -> Server: HTTP request (GET /manual)
Server -> Client: ACK
Server -> Client: HTTP 401 Authorization Required response, including a WWW-Authenticate: Basic header
FIN,ACK
ACK
FIN,ACK
ACK
(four-way close: each side sends FIN,ACK and receives an ACK)

(Repeat TCP sequence again, but browser sends proper credentials this time, and gets a 304 Not Modified response)
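What that second request looks like to anyone else on the path is the point of capturing it. The following is an added example (my own code, not from the original post) that parses a constructed copy of the two HTTP messages, the 401 challenge and the retried request, pulls out the authentication scheme and realm, and shows that a Basic credential is only base64-encoded, so the username and password are readable to a passive observer on an unencrypted connection. The host, realm and credentials are made up for the example; nothing here touches the network.

```python
"""What a passive observer sees in a Basic-auth 401 exchange over plain HTTP.

Added example, not from the original post. Messages are constructed; the host,
realm and credentials are invented.
"""
import base64
import binascii

# Constructed 401 challenge, as Apache sends for a Basic-protected location.
CHALLENGE = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"WWW-Authenticate: Basic realm=\"Apache Manual\"\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed retried request; the token is base64("demo:s3cr3t").
RETRIED_REQUEST = (
    b"GET /manual HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic ZGVtbzpzM2NyM3Q=\r\n\r\n"
)


def parse_message(raw):
    """Split a raw HTTP message into (start line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def challenge_scheme(headers):
    """Scheme and realm from a WWW-Authenticate header, e.g. ('Basic', 'Apache Manual')."""
    value = headers.get("www-authenticate", "")
    scheme, _, params = value.partition(" ")
    realm = None
    for part in params.split(","):
        key, _, val = part.strip().partition("=")
        if key.lower() == "realm":
            realm = val.strip().strip('"')
    return scheme, realm


def exposed_basic_credentials(headers):
    """(user, password) if the request carries Basic credentials, else None.

    Only the Basic scheme is decoded: it is an encoding, not encryption. Digest
    carries a hash of the password rather than the password itself, so it is
    reported as not exposed here.
    """
    value = headers.get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


if __name__ == "__main__":
    status, hdrs, _ = parse_message(CHALLENGE)
    print(status, "->", challenge_scheme(hdrs))
    _, req_hdrs, _ = parse_message(RETRIED_REQUEST)
    print("credentials visible on the wire:", exposed_basic_credentials(req_hdrs))
```

The fix is not a different header but a different transport: Basic authentication is only acceptable over TLS, where the capture above would show nothing but the TCP handshake and encrypted records.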

Good quote about VLANs

“VLANs, a method of creating independent logical networks within a physical network, are critical to hosting providers, because “clients in the dedicated market are very, very concerned about security,” Huber said. “They want their environment to be as close as possible to a physical dedicated server.” Virtualization takes care of operating system isolation, while a VLAN insulates a system from traffic on the remainder of the network.”