Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at http://www.chappellseminars.com/.

Showing posts with label AirPcap. Show all posts

Sunday, June 21, 2009

iPhone: You're Sexy, but You Talk Too Much


Last week at Sharkfest I blabbered on a bit about the chatty nature of my iPhone (3G). I equated it to a yapping Chihuahua on the network. I'm still playing around a bit with numerous trace files and will have some to give away soon, but I wanted to explain how to capture your iPhone traffic and understand one of the packets that you'll see over and over and over and (you get it) again in your traffic.

I'm hanging out today on my Vista 64 system that I host the live seminars from. (No... I do not have a sexy Mac on my desk - but I do have two televisions within 10 feet of me to constantly feed me my much-needed background noise through the day.)

Before launching Wireshark or turning on my iPhone - here's what I did:

1. I hooked up a powered USB hub and populated it with three AirPcap adapters.
2. I opened the AirPcap control panel and configured each adapter to listen to a different channel - channels 1, 6 and 11.
3. I added my encryption keys in AirPcap.

Now I launched Wireshark and selected the AirPcap Multi-Channel Aggregator interface for my capture. Then I turned on my sweet, sexy-looking iPhone and...

OUCH! I watched my iPhone locate the WLAN APs, but it did not make an authentication/association until 60 seconds after I entered my passcode. Perhaps it wanted a bit more of a commitment from me? Or flowers? Or a new case?

During the startup sequence there were some unique DHCP and ARP happenings (which we'll cover in a later blog) and a slew of mDNS packets. So, you ask... what the heck is mDNS and do I want 'em on my WLAN? mDNS stands for multicast DNS and is used to discover local devices as part of the Zeroconf project definition (Apple calls it Bonjour - they are so cool!). You don't need a DNS server to discover mDNS-capable devices. mDNS runs over UDP port 5353. Just use a udp.port==5353 filter or the dns display filter in Wireshark to see all mDNS and DNS traffic, or build a filter for all ip.addr==224.0.0.251 traffic (the IPv4 mDNS multicast address) or, in the case of IPv6, ipv6.addr==FF02::FB.

Want to try it out? On your iPhone, search in the AppStore for mDNS Watch. It's free so install it and watch it list all the mDNS-capable devices around you. In my lab it discovered my HP Officejet Pro L7700 printer and it showed me the three ports that were open on that printer - ports 513, 80 and 9100. Hmmm... this could be interesting, couldn't it?

For more information on mDNS, visit http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt.
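As an added example (not part of the original post): a small Python parser for the mDNS messages described above. It pulls out the SRV records, which show the service instances, hosts and ports a device is announcing on UDP 5353. The packet is constructed for illustration, and the instance name, host name and service types in it are assumed sample values.

```python
import struct

def _name(n):  # encode a dotted name as uncompressed DNS labels
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\x00"

def sample_response():  # constructed mDNS response (not a capture), two SRV records
    first = _name("Lab Printer._http._tcp.local")
    second = _name("Lab Printer._pdl-datastream._tcp.local")
    fixed = struct.pack("!HHI", 33, 0x8001, 120)    # type SRV, class cache-flush|IN, TTL
    rd1 = struct.pack("!3H", 0, 0, 80) + _name("printer.local")
    ptr = 0xC000 | (12 + len(first) + 10 + 6)       # compression pointer to rd1's target
    rd2 = struct.pack("!4H", 0, 0, 9100, ptr)
    return (struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)
            + first + fixed + struct.pack("!H", len(rd1)) + rd1
            + second + fixed + struct.pack("!H", len(rd2)) + rd2)

def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # two-byte pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                           # malformed packets can point in a loop
                raise ValueError("compression pointer loop")
        elif length == 0:                           # root label ends the name
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("utf-8", "replace"))
            off += 1 + length

def advertised_services(msg):
    """Return (service instance, target host, port) for every SRV record in msg."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off, found = 12, []
    for _ in range(qd):                             # skip questions: name + type + class
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 33:                             # SRV rdata: priority, weight, port, target
            port = struct.unpack_from("!H", msg, off + 14)[0]
            found.append((owner, read_name(msg, off + 16)[0], port))
        off += 10 + rdlen
    return found

if __name__ == "__main__":
    print(advertised_services(sample_response()))
```

To run it on your own traffic, pass it the UDP payload of a packet that matches the udp.port==5353 filter.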

Now... back to that hot, sexy and really verbose iPhone to work on the strange DHCP and ARP behavior (much of which is related to Bonjour).

Tuesday, February 17, 2009

Free AirPcap Adapters at Sharkfest!

Two things have been foremost on my plate this week - Sharkfest registration opened and the Chappell University beta program launched. I'll blog about Chappell University next - first, I want to make sure you know how to get a free AirPcap adapter to capture wireless traffic with Wireshark!

Did you catch last year's Sharkfest Developer and Users Conference? Set in a laid-back campus and swarming with Wireshark developers and fanatics, Sharkfest '08 gave us all a chance to mingle, discuss Wireshark tips and tricks, banter about ideas for enhancements and toast to the 10th anniversary and growth of a simple packet capture tool called Ethereal into the industry-leading analyzer Wireshark!



Sharkfest '09 will be held at Stanford University in Palo Alto, California on June 15-18th and CACE Technologies is giving every registered attendee a FREE AIRPCAP CLASSIC ADAPTER! This is a great deal considering the conference is less than $200/day and the initial session offering is filled with basic through advanced analysis techniques for wired and wireless networking.



Check out www.cacetech.com/sharkfest.09 for details on the event and register today to get your free AirPcap adapter!

See you at Sharkfest!


Laura