09-03-2021 11:48 AM - edited 09-03-2021 11:50 AM
Recently we have had to use a tool called rvictl, better known as the Remote Virtual Interface (RVI) mechanism. What is this fancy tool, you might ask? It helps you create a virtual interface to capture network information using your Mac and iOS device in the event capture is needed for troubleshooting. We recently needed this for Cisco and an Apple engineering support case.
There are a few articles we have used to be successful. We found out the tool and its use in macOS is finicky at best.
There are a few things to know:
Start by installing Xcode, then look to this location to find and install the MobileDeviceDevelopment.pkg:
/Applications/Xcode/Contents/Resources/Packages/MobileDeviceDevelopment.pkg
You can install the package from the Finder or run it from the terminal using the installer command.
Next was a confusing part: you will want to ensure the tool is started, and it lives here:
/Library/Apple/usr/libexec/rpmuxd
You can execute the tool using the macOS terminal; there will be no immediate output:
$ /Library/Apple/usr/libexec/rpmuxd
Next was another confusing part, you would think the LaunchDaemon would be where they all live, but it is in this location:
$/Library/Apple/System/Library/LaunchDaemons/com.apple.rpmuxd.plist
Next, you need to ensure it is running, so test with this command:
$ sudo launchctl list com.apple.rpmuxd
If your output is this, you are good to go:
{
    "LimitLoadToSessionType" = "System";
    "MachServices" = {
        "com.apple.rpmuxd" = mach-port-object;
    };
    "Label" = "com.apple.rpmuxd";
    "OnDemand" = true;
    "LastExitStatus" = 0;
    "Program" = "/Library/Apple/usr/libexec/rpmuxd";
    "ProgramArguments" = (
        "/usr/libexec/rpmuxd";
    );
};
If your output is the following, the LaunchDaemon is not started/running.
"Could not find service "com.apple.rpmuxd" in domain for system"
To start the LaunchDaemon you run this command:
$ sudo launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.rpmuxd.plist
In Apple's troubleshooting document the path is listed as:
$/System/Library/LaunchDaemons/com.apple.rpmuxd.plist
I hope you can see the confusion.
Now you have the apps installed, the service started, and you have verified it is running. Now you can move forward with setting up your virtual interface.
Here is how it is done.
In Terminal, launch the tool with no commands and look at the tool options:
$ rvictl
rvictl [-h][-l][-s <udid1> ... <udidN>][-x <udid1> ... <udidN>]
Remote Virtual Interface Tool starts and stops a remote packet capture instance
for any set of attached mobile devices. It can also provide feedback on any attached
devices that are currently relaying packets back to this host.
Options:
-l, -L List currently active devices
-s, -S Start a device or set of devices
-x, -X Stop a device or set of devices
The next step was confusing while also being a bit hilarious. You should use Xcode to identify and copy the UUID of the iOS device you're going to create the virtual interface for. I am not saying you need to, I am saying you MUST do it, as... drum roll... the UUID must be all lowercase, not upper-case alphas, as the UUID is seen in Apple Configurator 2. This was a big hiccup for us.
Plug in your iOS device and Trust the Device or not; that is up to your configuration. Then, with Xcode open, go to:
Window > Devices and Simulators and copy the Identifier: c227f1e0a99dbba.......................
OK, now you have the UUID. What is next? Well, now you run the command using that information:
$ rvictl -s c227f1e0a99dbba.......................
You will see a popup stating the need to allow a system extension. The system extension only needs to be allowed once.
Open System Preferences > Security and Privacy > General, allow, and then restart:
Try again:
Verify the service:
$ sudo launchctl list com.apple.rpmuxd
Then:
$ rvictl -s c227f1e0a99dbba.......................
Starting device c227f1e0a99dbba....................... [SUCCEEDED] with interface rvi0
If you see a FAILED notification again, ensure you're using the UUID identifier from Xcode.
Example:
Starting device c227f1e0a99...................... [FAILED]
You can list all available interfaces if you continue to see failures:
$ ifconfig -l
lo0 gif0 stf0 en0 en1 en2 p2p0 awdl0 bridge0 `rvi0`
Once the interface is created and verified you can use tcpdump to capture the information:
$ sudo tcpdump -i rvi0 -w /Users/joe/Desktop/trace.pcap
Output you will see:
tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
(BIOCPROMISC: Operation not supported on socket)
tcpdump: listening on rvi0, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
Let's break this tcpdump command down:
When done with the capture, remember to terminate the session; you can do this by using the -x command:
$ rvictl -x c227f1e0a99dbba.......................
Stopping device c227f1e0a99dbba....................... [SUCCEEDED]
To sum up the important parts:
I recommend testing with the rvictl command and with tcpdump. There are many things that can be done with those tools. My intention was to help clear up tool locations and consolidate corrections we found in other forums.
I hope this information helps the community.
Good luck!
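The steps from the post above, collected into one script as an added example that is not part of the original post: it lowercases the identifier, checks that com.apple.rpmuxd is loaded, starts the RVI, confirms the interface exists, captures with tcpdump, and always stops the device afterwards. The function names, the default output file name and the assumption that an identifier contains only hex digits and hyphens are choices made for this example.

```shell
#!/bin/sh
# Added example: wraps the post's steps. Function names are hypothetical.

# Lowercase the identifier (the post found upper-case input fails) and
# reject anything that is not hex digits or hyphens (assumed character set).
normalize_udid() {
    udid=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$udid" in
        ''|*[!0-9a-f-]*) return 1 ;;
    esac
    printf '%s\n' "$udid"
}

# Pull the interface name out of an "rvictl -s" result line, e.g.
# "Starting device <udid> [SUCCEEDED] with interface rvi0".
# Returns non-zero for a [FAILED] line or anything unexpected.
rvi_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/.*\[SUCCEEDED\] with interface \(rvi[0-9][0-9]*\).*/\1/p' |
        grep .
}

capture() {
    udid=$(normalize_udid "$1") || { echo "bad identifier: $1" >&2; return 2; }
    pcap=${2:-trace.pcap}
    # The daemon has to be loaded before rvictl can start a device.
    sudo launchctl list com.apple.rpmuxd >/dev/null 2>&1 ||
        { echo "com.apple.rpmuxd is not loaded" >&2; return 3; }
    result=$(rvictl -s "$udid")
    iface=$(rvi_from_output "$result") || { echo "$result" >&2; return 4; }
    # Tear the virtual interface down on any exit, including Ctrl-C.
    trap 'rvictl -x "$udid"' EXIT
    trap 'exit 130' INT TERM
    # Confirm the interface exists before handing it to tcpdump.
    ifconfig -l | tr ' ' '\n' | grep -qx "$iface" || return 5
    sudo tcpdump -i "$iface" -w "$pcap"
}

# Run only when given arguments: capture <identifier> [output.pcap]
if [ "$#" -ge 1 ]; then capture "$@"; fi
```

Run it with the identifier copied from Xcode as the first argument; press Ctrl-C to end the capture and the trap runs rvictl -x for you.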
Posted on 09-06-2021 06:27 AM
There are several helpful actions listed below that will almost certainly result in a positive outcome. Get in touch with Microsoft customer service to speak with real representatives about any difficulties.
----------------------------