This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark AMQP Plugin

0

Hi How do you install and make use of the AMQP plugin (or dissector) for Linux? I am running a Redhat 5.5 system, have Wireshark v1.0.8 installed but do not know how to get the AMQP plugin online?

Can you help please? I have searched for hours for online docs etc. but have come up with nothing :(

Many thanks, any help is appreciated.

Brgds, David

asked 04 Jul '12, 05:34


David Thompson
accept rate: 0%


One Answer:

0

The amqp dissector is part of Wireshark proper (even though it says "AMQP v0-9, 0-10 Wireshark dissector plug-in" at the beginning of the source file).

(I've fixed the comment in the development version source file to remove the word 'plugin').

The amqp dissector was added to Wireshark in a version prior to 1.0.8.

So: the dissector is not a plugin and should be called if a capture file contains packets on TCP port 5672. (You can use Analyze > Decode As if a different TCP port is being used).

Are you having a problem wherein the amqp dissector isn't being called to dissect amqp packets in a capture file?

answered 04 Jul '12, 05:55


Bill Meier ♦♦
accept rate: 17%

edited 04 Jul '12, 06:06

Hi

Thanks for getting back. Ok, so the AMQP dissector plug-in is included in my build, great.

Yes, I think I may have a problem in that case. When I run 'wireshark' the GUI (Gnome) opens fine. But when I close the GUI I see "Warn Dissector bug, protocol AMQP, in packet 58772: packet-amqp.c:2091: failed assertion '(0)'". This is repeated hundreds of times in the terminal I started 'wireshark' in.

Any clues?

/David

(04 Jul '12, 07:03) David Thompson

This is the result of the dissectors not understanding the AMQP type. Not really a bug, just that it only understands AMQP_FRAME_TYPE_METHOD(1), AMQP_FRAME_TYPE_CONTENT_HEADER(2) and AMQP_FRAME_TYPE_CONTENT_BODY(3).

(04 Jul '12, 07:40) Jaap ♦

A little further research indicates that reporting unknown message types as "dissector bugs" was fixed a while back (Jan 2011).

Unknown message types are now reported with an explicit "Unknown Frame Type" message in the packet details dissection.

See: Bug 4048

This fix was included in Wireshark 1.2.14 and Wireshark 1.4.3, which were both released in January 2011.

So: It seems you are using an older version of Wireshark.

If possible you may want to consider upgrading to the latest stable version of Wireshark (1.8.0).

(05 Jul '12, 07:50) Bill Meier ♦♦
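To illustrate the frame-type handling Jaap and Bill describe above, here is an added example (not code from the thread or from Wireshark's packet-amqp.c) that walks a stream of AMQP 0-9-1 frames, dispatches on the type octet, and reports an unassigned type as "Unknown Frame Type" instead of aborting on an assertion. The sample byte stream is constructed inline; the Connection.Start method frame carries only its class and method ids, with the real arguments omitted.

```python
import struct
from typing import Any, Dict, List

# AMQP 0-9-1 general frame layout: type (1 octet), channel (2 octets, big-endian),
# payload size (4 octets, big-endian), payload, then the frame-end octet 0xCE.
FRAME_TYPE_METHOD = 1
FRAME_TYPE_CONTENT_HEADER = 2
FRAME_TYPE_CONTENT_BODY = 3
FRAME_TYPE_HEARTBEAT = 8   # defined by 0-9-1; not one of the three the old dissector knew
FRAME_END = 0xCE

KNOWN_TYPES = {
    FRAME_TYPE_METHOD: "Method",
    FRAME_TYPE_CONTENT_HEADER: "Content-Header",
    FRAME_TYPE_CONTENT_BODY: "Content-Body",
    FRAME_TYPE_HEARTBEAT: "Heartbeat",
}


def dissect_frames(data: bytes) -> List[Dict[str, Any]]:
    """Describe every frame in `data`; never raise on an unexpected type."""
    frames: List[Dict[str, Any]] = []
    offset = 0
    while offset + 7 <= len(data):
        ftype, channel, size = struct.unpack_from(">BHI", data, offset)
        end = offset + 7 + size            # index of the expected frame-end octet
        if end >= len(data):
            frames.append({"offset": offset, "type": ftype, "error": "Truncated frame"})
            break
        payload = data[offset + 7:end]
        entry: Dict[str, Any] = {"offset": offset, "type": ftype, "channel": channel,
                                 "size": size,
                                 "name": KNOWN_TYPES.get(ftype, "Unknown Frame Type")}
        if data[end] != FRAME_END:
            entry["error"] = "Bad frame-end octet 0x%02x" % data[end]
        if ftype == FRAME_TYPE_METHOD and len(payload) >= 4:
            entry["class_id"], entry["method_id"] = struct.unpack_from(">HH", payload)
        frames.append(entry)
        offset = end + 1
    return frames


def build_frame(ftype: int, channel: int, payload: bytes) -> bytes:
    return struct.pack(">BHI", ftype, channel, len(payload)) + payload + bytes([FRAME_END])


# Constructed sample: Connection.Start (class 10, method 10, args omitted),
# a heartbeat, and a frame whose type octet (7) is not assigned by the spec.
SAMPLE_STREAM = (build_frame(FRAME_TYPE_METHOD, 0, struct.pack(">HH", 10, 10))
                 + build_frame(FRAME_TYPE_HEARTBEAT, 0, b"")
                 + build_frame(7, 1, b"\x00\x01"))

if __name__ == "__main__":
    for frame in dissect_frames(SAMPLE_STREAM):
        print(frame)
```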