Hi, I have installed Wireshark v1.12.6.0 to inspect AMQP 1.0 network traffic. But the protocol column in Wireshark only contains "TCP" instead of "AMQP" for the inspected traffic. I expected that AMQP message packets would have been recognized automatically? If I right click on a selected row I can do "Decode as..." --> AMQP but I don't see any decoding happen. Is the AMQP 1.O dissector contained in Wireshark v1.12.6.0? If yes, what do I have to do to decode the AMQP network traffic to get the payload of the messages (TCP segment data) in a human readable format (XML)? If not what do I have to do to make the dissector running in Wireshark. Regards, Erik asked 08 Jul '15, 06:16 ErikAs converted to question 08 Jul '15, 07:02 grahamb ♦ |
One Answer:
I think so (at least source code for the version contains the patches from https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9612). Is the AMQP 1.0 traffic sent via TCP port 5672? If not, right-click to some frame with TCP data (PSH bit enabled), select "Decode as", in Transport tab chose AMQP in right pane and click to OK (this will decode just the TCP flow of the selected frame but I think you get the point). If AMQP 1.0 traffic is sent via port 5672, then either Wireshark cant decode a bit of conversation or the traffic is malformed (i.e. tcpdump -s <very_small_value> used). Would it be possible to share the tcpdump to provide more accurate answer? Anyway once Wireshark attempts to decode some frame as some protocol (here AMQP) and fails, it provides error/warning expert info (coloured bullet in left down corner of the application window) - that could be also valuable to check. Yet another option is your AMQP traffic is sent over SSL (here usually on port 5671) i.e. encrypted. Then there is no way to decode it in Wireshark (or I am not aware of such a method). answered 19 Jul '15, 11:30 Pavel Moravec |
Hi Pavel,
thanks for the answer.
Yes the AMQP traffic is not sent over port 5672 and sent over a SSL encrypted connection. So there is now chance to dissect the AMQP traffic in this case?
I thougt about letting Wireshark decode the SSL encrypted packets (like described here: http://packetpushers.net/using-wireshark-to-decode-ssltls-packets) first and then using the AMPQ dissector to dissect the decrypted data. But this does not seem to work either.
Regards, Erik
You'll need the SSL master key, which isn't easy to come by, that's the point of SSL after all. Is your AMQP traffic from Azure?