This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I have installed Wireshark v1.12.6.0 to inspect AMQP 1.0 network traffic. But the protocol column in Wireshark only contains "TCP" instead of "AMQP" for the inspected traffic. I expected that AMQP message packets would have been recognized automatically? If I right click on a selected row I can do "Decode as..." --> AMQP but I don't see any decoding happen.

Is the AMQP 1.O dissector contained in Wireshark v1.12.6.0?

If yes, what do I have to do to decode the AMQP network traffic to get the payload of the messages (TCP segment data) in a human readable format (XML)?

If not what do I have to do to make the dissector running in Wireshark.

Regards, Erik

asked 08 Jul '15, 06:16

ErikAs's gravatar image

ErikAs
6114
accept rate: 0%

converted to question 08 Jul '15, 07:02

grahamb's gravatar image

grahamb ♦
19.8k330206


Is the AMQP 1.O dissector contained in Wireshark v1.12.6.0?

I think so (at least source code for the version contains the patches from https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9612).

Is the AMQP 1.0 traffic sent via TCP port 5672? If not, right-click to some frame with TCP data (PSH bit enabled), select "Decode as", in Transport tab chose AMQP in right pane and click to OK (this will decode just the TCP flow of the selected frame but I think you get the point).

If AMQP 1.0 traffic is sent via port 5672, then either Wireshark cant decode a bit of conversation or the traffic is malformed (i.e. tcpdump -s <very_small_value> used). Would it be possible to share the tcpdump to provide more accurate answer? Anyway once Wireshark attempts to decode some frame as some protocol (here AMQP) and fails, it provides error/warning expert info (coloured bullet in left down corner of the application window) - that could be also valuable to check.

Yet another option is your AMQP traffic is sent over SSL (here usually on port 5671) i.e. encrypted. Then there is no way to decode it in Wireshark (or I am not aware of such a method).

permanent link

answered 19 Jul '15, 11:30

Pavel%20Moravec's gravatar image

Pavel Moravec
61127
accept rate: 0%

Hi Pavel,

thanks for the answer.

Yes the AMQP traffic is not sent over port 5672 and sent over a SSL encrypted connection. So there is now chance to dissect the AMQP traffic in this case?

I thougt about letting Wireshark decode the SSL encrypted packets (like described here: http://packetpushers.net/using-wireshark-to-decode-ssltls-packets) first and then using the AMPQ dissector to dissect the decrypted data. But this does not seem to work either.

Regards, Erik

(20 Aug '15, 02:28) ErikAs

You'll need the SSL master key, which isn't easy to come by, that's the point of SSL after all. Is your AMQP traffic from Azure?

(20 Aug '15, 03:59) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×5

question asked: 08 Jul '15, 06:16

question was seen: 1,885 times

last updated: 20 Aug '15, 03:59

p​o​w​e​r​e​d by O​S​Q​A