This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How does Wireshark know the given packet is an RTMP packet

I am building an RTMP parser, for which I have certain use cases, as given below:

  1. How to know if the packet I am parsing is an RTMP handshake packet or an RTMP message packet? This is because I might start monitoring the RTMP stream after the handshake has been done between the client and the server.

  2. How to know I am at the start of the RTMP packet? This is because I might be parsing from the middle of the RTMP packet or from anywhere inside the packet body. In that case, how to determine how many bytes to skip?

  3. How to know the payload inside TCP is RTMP? The data can correspond to any other data too. Hence, how to determine that the payload consists of RTMP data? Any help on this? I have been stuck with this for quite some time and I am unable to figure out anything from the Adobe specification for RTMP. Information in the specification is very limited.

asked 03 Oct '16, 05:14

abhinay

edited 03 Oct '16, 07:07

sindy


One Answer:

From the comments in the dissector code, there's little to go on.

answered 03 Oct '16, 06:55

Jaap ♦

Can you please specify which part in the code does the given thing?

(03 Oct '16, 22:11) abhinay

@Jaap Is there a way to get only RTMP data in a file from Wireshark's captured data?

(06 Oct '16, 05:26) abhinay
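
Added example, not part of the original thread and not Wireshark's dissector code: a heuristic for use cases 1 and 3 in the question, built on the handshake and chunk header layouts in the public RTMP specification. The function names and sample bytes are constructed for illustration, and the zero-field check assumes a peer that sends C1 exactly as the specification lays it out.

```python
KNOWN_TYPES = {1, 2, 3, 4, 5, 6, 8, 9, 15, 16, 17, 18, 19, 20, 22}  # message type ids
MSG_HEADER_LEN = {0: 11, 1: 7, 2: 3, 3: 0}  # chunk message header size per fmt

def looks_like_handshake(buf):
    """C0 is version byte 3; C1 is 4-byte time, 4 zero bytes (assumed per spec), 1528 random."""
    return len(buf) >= 9 and buf[0] == 3 and buf[5:9] == b"\x00" * 4

def parse_chunk_header(buf, off=0):
    """Parse one chunk header at `off`; return a dict, or None if the buffer is too short."""
    if off >= len(buf):
        return None
    fmt, csid = buf[off] >> 6, buf[off] & 0x3F
    pos = off + 1
    if csid in (0, 1):                      # 2- or 3-byte basic header
        extra = csid + 1
        if pos + extra > len(buf):
            return None
        csid = 64 + int.from_bytes(buf[pos:pos + extra], "little")
        pos += extra
    if pos + MSG_HEADER_LEN[fmt] > len(buf):
        return None
    hdr = {"fmt": fmt, "csid": csid}
    if fmt <= 2:
        hdr["timestamp"] = int.from_bytes(buf[pos:pos + 3], "big")
    if fmt <= 1:
        hdr["length"] = int.from_bytes(buf[pos + 3:pos + 6], "big")
        hdr["type_id"] = buf[pos + 6]
    if fmt == 0:
        hdr["stream_id"] = int.from_bytes(buf[pos + 7:pos + 11], "little")
    pos += MSG_HEADER_LEN[fmt]
    if hdr.get("timestamp") == 0xFFFFFF:    # extended timestamp follows the header
        if pos + 4 > len(buf):
            return None
        hdr["timestamp"] = int.from_bytes(buf[pos:pos + 4], "big")
        pos += 4
    hdr["header_len"] = pos - off
    return hdr

def classify(buf):
    """Label the first bytes of a TCP payload: 'handshake', 'chunk' or 'unknown'."""
    if looks_like_handshake(buf):
        return "handshake"
    hdr = parse_chunk_header(buf)
    if hdr and hdr.get("type_id") in KNOWN_TYPES and hdr["length"] > 0:
        return "chunk"
    return "unknown"   # fmt 2/3 chunks carry no type id and need per-stream state

# Constructed samples (not captured traffic): C0+C1, and a fmt 0 command chunk on csid 3.
SAMPLE_HANDSHAKE = b"\x03" + b"\x00\x00\x12\x34" + b"\x00" * 4 + b"\xaa" * 1528
SAMPLE_COMMAND = bytes.fromhex("03 000000 000019 14 00000000") + b"\x02" * 25
```

A first byte of 0x03 is both the C0 version and a fmt 0 chunk header on chunk stream 3, which is why the check also looks at the zero field; a payload that matches neither pattern is only "unknown", not proven non-RTMP.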