This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

UPNP with VNC protocol

0

Hi All,

I am trying to control my satellite box with my automation system; for that I need the IP commands of the box.

The satellite box has its own app. I have used Wireshark to capture the communication between the mobile app and the box. After two days of head banging I understand that it uses UPNP to communicate, and when I send key press commands from the mobile app to the box the Wireshark output shows "VNC", and this is beyond my understanding.

Can someone please help me out with this? I have uploaded the Wireshark file to Google Drive. Please find the link below. Any help will be greatly appreciated.

Source IP Address (Mobile App): 192.168.1.134
Satellite Box IP Address: 192.168.1.227

Wireshark File Attachment

asked 22 Dec '16, 12:15

cylon147


One Answer:

2

The traffic on TCP port 5900 is interpreted as VNC since this is the standard port for VNC. If this is not VNC, as you have stated, simply disable the VNC dissector to get back to raw TCP payload data.

answered 22 Dec '16, 13:34

Jaap ♦

Hi,

I have tried as you have mentioned, but frankly speaking it is not making sense to me. Can you please elaborate?

I have uploaded two files, one with VNC enabled and another one with it disabled. These packets are from pressing the Down button on the mobile app.

Without VNC

https://drive.google.com/file/d/0Bz8ehuXLuisYUE5MZGlmckRkV1k/view?usp=sharing

With VNC

https://drive.google.com/file/d/0Bz8ehuXLuisYYTJMM2xjendxVGc/view?usp=sharing

(22 Dec '16, 23:23) cylon147
1

The difference is not in the capture of the frames, it's in the interpretation. Therefore it doesn't matter if you have the VNC dissector (or any dissector for that matter) enabled or disabled during capture, the packets are captured nonetheless (with the exception of frames discarded by the capture filter, but that is not applicable here). It's only when presenting the packets to you that the dissector configuration comes into play.

(23 Dec '16, 01:27) Jaap ♦
1

On the other hand, inspection of your capture file called Down Button.pcapng has the telltale signs of VNC. When you look in frame 14, its TCP payload says: "52 46 42 20 30 30 33 2e 30 30 38 0a", which matches perfectly the Remote Framebuffer Protocol ProtocolVersion Handshake. So contrary to your initial statement, I do think this is VNC.

(23 Dec '16, 01:36) Jaap ♦

Can you please chime in on what the app is sending to the box?

From my understanding, the app asked for the description file. The box sends the description file in XML format.

But I could not find the Down button commands that I have sent. There is no indication of anything.

(23 Dec '16, 01:40) cylon147
1

A quick look at Down Button.pcapng shows that frame 23 contains a Remote Framebuffer Protocol KeyEvent, where the key with code E101 goes down and back up.

In short, you should read up on Remote Framebuffer Protocol and implement that, because that's what's going on. How to do that is out of scope of this Q&A.

(23 Dec '16, 04:21) Jaap ♦

Thanks a lot mate. I will read up more.

(23 Dec '16, 06:21) cylon147
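
The two observations made in the comments above (frame 14 carrying the RFB ProtocolVersion handshake, and a KeyEvent for key E101 going down and up), as an added example that is not part of the original thread. Message layouts follow RFC 6143; the function names are hypothetical, the KeyEvent bytes are a constructed sample rather than data from the capture, and the payload is assumed to start on a message boundary.

```python
import re
import struct

# RFB (RFC 6143) ProtocolVersion message: exactly 12 bytes, "RFB xxx.yyy\n".
_VERSION_RE = re.compile(rb"RFB (\d{3})\.(\d{3})\n")
KEY_EVENT = 4  # client-to-server message type for KeyEvent


def parse_protocol_version(payload: bytes):
    """Return (major, minor) if payload is an RFB ProtocolVersion, else None."""
    m = _VERSION_RE.fullmatch(payload)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_key_events(payload: bytes):
    """Decode back-to-back 8-byte KeyEvent messages.

    Layout: U8 type=4, U8 down-flag, U16 padding, U32 keysym (big-endian).
    Stops at the first message that is not a complete KeyEvent.
    """
    events = []
    offset = 0
    while offset + 8 <= len(payload):
        msg_type, down, _pad, keysym = struct.unpack_from(">BBHI", payload, offset)
        if msg_type != KEY_EVENT:
            break
        events.append((keysym, bool(down)))
        offset += 8
    return events


# TCP payload of frame 14, as quoted in the thread.
FRAME_14 = bytes.fromhex("52 46 42 20 30 30 33 2e 30 30 38 0a")

# Constructed sample (not copied from the capture): key 0xE101 down, then up.
SAMPLE_KEYS = bytes.fromhex("04 01 00 00 00 00 e1 01 04 00 00 00 00 00 e1 01")

if __name__ == "__main__":
    print("ProtocolVersion:", parse_protocol_version(FRAME_14))
    for keysym, down in parse_key_events(SAMPLE_KEYS):
        print(f"KeyEvent keysym=0x{keysym:04X} {'down' if down else 'up'}")
```

A payload that fails `parse_protocol_version` on the first server-to-client data segment of a port 5900 stream is a reasonable cue that the VNC dissector is being applied by port number alone.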