I enter the "amqp" keyword to filter the request/response in Wireshark on Mac; my Mac version is macOS version Sierra 10.12.6. This keyword doesn't work at all after I click "Start capturing packets", while the RabbitMQ client does receive the message sent. Could someone help to resolve this issue? Thanks in advance.
asked 23 Oct '17, 02:22 hailongshih
2 Answers:
Are you attempting to use it as a Capture Filter, i.e. in the filter field just above the interface list that is preceded by the text "Capture ...using this filter:"? If so, then this won't work as amqp is not valid for a capture filter, but is valid for a display filter. You can try using a capture filter of "port 5672" for regular unencrypted amqp traffic, but your environment may vary.
If your amqp traffic is using TCP on the standard port (5672) then it should be automatically dissected, and if running on TLS using the standard port (5671) and if you have decryption correctly configured that should be automatically dissected as well.
answered 23 Oct '17, 05:14 grahamb ♦
Hi Guy, I'm sure that RabbitMQ on my Mac uses the default port 5672, and I find mongo in the display filter doesn't work either while using the default port 27017. Do you use TeamViewer so that we can have a screen sharing? Thanks.
answered 26 Oct '17, 23:50 hailongshih
...on any platform, not just macOS.
You could, however, use "port amqp" on at least some platforms to capture on the standard port 5672.
Thanks grahamb. I did use keyword "amqp" in the display filter but still no results. "port 5672" in capture filter will be automatically transferred to "amqp" as well; all failed and no packets are captured.
If you capture without a capture filter, and then apply the display filter "amqp", what TCP ports are the packets going to and coming from? If neither of them is 5672, then your AMQP traffic is not using the standard port 5672, and you will have to find out what port it is using, and use "port XXXX", where XXXX is the port it's using, as the capture filter.