This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“amqp” keyword doesn’t work for Wireshark on Mac

0

I enter the "amqp" keyword to filter the request/response in Wireshark on Mac (my macOS version is Sierra 10.12.6), but this keyword doesn't work at all after I click "Start capturing packets", while the RabbitMQ client does receive the message sent. Could someone help to resolve this issue? Thanks in advance.

asked 23 Oct '17, 02:22


hailongshih


2 Answers:

0

Are you attempting to use it as a Capture Filter, i.e. in the filter field just above the interface list that is preceded by the text "Capture ...using this filter:"?

If so, then this won't work as amqp is not valid for a capture filter, but is valid for a display filter.

You can try using a capture filter of "port 5672" for regular unencrypted amqp traffic, but your environment may vary.

If your amqp traffic is using TCP on the standard port (5672) then it should be automatically dissected, and if running on TLS using the standard port (5671) and if you have decryption correctly configured that should be automatically dissected as well.

answered 23 Oct '17, 05:14


grahamb ♦

amqp is not valid for a capture filter

...on any platform, not just macOS.

You could, however, use port amqp on at least some platforms to capture on the standard port 5672.

(24 Oct '17, 11:35) Guy Harris ♦♦

Thanks, grahamb. I did use the keyword "amqp" in the display filter but still got no results. "port 5672" in the capture filter will be automatically transferred to "amqp" as well; all failed and no packets are captured.

(25 Oct '17, 23:48) hailongshih

If you capture without a capture filter, and then apply the display filter amqp, what TCP ports are the packets going to and coming from? If neither of them is 5672, then your AMQP traffic is not using the standard port 5672, and you will have to find out what port it is using, and use port XXXX, where XXXX is the port it's using, as the capture filter.

(25 Oct '17, 23:58) Guy Harris ♦♦
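
Added example, not part of the original thread or of Wireshark: one way to do the port check suggested above offline, by scanning an unfiltered capture for the AMQP protocol header (the bytes `AMQP` followed by version bytes) and reporting the TCP destination ports that received it. It assumes a little-endian classic pcap file with Ethernet/IPv4 framing; the function names and the sample capture are constructed for illustration.

```python
import struct

AMQP_MAGIC = b"AMQP"  # an AMQP client opens each connection with a header starting with these bytes

def tcp_frame(sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    return eth + ip + tcp + payload

def make_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def amqp_ports(pcap):
    """Return the TCP destination ports that received an AMQP protocol header."""
    ports, off = set(), 24  # skip the 24-byte pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]  # captured length
        pkt, off = pcap[off + 16: off + 16 + incl], off + 16 + incl
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 carrying TCP
        tcp = 14 + (pkt[14] & 0x0F) * 4  # IPv4 header length from IHL
        if tcp + 20 > len(pkt):
            continue  # truncated TCP header
        data = tcp + (pkt[tcp + 12] >> 4) * 4  # TCP data offset
        if pkt[data:data + 4] == AMQP_MAGIC:
            ports.add(struct.unpack_from("!H", pkt, tcp + 2)[0])
    return ports

# Constructed sample: a broker on non-standard port 5673, plus unrelated HTTP.
SAMPLE = make_pcap([
    tcp_frame(50001, 5673, b"AMQP\x00\x00\x09\x01"),
    tcp_frame(50002, 80, b"GET / HTTP/1.1\r\n\r\n"),
])

if __name__ == "__main__":
    for p in sorted(amqp_ports(SAMPLE)):
        print(f'capture filter: "port {p}"')
```
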

0

Hi Guy,

I'm sure that RabbitMQ on my Mac uses the default port 5672, and I find that mongo in the display filter doesn't work either while using the default port 27017. Do you use TeamViewer so that we can have a screen sharing?

Thanks

answered 26 Oct '17, 23:50


hailongshih