2
votes

Since v3.0.0 Wireshark supports msgpack. I have a capture file containing msgpack messages encapsulated in UDP that I want to dissect. The problem is that when I'm running:

tshark -r 1.pcap -d udp.port==60003,msgpack

I get the following message:

tshark: Protocol "msgpack" isn't valid for layer type "udp.port"
tshark: Valid protocols for layer type "udp.port" are:

The list of supported protocols contains msgpack:

tshark -G protocols | grep msgpack
Message Pack    MsgPack msgpack

Here is the link to example capture file: https://drive.google.com/file/d/1qZO-WKgTValghMjC4kM56B-M1FlYg5C2/view?usp=sharing

1
If msgpack has a port number like HTTP, then you would be able to use the -d decode-as flag. msgpack is a JSON alternative, so I'm guessing not. Can you provide a link to the packet capture containing the protocol? - Ross Jacobs
Here is the link to example capture file: drive.google.com/file/d/1qZO-WKgTValghMjC4kM56B-M1FlYg5C2/… - Alexey R.
I lied. You should be able to decode-as msgpack. This looks like a bug. I'll post an interim solution though VVV - Ross Jacobs

1 Answer

1
votes

It is not possible to decode as msgpack in the latest 3.07 tshark & Wireshark (i.e. this looks like a bug). If you are feeling virtuous, you can file one.

You can still access the data layer that comes after layer 4. We can use shell magic to do the equivalent of decoding the layer with the file you provided:

# Unix-like (macOS/Linux/BSD) systems ship with xxd.
# WSL on Windows will also have it.
bash$ tshark -r msgpack.pcap -T fields -e data | xxd -p -r | msgpack2json && echo
{"message_type":"complete_caching","generation":123992}

Here, we

  • Print the data field with tshark as ASCII hex
  • Use xxd to convert from text hex to bin hex
  • Use msgpack2json from msgpack-tools to convert the binary data back to JSON.
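
Added example, not part of the original answer: a small pure-Python msgpack decoder that converts each line of `tshark -T fields -e data` output to JSON one datagram at a time, and reports truncated or malformed payloads instead of stopping. The function names and sample bytes are constructed for illustration; it assumes one msgpack object per UDP payload and does not handle ext types.

```python
import io
import json
import struct

# struct format of the fixed-size field that follows each one-byte type tag
_FMT = {0xca: ">f", 0xcb: ">d", 0xcc: ">B", 0xcd: ">H", 0xce: ">I", 0xcf: ">Q",
        0xd0: ">b", 0xd1: ">h", 0xd2: ">i", 0xd3: ">q",   # numbers
        0xc4: ">B", 0xc5: ">H", 0xc6: ">I", 0xd9: ">B", 0xda: ">H",
        0xdb: ">I", 0xdc: ">H", 0xdd: ">I", 0xde: ">H", 0xdf: ">I"}  # lengths

def unpack(s):
    """Decode one msgpack object from the BytesIO stream s."""
    def take(n):
        b = s.read(n)
        if len(b) != n: raise ValueError("truncated msgpack payload")
        return b
    def seq(n, is_map):
        items = [unpack(s) for _ in range(n * 2 if is_map else n)]
        return dict(zip(items[0::2], items[1::2])) if is_map else items
    t = take(1)[0]
    if t <= 0x7f: return t                                # positive fixint
    if t >= 0xe0: return t - 0x100                        # negative fixint
    if t <= 0x8f: return seq(t & 0x0f, True)              # fixmap
    if t <= 0x9f: return seq(t & 0x0f, False)             # fixarray
    if t <= 0xbf: return take(t & 0x1f).decode("utf-8", "replace")  # fixstr
    if t in (0xc0, 0xc2, 0xc3): return {0xc0: None, 0xc2: False, 0xc3: True}[t]
    if t in _FMT:
        n = struct.unpack(_FMT[t], take(struct.calcsize(_FMT[t])))[0]
        if 0xca <= t <= 0xd3: return n                    # float, uint, int
        if t <= 0xc6: return take(n).hex()                # bin, shown as hex text
        if t <= 0xdb: return take(n).decode("utf-8", "replace")    # str 8/16/32
        return seq(n, t >= 0xde)                          # array 16/32, map 16/32
    raise ValueError(f"unsupported msgpack type 0x{t:02x}")  # ext types, 0xc1

def decode_line(hex_line):
    """JSON text, or an error string, for one `tshark -T fields -e data` line."""
    try:
        s = io.BytesIO(bytes.fromhex(hex_line.strip()))
        value, rest = unpack(s), len(s.read())
        if rest: raise ValueError(f"{rest} trailing bytes after first object")
        return json.dumps(value, separators=(",", ":"))
    except (ValueError, TypeError, RecursionError) as exc:
        return f"error: {exc}"

# Constructed sample: the answer's message as one datagram, then a cut-off copy.
_MSG = b"\x82\xacmessage_type\xb0complete_caching\xaageneration\xce\x00\x01\xe4\x58"
SAMPLE = [_MSG.hex(), _MSG[:20].hex()]
if __name__ == "__main__":
    print(*map(decode_line, SAMPLE), sep="\n")
```

To use it on the capture, pass each line printed by `tshark -r msgpack.pcap -T fields -e data` to `decode_line`.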