MQTT dissector / decoder for Wireshark

While debugging some problems we were having with TCP performance, I wanted a way to visualize the MQTT traffic stream a little better in Wireshark. I found Wireshark Generic Dissector (WSGD) and thought it should be useful, since I had no desire to start writing C code for packet decoding. WSGD looks pretty interesting for writing decoders for private protocols and the like, but there aren’t many other examples of how it’s used. I got prompt, helpful support from the lead developer though, so even though it’s a little arcane, it’s still something I can recommend :)

MQTT decoding in Wireshark through WSGD

My decoding isn’t complete, by any means, but given the complete lack of any other examples out there, I thought this would probably be helpful, even in its current state. You’ll need to install WSGD as per the instructions at that site, and then you’ll need this zip….

Just follow the instructions here and by all means, let me know how you go :)

Update: 2014-02-01: There’s an alternative lua plugin, available on github. I haven’t tried it, but lua plugins are actually easier to use and extend. If I’d known about the lua plugin style (and known lua) at the time, I would have done it that way. Note, I haven’t actually _tried_ the lua plugin yet :)

12 Comments.

  1. Hi,
    I tried as per the steps to decode mqtt messages but was unable to do it. I was trying the sample applications and followed the instructions given here to decode mqtt messages. I am getting no mqttv1.3 messages in my wireshark 1.6.2. What could have gone wrong? I kept all three files (mqtt3.1.wsgd, mqtt3.1.fdesc, and generic.dll) in the plugins/1.6.2 folder and started wireshark, but I could not get any mqtt messages.
    Please let me know.
    Thanks & Regards
    Ajay

  2. Hi,

    With reference to my previous posting, I am properly getting MQTT messages. Sorry, there was a mistake on my part.

    Thanks & Regards
    Ajay

  3. Excellent :) Just as well, I didn’t really have any good ideas on what would have been wrong anyway :)

  4. Thanks…! Great work.
    I still haven’t tried it out, but this is so much help :)

    Cheers.

  5. Hello,

    For anyone scratching their heads after using this dissector, there is an error in the length of the payload of PUBLISH messages in mqtt3.1.fdesc (line 110).
    It should be accounting for the topic length:
        raw(rem_length - 2 - topic.string_length) payload;
    or you could also set the total packet size and use
        raw(*) payload;
    Still, extremely useful work, thanks a lot!
    Cheers
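The PUBLISH length arithmetic that comment 5 corrects, worked through in Python as an added example (this is not the post's WSGD dissector or its fdesc file, and the PUBLISH packet it builds is a constructed test vector). It decodes the variable-length "remaining length" field, then derives the payload size from the remaining length minus the 2-byte topic length, the topic itself, and the packet identifier that is present only for QoS 1 and 2:

```python
import struct

def encode_remaining_length(n: int) -> bytes:
    """MQTT 'remaining length': 7 bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)

def decode_remaining_length(buf: bytes, offset: int):
    """Returns (remaining_length, offset of the first byte after it)."""
    value, multiplier = 0, 1
    for i in range(4):                      # the spec allows at most 4 bytes
        b = buf[offset + i]
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")

def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 0) -> bytes:
    """Constructed test vector: an MQTT 3.1 PUBLISH with DUP and RETAIN clear."""
    t = topic.encode("utf-8")
    body = struct.pack(">H", len(t)) + t
    if qos:
        body += struct.pack(">H", packet_id)   # packet identifier only for QoS 1/2
    body += payload
    return bytes([0x30 | (qos << 1)]) + encode_remaining_length(len(body)) + body

def parse_publish(packet: bytes) -> dict:
    if packet[0] >> 4 != 3:                 # message type 3 = PUBLISH
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    rem_length, pos = decode_remaining_length(packet, 1)
    if len(packet) != pos + rem_length:
        raise ValueError("remaining length does not match packet size")
    (topic_len,) = struct.unpack_from(">H", packet, pos)
    topic = packet[pos + 2 : pos + 2 + topic_len].decode("utf-8")
    pos += 2 + topic_len
    packet_id = None
    if qos:
        (packet_id,) = struct.unpack_from(">H", packet, pos)
        pos += 2
    # Comment 5's correction: the payload is what remains after the 2-byte
    # topic length and the topic itself (and the packet id when QoS > 0).
    payload_len = rem_length - 2 - topic_len - (2 if qos else 0)
    if payload_len < 0:
        raise ValueError("topic longer than remaining length")
    return {"qos": qos, "topic": topic, "packet_id": packet_id,
            "remaining_length": rem_length, "payload_len": payload_len,
            "payload": packet[pos : pos + payload_len]}
```

A packet with a topic longer than 127 bytes of body exercises the two-byte remaining length, which is where a dissector that assumes a fixed offset for the payload goes wrong.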

  6. Thanks, great work.

    @emmanuel yeah, I was looking for it. Thanks

  7. Allison Schinagle

    Do you have a sample capture file of the traffic you decoded using this?

  8. Not that I have kept lying around, no. It’s kind of easy to capture your own though, why do you need a particular sample from me?

  9. For anyone who might be wondering why only replies (perhaps nothing at all?) get identified and decoded as protocol = MQTTv3.1, you might want to untick the “allow subdissector to reassemble TCP streams” option under “Protocol preferences” in the context menu for TCP messages, before you start pulling your hair out…

  10. Thank you for this…. as you say, there are very few other examples of this stuff online.

    My company uses a simple, custom protocol built in-house and I needed to build a descriptor. Eventually I was able to do it, in no small part thanks to your post.

    Thank you!
