I need to capture RTMP traffic between two virtual machines (server and client), or at least have the server and client on the same machine and capture the traffic. I am able to capture the traffic if I run Wireshark on the host rather than on the VMs. But I need to capture it on the VM to be able to manipulate it.
What VM host software are you using? What OS(es) is(are) the guests running? As j_bombay asked, what happens when you run Wireshark on a guest? – Gerald Combs Sep 26 '12 at 20:10
I am using VMWare Workstation. The guests are running Win XP Prof SP3 x86. When running Wireshark in the VM I see no RTMP packets. I am assuming that Wireshark is not decoding the packets as RTMP on its own. Is that the usual scenario? – ssn Oct 05 '12 at 00:32
Wireshark will show whatever traffic the underlying OS, NIC driver, and NIC hand it. Virtualization adds another layer of complexity to this and different VMware products and even different versions within the same product line require different tools and techniques. Depending on your host platform and the version of VMWare Workstation you're running you might have to run a separate capture utility (e.g. "vmnet-sniffer" or "vnetsniffer") or enable promiscuous mode in the VMWare network configuration. – Gerald Combs Oct 05 '12 at 16:21
1 Answer
So what happens when you run Wireshark on the VMs? I would turn off promiscuous mode, which will only monitor traffic being transmitted or received on that specific VM, instead of listening to all network traffic on the wire. Also I would make sure you are selecting the correct network interface from the drop-down menu if there are multiple interfaces, before I start the capture mode. What exactly are you seeing on the server and client VMs when you run Wireshark?

j_bombay
Whether I turn promiscuous mode ON/OFF, Wireshark does not capture any RTMP packets on both VMs (client and server) or on the single VM (client/server). As I mentioned in the comments above, I am assuming the packets are being decoded as TCP rather than RTMPT. Any ideas on this? – ssn Oct 05 '12 at 00:32
Based on this wiki entry you can look for activity in Wireshark with regard to TCP port 1935 for RTMP; otherwise RTMPT appears to be encapsulated in HTTP requests on ports 80 and 443: http://en.wikipedia.org/wiki/Real_Time_Messaging_Protocol – j_bombay Oct 05 '12 at 13:47
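The two hints in the thread (plain RTMP on TCP 1935, RTMPT tunnelled in HTTP POSTs) can be turned into a small classifier that tells you whether a capture contains RTMP even when Wireshark only labels the stream as TCP. The script below is an added example for this thread, not code from the question, the answer, or Wireshark. It relies only on the public RTMP specification: a plain RTMP session opens with C0 (one version byte, 0x03) followed by a 1536-byte C1 block whose first four bytes are a timestamp, and RTMPT carries RTMP chunks in HTTP POSTs to /open, /idle, /send and /close with Content-Type application/x-fcs. The sample segments, host names and ports in the SAMPLE list are constructed for the demo.

```python
"""Spot RTMP and RTMPT traffic in raw TCP payloads.

Added example for this thread (not from the original question or
answer). Facts used come from the public RTMP specification:
  - plain RTMP: C0 = single version byte 0x03, then C1 = 1536 bytes
    (4-byte timestamp, 4 zero bytes, 1528 random bytes);
  - RTMPT: HTTP POST to /open, /idle, /send or /close with
    Content-Type: application/x-fcs.
All sample packets below are constructed.
"""
import os
import re
import struct

RTMP_PORT = 1935
RTMPT_PORTS = (80, 443)          # ports named in the linked Wikipedia entry
C1_LEN = 1536                    # size of the C1/S1 handshake block
RTMPT_PATH = re.compile(rb"^/(open|idle|send|close)(/[^\s]*)?$")


def build_c0c1(timestamp: int) -> bytes:
    """Construct a client C0+C1 handshake (constructed test data)."""
    c1 = struct.pack(">I", timestamp) + b"\x00" * 4 + os.urandom(C1_LEN - 8)
    return b"\x03" + c1


def rtmp_handshake_timestamp(payload: bytes):
    """Return the C1 timestamp if the payload starts a plain RTMP handshake, else None."""
    if len(payload) < 1 + C1_LEN or payload[0] != 0x03:
        return None
    return struct.unpack(">I", payload[1:5])[0]


def rtmpt_command(payload: bytes):
    """Return the RTMPT command (open/idle/send/close) if the payload is an RTMPT POST, else None."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"POST":
        return None
    m = RTMPT_PATH.match(parts[1])
    if not m:
        return None
    headers = {k.strip().lower(): v.strip().lower()
               for k, _, v in (ln.partition(b":") for ln in lines[1:])}
    if headers.get(b"content-type") != b"application/x-fcs":
        return None
    return m.group(1).decode()


def classify(src_port: int, dst_port: int, payload: bytes) -> str:
    """Label one TCP segment. A bare port-1935 hit is reported as
    'rtmp-port-only' so that a capture showing only generic TCP on 1935
    is still flagged for manual inspection."""
    if rtmp_handshake_timestamp(payload) is not None:
        return "rtmp-handshake"
    cmd = rtmpt_command(payload)
    if cmd is not None:
        return f"rtmpt-{cmd}"
    if RTMP_PORT in (src_port, dst_port):
        return "rtmp-port-only"
    return "other"


def scan(segments):
    """Summarise a list of (src_port, dst_port, payload) tuples by label."""
    counts = {}
    for src, dst, data in segments:
        label = classify(src, dst, data)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample capture: one RTMP handshake, one RTMPT open on 80,
# one RTMPT send on a non-standard port, and one ordinary HTTP GET.
SAMPLE = [
    (51000, RTMP_PORT, build_c0c1(0x0001E240)),
    (51001, 80, b"POST /open/1 HTTP/1.1\r\nHost: media.example\r\n"
                b"Content-Type: application/x-fcs\r\nContent-Length: 1\r\n\r\n\x00"),
    (51002, 8080, b"POST /send/abcdef/3 HTTP/1.1\r\nHost: media.example\r\n"
                  b"Content-Type: application/x-fcs\r\nContent-Length: 0\r\n\r\n"),
    (51003, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, data in SAMPLE:
        print(f"{src} -> {dst}: {classify(src, dst, data)}")
    print(scan(SAMPLE))
```

Feed it TCP payloads exported from a capture (for example via tshark's field output) and a result of `rtmp-port-only` tells you the stream reached the VM but the dissector has not recognised it, while `other` everywhere means the packets never reached the guest's interface, which points back at the VMware networking question raised in the comments rather than at Wireshark's decoding.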