Since v3.0.0 Wireshark supports msgpack. I have a capture file containing msgpack messages encapsulated in UDP I want to dissect. The problem is that when I'm running:

tshark -r 1.pcap -d udp.port==60003,msgpack

I get the following message:

tshark: Protocol "msgpack" isn't valid for layer type "udp.port"
tshark: Valid protocols for layer type "udp.port" are:

The list of supported protocols contains msgpack:

tshark -G protocols | grep msgpack
Message Pack    MsgPack msgpack

Here is the link to example capture file: https://drive.google.com/file/d/1qZO-WKgTValghMjC4kM56B-M1FlYg5C2/view?usp=sharing

Alexey R.
  • If msgpack has a port number like HTTP, then you would be able to use the `-d` decode-as flag. msgpack is a JSON alternative, so I'm guessing not. Can you provide a link to the packet capture containing the protocol? – Ross Jacobs Dec 15 '19 at 18:54
  • Here is the link to example capture file: https://drive.google.com/file/d/1qZO-WKgTValghMjC4kM56B-M1FlYg5C2/view?usp=sharing – Alexey R. Dec 15 '19 at 19:12
  • I lied. You should be able to decode-as msgpack. This looks like a bug. I'll post an interim solution though VVV – Ross Jacobs Dec 16 '19 at 00:56

1 Answer

It is not possible to decode as msgpack in the latest 3.07 tshark & Wireshark (i.e. this looks like a bug). If you are feeling virtuous, you can file one.

You can still access the data layer that comes after layer 4. We can use shell magic to do the equivalent of decoding the layer with the file you provided:

# Unix-like (macOS/Linux/BSD) systems ship with xxd.
# WSL on Windows will also have it.
bash$ tshark -r msgpack.pcap -T fields -e data | xxd -p -r | msgpack2json && echo
{"message_type":"complete_caching","generation":123992}

Here, we

  • Print the data field with tshark as ASCII hex
  • Use xxd to convert from text hex to bin hex
  • Use msgpack2json from msgpack-tools to convert the binary data back to JSON.
Ross Jacobs
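Added example, not part of the answer above: the same hex-to-JSON step done per packet in Python, so that captures with several datagrams, packets without a data field, or truncated payloads are each handled on their own line instead of being concatenated by `xxd -p -r`. The names `unpack`, `decode_lines` and `SAMPLE` are hypothetical, and the decoder is a hand-written subset of MessagePack (no bin/ext types), not the msgpack-tools code.

```python
import json, struct

# Fixed-width scalars and length-prefixed types: type byte -> big-endian struct format.
SCALAR = {0xCA: ">f", 0xCB: ">d", 0xCC: ">B", 0xCD: ">H", 0xCE: ">I", 0xCF: ">Q",
          0xD0: ">b", 0xD1: ">h", 0xD2: ">i", 0xD3: ">q"}
CONST = {0xC0: None, 0xC2: False, 0xC3: True}
SIZED = {0xD9: (">B", "str"), 0xDA: (">H", "str"), 0xDB: (">I", "str"), 0xDC: (">H", "arr"),
         0xDD: (">I", "arr"), 0xDE: (">H", "map"), 0xDF: (">I", "map")}

def unpack(buf, pos=0):
    """Decode one MessagePack object at buf[pos]; return (value, next_pos)."""
    tag, pos = buf[pos], pos + 1
    if tag <= 0x7F: return tag, pos              # positive fixint
    if tag >= 0xE0: return tag - 0x100, pos      # negative fixint
    if tag in CONST: return CONST[tag], pos
    if tag in SCALAR:
        return struct.unpack_from(SCALAR[tag], buf, pos)[0], pos + struct.calcsize(SCALAR[tag])
    if 0xA0 <= tag <= 0xBF: kind, n = "str", tag & 0x1F
    elif 0x90 <= tag <= 0x9F: kind, n = "arr", tag & 0x0F
    elif 0x80 <= tag <= 0x8F: kind, n = "map", tag & 0x0F
    elif tag in SIZED:
        fmt, kind = SIZED[tag]
        n, pos = struct.unpack_from(fmt, buf, pos)[0], pos + struct.calcsize(fmt)
    else: raise ValueError(f"unsupported type byte 0x{tag:02x}")   # bin/ext not handled
    # A declared length or element count can never exceed the bytes left in the packet.
    if n > len(buf) - pos: raise ValueError("declared length exceeds packet")
    if kind == "str": return buf[pos:pos + n].decode("utf-8"), pos + n
    items = []
    for _ in range(2 * n if kind == "map" else n):
        item, pos = unpack(buf, pos)
        items.append(item)
    return (dict(zip(items[0::2], items[1::2])) if kind == "map" else items), pos

def decode_lines(lines):
    """Yield one JSON string (or an error note) per `tshark -T fields -e data` line."""
    for line in lines:
        hexstr = line.strip().replace(":", "")   # tolerate colon-separated hex
        if not hexstr: continue                  # packet without a data field
        try:
            buf = bytes.fromhex(hexstr)
            value, end = unpack(buf)
            if end != len(buf): raise ValueError("trailing bytes after object")
            yield json.dumps(value)
        except (ValueError, IndexError, TypeError, struct.error, RecursionError) as exc:
            yield f"# undecodable packet: {exc}"

# Constructed sample (not read from the capture): the answer's message, an empty line, a cut-off map.
SAMPLE = ["82ac6d6573736167655f74797065b0636f6d706c6574655f63616368696e67"
          "aa67656e65726174696f6ece0001e458", "", "82a26f6bc3"]
if __name__ == "__main__": print(*decode_lines(SAMPLE), sep="\n")
```

To use it on a real capture, feed the output lines of `tshark -r msgpack.pcap -T fields -e data` to `decode_lines` in place of `SAMPLE`.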