Wireshark captures MQTT messages over WebSocket

1. Overview

This document records how to use the Wireshark packet capture tool to capture MQTT packets carried over WebSocket.

Wireshark is a free and open source network packet capture tool. Newer versions of Wireshark dissect TCP-based MQTT messages directly, while MQTT messages carried over WebSocket need to be handled through a plug-in.

2. Installation

2.1 Install Wireshark

Download and install the latest version directly:

https://www.wireshark.org/#download

One installation step prompts you to use Npcap instead of WinPcap; check this box so that Wireshark can capture traffic on loopback addresses such as 127.0.0.1.

2.2 Installing plugins

  1. First, create a new file named mqttws.lua on your computer and add the following code to it:


local mqttws = Proto("mqttws", "MqttOnWebsocket")

local f_proto = ProtoField.uint8("mqttws.protocol", "Protocol", base.DEC)
local f_dir = ProtoField.uint8("mqttws.direction", "Direction", base.DEC, { [1] = "incoming", [0] = "outgoing" })
local f_text = ProtoField.string("mqttws.text", "Text")

mqttws.fields = { f_proto, f_dir, f_text }

-- Field extractors must be created at load time, before any packet is dissected.
local wsField = Field.new("websocket")
local wsDataField = Field.new("data.data")

-- Per-capture state: frames already processed on the first pass, frame number
-- to MQTT message index, and the (possibly still partial) bytes of each message.
local pParsed = {}
local pMqttMsgIndex = {}
local mqttMsgTable = {}
local mqttMsgIndex = 0

-- Decode the MQTT fixed header: one control byte followed by a 1 to 4 byte
-- variable-length "Remaining Length". Returns the total message length, or nil
-- if the header is not complete yet (more WebSocket frames are needed).
local function mqttMessageLength(bytes)
	local value, multiplier, i = 0, 1, 1
	repeat
		if i >= bytes:len() or i > 4 then return nil end
		local b = bytes:get_index(i)
		value = value + (b % 128) * multiplier
		multiplier = multiplier * 128
		i = i + 1
	until b < 128
	return value + i
end

function mqttws.dissector(tvb, pinfo, tree)
	if wsField() == nil then return end
	local dataField = wsDataField()
	if dataField == nil then return end
	if pParsed[pinfo.number] == nil then
		-- First pass over this frame: append its WebSocket payload to the current message.
		pParsed[pinfo.number] = true
		local mqttData = mqttMsgTable[mqttMsgIndex]
		if mqttData == nil then
			mqttData = dataField.range:tvb():bytes()
		else
			mqttData:append(dataField.range:tvb():bytes())
		end
		mqttMsgTable[mqttMsgIndex] = mqttData
		local mqttMsgLength = mqttMessageLength(mqttData)
		if mqttMsgLength ~= nil and mqttMsgLength <= mqttData:len() then
			-- Message complete: this frame finishes message mqttMsgIndex; start a new one.
			pMqttMsgIndex[pinfo.number] = mqttMsgIndex
			mqttMsgIndex = mqttMsgIndex + 1
		end
	end
	-- Every pass (including re-dissection): hand the reassembled bytes to the built-in MQTT dissector.
	local msgIndex = pMqttMsgIndex[pinfo.number]
	if msgIndex ~= nil then
		local mqttTvb = ByteArray.tvb(mqttMsgTable[msgIndex], "Reassembled mqtt data")
		Dissector.get("mqtt"):call(mqttTvb, pinfo, tree)
	end
end

register_postdissector(mqttws)
-- Alternative: register as a WebSocket subprotocol dissector instead of a post-dissector.
--local websocket = Dissector.get("websocket")
--local tcp_dissector_table = DissectorTable.get("tcp.port")
--tcp_dissector_table:add(9001, websocket)
--local ws_dissector_table = DissectorTable.get("ws.protocol")
--ws_dissector_table:add("mqtt", mqttws)

  2. Find the file C:\Program Files\Wireshark\init.lua (if you have not changed the default installation directory) and add the following line at the end of the file:


dofile("The path you saved\\mqttws.lua")
  3. Restart Wireshark.
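To check the reassembly rule the plugin relies on without loading it into Wireshark, here is an added Python model of the same logic (example code, not part of the original page or of mqttws.lua): WebSocket data payloads are fed in capture order, the MQTT fixed header's variable-length Remaining Length is decoded, and complete MQTT control packets are returned, including several packets carried in one frame. The payloads in the test are constructed by hand.

```python
# Added example, not from the original page: a Python model of the reassembly
# rule mqttws.lua applies. WebSocket data payloads are fed in capture order;
# complete MQTT control packets come back once their fixed header says the
# Remaining Length has fully arrived. Sample payloads are constructed.

MQTT_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 8: "SUBSCRIBE",
              9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT"}


def remaining_length(buf, offset=1):
    """Decode the 1-4 byte MQTT varint at buf[offset:] -> (value, bytes_used),
    or None when the buffer ends before the varint is complete."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(buf):
            return None
        b = buf[offset + i]
        value += (b & 0x7F) * multiplier
        if not b & 0x80:          # high bit clear: last varint byte
            return value, i + 1
        multiplier *= 128
    raise ValueError("malformed Remaining Length: more than 4 bytes")


class MqttReassembler:
    """Accumulates WebSocket payloads and splits them into MQTT packets."""

    def __init__(self):
        self.buf = b""

    def feed(self, ws_payload):
        self.buf += ws_payload
        packets = []
        while self.buf:
            decoded = remaining_length(self.buf)
            if decoded is None:
                break                       # fixed header still incomplete
            rem, nbytes = decoded
            total = 1 + nbytes + rem        # control byte + varint + body
            if len(self.buf) < total:
                break                       # body still incomplete
            packets.append(self.buf[:total])
            self.buf = self.buf[total:]     # leftover starts the next packet
        return packets


def packet_type(packet):
    # Control packet type lives in the high nibble of the first header byte.
    return MQTT_TYPES.get(packet[0] >> 4, "UNKNOWN")
```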

3. Usage Guide

Wireshark packet capture and analysis is usually divided into two steps: the first step is capture, the second is analysis. Each step has its own filter syntax (capture filters versus display filters), so don't confuse them.

3.1 Capture

  1. First select the network card through which the data flows and capture the packet:
[Screenshot: Wireshark MQTT Websocket interface selection]

Here I chose Adapter ..., the network card with the loopback address, because my service runs on this machine; I used the capture filter port 8001 because the WebSocket endpoint of the MQTT service works on this port.

  2. Select Start to enter capture mode:

3.2 Analysis

  1. Wireshark will capture packets at several layers (tcp, websocket, mqtt). At this point we can use the display filter mqtt to show only the packets we want: