1. Overview
This document records how to use the Wireshark packet capture tool to capture MQTT packets carried over WebSocket.
Wireshark is a free and open-source network packet capture tool. Recent versions of Wireshark dissect MQTT carried directly over TCP out of the box, while MQTT carried over WebSocket (itself over TCP) needs a plugin to be dissected.
2. Installation
2.1 Install Wireshark
Download and install the latest version directly.
One installer step offers to use Npcap instead of WinPcap; check this box so that Wireshark can capture on loopback addresses such as 127.0.0.1.
2.2 Installing plugins
- First, create a new file named mqttws.lua on your computer and add the following code to it:
-- Post-dissector that reassembles MQTT control packets carried in WebSocket
-- payloads and hands them to Wireshark's built-in mqtt dissector.
local mqttws = Proto("mqttws", "MqttOnWebsocket")
local f_proto = ProtoField.uint8("mqttws.protocol", "Protocol", base.DEC)
local f_dir = ProtoField.uint8("mqttws.direction", "Direction", base.DEC, { [1] = "incoming", [0] = "outgoing" })
local f_text = ProtoField.string("mqttws.text", "Text")
mqttws.fields = { f_proto, f_dir, f_text }

-- Field extractors: is this frame a WebSocket frame, and what payload did it carry?
local wsField = Field.new("websocket")
local wsDataField = Field.new("data.data")

-- Reassembly state, filled on the first dissection pass and reused on later passes.
local pParsed = {}        -- frame number -> true once its payload has been buffered
local pMqttMsgIndex = {}  -- frame number -> index of the MQTT message completed in that frame
local mqttMsgTable = {}   -- message index -> ByteArray of accumulated payload bytes
local mqttMsgIndex = 0

-- Decode the MQTT "Remaining Length" varint that starts at byte 1 of the fixed
-- header. Returns the total packet length, or nil if more bytes are needed.
local function mqttPacketLength(bytes)
  local value, multiplier, i = 0, 1, 1
  while true do
    if i >= bytes:len() then return nil end
    local b = bytes:get_index(i)
    value = value + (b % 128) * multiplier
    multiplier = multiplier * 128
    i = i + 1
    if b < 128 then break end
    if i > 4 then return nil end -- malformed: MQTT allows at most 4 length bytes
  end
  return value + i -- i = type byte + number of length bytes
end

function mqttws.dissector(tvb, pinfo, tree)
  if wsField() == nil then return end -- not a WebSocket frame
  local dataField = wsDataField()
  if dataField == nil then return end -- WebSocket frame without a data payload

  if pParsed[pinfo.number] == nil then
    pParsed[pinfo.number] = true
    -- Append this frame's payload to the message currently being assembled.
    local mqttData = mqttMsgTable[mqttMsgIndex]
    if mqttData == nil then
      mqttData = dataField.range:bytes()
    else
      mqttData:append(dataField.range:bytes())
    end
    mqttMsgTable[mqttMsgIndex] = mqttData
    -- Once the fixed header says the whole packet has arrived, mark this frame
    -- as the one that completes it and start a fresh buffer for the next packet.
    local mqttMsgLength = mqttPacketLength(mqttData)
    if mqttMsgLength ~= nil and mqttMsgLength <= mqttData:len() then
      pMqttMsgIndex[pinfo.number] = mqttMsgIndex
      mqttMsgIndex = mqttMsgIndex + 1
    end
  end

  -- On every pass, hand the reassembled bytes of a completed message to the mqtt dissector.
  local msgIndex = pMqttMsgIndex[pinfo.number]
  if msgIndex ~= nil then
    local mqttTvb = mqttMsgTable[msgIndex]:tvb("Reassembled mqtt data")
    Dissector.get("mqtt"):call(mqttTvb, pinfo, tree)
  end
end

register_postdissector(mqttws)

-- Alternative registration, left commented out: bind WebSocket to TCP port 9001
-- and attach this dissector to the "mqtt" WebSocket subprotocol instead of
-- running it as a post-dissector.
--local websocket = Dissector.get("websocket")
--local tcp_dissector_table = DissectorTable.get("tcp.port")
--tcp_dissector_table:add(9001, websocket)
--local ws_dissector_table = DissectorTable.get("ws.protocol")
--ws_dissector_table:add("mqtt", mqttws)
- Find the file C:\Program Files\Wireshark\init.lua (if you have not changed the default installation directory) and add the following line at the end of it:
dofile("The path you saved\\mqttws.lua") -- replace with the full path to your mqttws.lua; backslashes in the path must be doubled
- Restart Wireshark
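The reassembly that the post-dissector above performs, written in Python as an added example (not part of the original page or the plugin) so the framing logic can be checked offline: WebSocket payload fragments are buffered until the MQTT fixed header's Remaining Length says a whole control packet has arrived. It additionally splits several MQTT packets that share one WebSocket frame, which the plugin does not do; the sample frames and packet contents are constructed.

```python
# Constructed stand-in for the Lua post-dissector: WebSocket frames may split
# one MQTT packet or carry several, so payload bytes are buffered until the
# fixed header's Remaining Length says a whole control packet has arrived.

# MQTT control packet type names, keyed by the high nibble of byte 0.
PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK",
                8: "SUBSCRIBE", 9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP",
                14: "DISCONNECT"}

def decode_remaining_length(buf):
    """Return (remaining_length, header_len), or None if the header is cut."""
    value, multiplier, i = 0, 1, 1
    while True:
        if i >= len(buf):
            return None                 # length bytes not all here yet
        byte = buf[i]
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        i += 1
        if byte & 0x80 == 0:
            return value, i             # i = type byte + length bytes
        if i > 4:                       # MQTT allows at most 4 length bytes
            raise ValueError("malformed Remaining Length")

def reassemble(fragments):
    """Feed WebSocket payloads in order; return [(type name, packet bytes)]."""
    packets, pending = [], b""
    for fragment in fragments:
        pending += fragment
        while pending:
            header = decode_remaining_length(pending)
            if header is None:
                break                   # need another fragment for the header
            remaining, header_len = header
            total = header_len + remaining
            if len(pending) < total:
                break                   # body not complete yet
            packet, pending = pending[:total], pending[total:]
            packets.append((PACKET_TYPES.get(packet[0] >> 4, "RESERVED"), packet))
    return packets

# Constructed sample: a PINGREQ plus the first 40 bytes of a 133-byte PUBLISH in
# one frame, the rest of the PUBLISH in the next (topic and payload are made up).
SAMPLE_PUBLISH = b"\x30\x82\x01" + b"\x00\x03a/b" + b"X" * 125
SAMPLE_FRAMES = [b"\xc0\x00" + SAMPLE_PUBLISH[:40], SAMPLE_PUBLISH[40:]]

if __name__ == "__main__":
    for name, raw in reassemble(SAMPLE_FRAMES):
        print(name, len(raw))
```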
3. Usage Guide
Working with Wireshark is usually divided into two steps: first capture, then analysis. Each step has its own kind of filter (capture filters and display filters), so don't confuse the two.
3.1 Capture
- First select the network card through which the data flows and start capturing:
Here I chose Adapter ...., the network card with the loopback address, because my service runs on this machine; I used the capture filter port 8001 because the WebSocket listener of the MQTT service is on this port.
- Click Start to begin capturing:
3.2 Analysis
- Wireshark will capture many TCP packets. Use display filters to show only the packets we want, for example websocket or mqtt.