
How to dissect UDP msgpack using Wireshark/tshark?


Since v3.0.0 Wireshark supports msgpack. I have a capture file containing msgpack messages encapsulated in UDP I want to dissect. The problem is that when I'm running:

tshark -r 1.pcap -d udp.port==60003,msgpack

I get the following message:

tshark: Protocol "msgpack" isn't valid for layer type "udp.port"
tshark: Valid protocols for layer type "udp.port" are:

The list of supported protocols contains msgpack:

tshark -G protocols | grep msgpack
Message Pack    MsgPack msgpack

Here is the link to example capture file: https://drive.google.com/file/d/1qZO-WKgTValghMjC4kM56B-M1FlYg5C2/view?usp=sharing


Solution

  • It is not possible to decode as msgpack in latest 3.07 tshark & Wireshark (i.e. this looks like a bug). If you are feeling virtuous, you can file one.

    You can still access the data layer that comes after layer 4. We can use shell magic to do the equivalent of decoding the layer with the file you provided:

    # Unix-like (Macos/Linux/BSD) systems ship with xxd.
    # WSL on Windows will also have it.
    bash$ tshark -r msgpack.pcap -T fields -e data | xxd -p -r | msgpack2json && echo
    {"message_type":"complete_caching","generation":123992}
    

    Here, we

    • Print the data field with tshark as ASCII hex
    • Use xxd to convert from text hex to bin hex
    • Use msgpack2json from msgpack-tools to convert the binary data back to JSON.
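As an added example (not part of the answer above), a stdlib-only Python decoder that replaces the xxd/msgpack2json stage when msgpack-tools is not installed: it reads the per-packet hex lines that `tshark -T fields -e data` prints, decodes the msgpack subset this kind of message uses, and rejects truncated input or trailing bytes. SAMPLE is a constructed hex string matching the payload shown on the page.

```python
import json
import struct

# Decoder for the msgpack subset small UDP telemetry messages use:
# fixmap, fixstr/str8, positive fixint, uint8/16/32. Anything else raises.
class MsgpackError(ValueError):
    pass

def _need(buf, pos, n):
    if pos + n > len(buf):
        raise MsgpackError("truncated message at offset %d" % pos)

def _decode(buf, pos):
    _need(buf, pos, 1)
    b, pos = buf[pos], pos + 1
    if b <= 0x7f:                                   # positive fixint
        return b, pos
    if 0x80 <= b <= 0x8f:                           # fixmap, b & 0x0f entries
        out = {}
        for _ in range(b & 0x0f):
            key, pos = _decode(buf, pos)
            out[key], pos = _decode(buf, pos)
        return out, pos
    if 0xa0 <= b <= 0xbf or b == 0xd9:              # fixstr or str8
        n = b & 0x1f
        if b == 0xd9:                               # str8 carries a 1-byte length
            _need(buf, pos, 1)
            n, pos = buf[pos], pos + 1
        _need(buf, pos, n)
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if b in (0xcc, 0xcd, 0xce):                     # uint8/16/32, big-endian
        fmt = {0xcc: ">B", 0xcd: ">H", 0xce: ">I"}[b]
        n = struct.calcsize(fmt)
        _need(buf, pos, n)
        return struct.unpack_from(fmt, buf, pos)[0], pos + n
    raise MsgpackError("unsupported type byte 0x%02x at offset %d" % (b, pos - 1))

def decode_msgpack(buf):
    """Decode exactly one msgpack object; trailing bytes are an error."""
    obj, pos = _decode(buf, 0)
    if pos != len(buf):
        raise MsgpackError("%d trailing bytes after object" % (len(buf) - pos))
    return obj

def decode_tshark_data(text):
    """Decode 'tshark -T fields -e data' output: one hex string per packet per line."""
    return [decode_msgpack(bytes.fromhex(line.strip()))
            for line in text.splitlines() if line.strip()]

# Constructed sample: the page's payload as tshark prints it (uint32 0x0001e458 == 123992).
SAMPLE = ("82" + "ac" + b"message_type".hex() + "b0" + b"complete_caching".hex()
          + "aa" + b"generation".hex() + "ce0001e458")

if __name__ == "__main__":
    for obj in decode_tshark_data(SAMPLE):
        print(json.dumps(obj, separators=(",", ":")))
```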