how do I see my command + why does wireshark not show certain connections?

asked 2020-10-11 07:21:51 +0000

ilan
1

I bought a TP Link tapo camera and want to use a FOSS (Free Open Source Software) program, ZoneMinder to control it.

I can do the streaming via ZoneMinder but the tilt/pan/zoom doesn't work. I decided that Wireshark is the ideal tool to see what is going on. The camera uses port 554 for both streaming and TPZ and there are naturally hundreds of packets to look through.

I decided to use port 555 which would be refused so that I could pick up a much smaller number of packets. The error message I pick up in the ZM log is:

2020-10-11 09:28:25 zmcontrol_2 933 ERR Error check failed: '500 Can't connect to 192.168.0.18:555 (Connection refused)' for URL http://192.168.0.18:555/decoder_contr...

When I used 192.168.0.18:554/decoder_control.cgi?command=1&user=admin&pwd=admin (i.e. the proper port of 554 instead of the bogus 555) I would get a reasonable error message

Error check failed: '405 Method Not Allowed' for URL http://192.168.0.18:554/decoder_contr...

My intention in using Wireshark is to see the string "decoder_control.cgi?command=0&user=admin&pwd=" passed in a given packet. I don't have 60 points so I can't upload an image to show you what I see, but I do see the few packets with port 555, and nowhere inside any of those packets do I see the command which is being passed.

The second question I want to ask is why I can't see the traffic between my camera and the IP which controls the camera, not from inside Zone Minder but rather from the smart phone app. All I see when using the smart phone app is a couple of packets broadcasting the message - who is using 192.168.0.18? No traffic on the streaming and no packets on TPZ. Why should I be blind to what is going on in my home LAN from a specific source?

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2020-10-12 07:55:40 +0000

hugo.vanderkooij
76 ●182 ●4

Actualy if you do a packet capture and just use the right mouse clcik and use follow tcp session you can look at just that session that the packet belongs to. And as a bonus you get the HTTP conversation in red and blue in a seperate window.

That might just be what you are looking for.

edit flag offensive delete link

Comments

Thanks. I tried follow tcp session and then used the Find button to look for 'command'. It found no matches, so I looked for 'decoder' and again no matches. The entire conversation is 1812kB, which looks somewhat long for such a simple command. I would sort of expect to find '192.168.0.18:554/decoder_control.cgi?command=1&user=admin&pwd=admin' or at least part of that string somewhere in the packet. My main reason for doing this is to see what command the tapo server gives and how it is different from my command. So I need to find something which makes sense.

ilan ( 2020-10-12 08:21:38 +0000 )edit

add a comment

answered 2020-10-11 17:39:52 +0000

Chuckc
2858 ●5 ●567 ●19

All good (TCP) conversations start with a handshake. (Or an elbow bump in 2020).
The wiki page HTTP briefly mentions this:

a connection is initiated via TCP to the web server (SYN; SYN,ACK; ACK).

Check the http.cap sample capture or the first minute of this video. Without an open TCP connection, things don't proceed to sending HTTP and the browser shows ERR_CONNECTION_REFUSED.

For the second question on capture, it might help to make a diagram. (Wired network examples)
Assuming your phone has a wireless connection, look at WLAN capture and Monitor mode which is very much YMMV depending on the OS you're trying to make the capture with.

edit flag offensive delete link

Comments

Thanks for your explanation. I'll have to do some experimenting, but I certainly have enough to look into the second part of my question.

The first part is still not clear to me. The port for the camera on 192.168.0.18 is 554. I put in the bogus 555 just to reduce the number of packets I would see. Still even with the bogus port, I'm pretty sure I constructed the packet with all the proper information so that the camera could have answered if the port had been correct. I wanted to see if I could get a hint of the command string "decoder_control.cgi?command=0&user=admin&pwd=" SOMEWHERE inside the packet which was sent.

Obviously the camera isn't listening on port 555 so it refused connection. If I knew where to look for the command string, I could sift through the mess on ...(more)

ilan ( 2020-10-12 06:17:21 +0000 )edit

First of all my OS is Ubuntu 20.04. I have a router provided by my ISP. My camera is on a wireless connection to the router and this computer (running Wireshark) uses a wired connection. My goal is to capture packets from the tapo server to the camera, using this computer.

I use a capture filter of host=192.168.0.18, which is the camera address. I think I understand from the documentation you pointed to that the router itself may send the tapo traffic directly to the camera ip and this computer may not see it.

I looked at the router base 192.168.0.1 to see if I need to change something there. I don't see any promiscuous mode. The closest thing I see 'WAN blocking' which is checked. I'm not sure what it really means, but I don't think it is ...(more)

ilan ( 2020-10-12 09:36:36 +0000 )edit

I decided to do a simpler experiment. I am streaming from the tapo camera to this desktop computer. I can capture the camera via a capture filter of host 192.168.0.18. Then I took my laptop which also is connected via a wireless connection to my LAN and loaded Wireshark on it.

From my laptop I tried to see the streaming from the camera to the desktop. All I can pick up are occasional packets from the camera to the tapo server at 239.255.255.250. These are of type IGMPv2 which is a Membership group report. None of the commands from the desktop to the camera, nor the streaming from the camera to the desktop, can be seen on the laptop.

It seems like my ISP router is filtering out all the traffic which isn't a broadcast command. This is in spite of the promiscuous ...(more)

ilan ( 2020-10-12 10:42:41 +0000 )edit

If the connection is not encrypted, you can do a text search for the command string:

frame contains "decoder_control"

Chuckc ( 2020-10-12 14:41:38 +0000 )edit

I noticed that the protocol is https and Wireshark is not the same application as ZoneMinder, so it is not surprising that I cannot see the string. Thanks to your generous help as well as your superb documentation, I was able to learn more about what Wireshark can and cannot do. The router documentation explained why I wasn't seeing any packets from the tapo server, so all my questions are now clear to me. Thanks again.

You have a nice product and the user needs to know how to use it.

ilan ( 2020-10-13 05:18:55 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

how do I see my command + why does wireshark not show certain connections?

2 Answers

Comments

Comments

Your Answer

Question Tools

Stats

how do I see my command + why does wireshark not show certain connections? edit

2 Answers

Comments

Comments

Your Answer

Question Tools

Stats

how do I see my command + why does wireshark not show certain connections?