
How to decode msgpack over TCP?

asked 2024-12-23 20:40:31 +0000

j4ll

updated 2024-12-24 05:22:14 +0000

Guy Harris

Using the latest Wireshark, I have a .pcapng containing lots of TCP packets that contain msgpack.

How can I decode the msgpack and convert it to JSON?

Either Windows or Linux will do, command line or UX or scripting, whatever works. Thank you.


Comments

Looks like the msgpack dissector was meant to be called from the dxl dissector.
Any chance your captures include dxl data?

https://gitlab.com/wireshark/wireshar...

"indeed there is msgpack dissector in Wireshark, but that can only be called from the Data Exchange Layer protocol ..."

Chuckc ( 2024-12-23 23:34:35 +0000 )

2 Answers


answered 2024-12-24 10:18:38 +0000

SYN-bit

On 16278: Unable to dissect UDP msgpack I found:

tshark -r - -T fields -e data udp.port==60003 | xxd -p -r | msgpack2json -c

Decoding a message to JSON needs 3 steps:

  1. Output the msgpack from Wireshark as hex data, which is easy for UDP as each message will be exactly one packet. How are the msgpack objects in your pcap file sent over TCP? Are they contained in one packet or are they segmented? And is there just one message per TCP stream or is there a sequence of messages? Are you able to share a pcap or is there sensitive information in it?
  2. Transform the hex data back to raw (binary) data with xxd -p -r
  3. Convert the binary msgpack data to JSON with msgpack2json
  4. (optional) add a loop around the tshark command to process each message separately

So IMHO the biggest challenge is not converting to JSON, it's extracting each message out of the TCP stream(s) in your pcap file. It might be easy (if each msgpack message is one TCP segment) or can be hard (if there is a continuous stream of msgpack messages). That all depends on the way the messages are sent in your case.
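One way to do the extraction this answer calls the biggest challenge, as an added example that is not part of the original answer or of Wireshark: a small Python decoder that buffers TCP payloads and emits JSON only once a whole msgpack object has arrived. The names (`messages`, `decode`, `take`, `SEGMENTS`) and the sample bytes are constructed for illustration; bin and ext types are not handled, and payloads are assumed to be supplied in stream order.

```python
import json
import struct

TYPES = [*range(0xca, 0xd4), *range(0xd9, 0xe0)]  # sized types; bin and ext not handled
FMT = {t: ">" + c for t, c in zip(TYPES, "fdBHIQbhiqBHIHIHI")}  # struct format per type
# Constructed sample: two messages split across three TCP payloads (hex, in stream order).
SEGMENTS = ["82a2696401a2", "6f6bc392a47069", "6e67cd012c"]

def take(work, n):  # remove and return the first n bytes of `work`
    if n > len(work):
        raise EOFError("object continues in a later segment")
    head = bytes(work[:n])
    del work[:n]
    return head

def decode(work):
    """Pop one msgpack object off the front of bytearray `work` and return its value."""
    b = take(work, 1)[0]
    if b <= 0x7f or b >= 0xe0:                     # positive / negative fixint
        return b if b <= 0x7f else b - 0x100
    if b in (0xc0, 0xc2, 0xc3):                    # nil, false, true
        return {0xc0: None, 0xc2: False, 0xc3: True}[b]
    if b in FMT:
        n = struct.unpack(FMT[b], take(work, struct.calcsize(FMT[b])))[0]
        if b <= 0xd3:                              # float or int: the field is the value
            return n
        kind = "str" if b <= 0xdb else "array" if b <= 0xdd else "map"
    elif 0x80 <= b <= 0xbf:                        # fixmap, fixarray, fixstr
        kind = "map" if b <= 0x8f else "array" if b <= 0x9f else "str"
        n = b & (0x1f if kind == "str" else 0x0f)
    else:
        raise ValueError(f"unhandled msgpack type byte 0x{b:02x}")
    if kind == "str":
        return take(work, n).decode("utf-8", "replace")
    if kind == "array":
        return [decode(work) for _ in range(n)]
    return dict((str(decode(work)), decode(work)) for _ in range(n))

def messages(payloads):
    """Yield JSON text for each complete msgpack message in one TCP stream's payloads."""
    buffer = bytearray()
    for payload in payloads:
        buffer.extend(payload)
        work = bytearray(buffer)                   # decode on a copy of the buffer
        try:
            while work:
                yield json.dumps(decode(work))
                buffer[:] = work                   # commit only after a whole message
        except EOFError:
            pass                                   # tail continues in the next payload
```

Feed it the per-packet hex that tshark prints, converted with `bytes.fromhex`, one TCP stream at a time. Retransmitted or out-of-order segments need to be dropped or reordered first.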


answered 2024-12-23 23:23:15 +0000

Chuckc

There is a sample capture attached to 16278: Unable to dissect UDP msgpack

Right-click the "Data" line in the Packet Details and set "Decode As..." to "msgpack".

