Ask Your Question
0

RabbitMQ/amqp not decoded

asked 2017-12-06 15:03:29 +0000

tlemons gravatar image

Hi - I'm using Wireshark v2.4.2 to display and decode a RabbitMQ exchange between two systems. I used tcpdump to create a capture; I did not use the '-s' option or anything else to limit the size of the packets that are captured.

Wireshark does display the packets and does not report an error. But it shows the protocol of 'TCP' for all of the packets, instead of decoding them. The exchange is received on the target system on port 5671. Knowing that the default amqp port is 5672, I used the Wireshark Analyze -> Decode As.. menu to set this decode value:

![Field       Value   Type                      Default    Current
TCP port  5671   Integer, base 10     (none)      AMQP](http://)

The TCP segment data in a PSH packet begins with: 16 03 01 00 38 01

I've found the amqp spec, but am having trouble figuring out if this is an amqp packet or not.

I tried to upload a screenshot, but I apparently need 'points'??

Suggestions, please!

Thanks tl

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-12-06 18:50:57 +0000

mrEEde gravatar image

The data you displayed is a client hello,

16 03 01 00 38 01

so the session is encrypted and you can decode the session as SSL to get it dissected

edit flag offensive delete link more

Comments

Thanks you for this explanation. I've reviewed the Wireshark SSL information. Last question: I know that Wireshark could not decode the conversation without the private key, but why didn't Wireshark tell me that a TLS handshake was occurring? It doesn't need the private key to tell that. Thanks!

tlemons gravatar imagetlemons ( 2017-12-07 04:39:00 +0000 )edit

Did you try using Decode As.. to set the protocol to SSL? As it's not a "normal" port for SSL, Wireshark doesn't do that automagically.

grahamb gravatar imagegrahamb ( 2017-12-07 08:03:45 +0000 )edit

That worked great, thanks for the suggestion! 'Forcing' port 5671 to use the SSL decoder allowed me to see that the classic TLS handshake is occurring successfully. After the handshake ends, I see dialogue to port 5671 labeled as 'Protocol' = TLSv1 and 'Info' = 'Application Data, Application Data'. Assuming I can get the private key being used, what is the correct way for me to view this aqmp over TLS conversation? Thanks for the help!

tlemons gravatar imagetlemons ( 2017-12-07 15:40:47 +0000 )edit

When you add a private key to the SSL preferences you can set the protocol that is being transport by SSL, in your case AMQP.

grahamb gravatar imagegrahamb ( 2017-12-08 16:52:27 +0000 )edit

Thanks for that information. I've found that one of the RabbitMQ conversations in our tests is not using TLS (it will soon). So Wireshark should be able to decode this clear text transmission of RabbitMQ v3.5.7, but it does not decode the exchange; the packets are just identified as 'TCP'. https://www.rabbitmq.com/changelog.html seems to indicate that RabbitMQ has had amqp support for many years. So what could be causing the latest version of Wireshark to be unable to decode amqp in a RabbitMQ conversation? Thanks!

tlemons gravatar imagetlemons ( 2017-12-10 05:58:07 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-12-06 15:03:29 +0000

Seen: 1,860 times

Last updated: Dec 06 '17