This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

analyzing protocol for a WiFi helicopter


I'm working on reverse engineering the protocol that's going between an iPhone app and a WiFi controlled helicopter.

It's complicated because the app sends 18 bytes of data every .04 seconds even if the control values do not change.

I already have a filter that selects only the packets with these messages. I have two problems:

  1. I get entries for packets where data was missed, I assume they were not captured. This clutters up the capture and makes it hard to read. What can I add to the filter to make it ignore the missed data and just show the successful captures?
  2. Is there any way I can export just the stream of 18 byte messages to look at with an external program?

asked 20 Jun '14, 16:57


MiloMindbender

Cool project! If it's TCP, click Edit -> Preferences, expand the Protocols list, find TCP, and unselect "Analyze TCP Sequence Numbers". To save just the data, right-click on any packet and select "Follow TCP Stream". In the dialog box, change the "Entire Conversation" drop-down box and select the stream (helicopter)->(wireshark). Select the ASCII radio button if you'd like, then click the Save button.

(20 Jun '14, 17:40) smp

One Answer:


Regarding #1:

What can I add to the filter to make it ignore the missed data

Hard to tell without an example. Is it possible to post a sample capture file somewhere (Google Drive, Dropbox, cloudshark.org)? Please add some information about the frame numbers where you have identified 'missing data'.

Regarding #2:

Is there any way I can export just the stream of 18 byte messages to look at with an external program?

Again, hard to tell without knowing the protocol (HTTP?). In general, you can use tshark on the CLI to print the payload of frames.

tshark -nr input.pcap -T pdml
tshark -nr input.pcap -V

These are only two generic ways to export the bytes. If you are able to post a sample capture file, we might be able to narrow it down to a better/different method.

Regards
Kurt

answered 21 Jun '14, 16:49


Kurt Knochner ♦
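Both problems in the question (hide the entries for data the sniffer missed, and export only the 18-byte messages) can also be handled outside Wireshark once the capture is saved. The following is an added example written for this page, not code from the thread or from the Wireshark project: a small Python pcap reader that tracks TCP sequence numbers per flow, drops retransmitted data, records where a segment was never captured (what Wireshark labels "TCP Previous segment not captured"), and keeps only the 18-byte payloads. It assumes the helicopter traffic is TCP over IPv4/Ethernet, which the thread never confirms, and it runs against a capture constructed inline rather than a real trace; all function and class names are my own.

```python
# Added example, not from the original thread. Assumes TCP over IPv4/Ethernet
# (unconfirmed in the thread) and uses a constructed pcap, not a real capture.
import struct
from dataclasses import dataclass, field

MSG_LEN = 18  # message size stated in the question


def _frame(seq, payload, sport=50000, dport=2000):
    """Constructed Ethernet/IPv4/TCP frame used only to build the sample capture."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([192, 168, 1, 2]), bytes([192, 168, 1, 1]))
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: five 18-byte messages, one retransmitted, one never captured."""
    msg = [bytes([i]) * MSG_LEN for i in range(1, 6)]
    frames = [
        _frame(1000, msg[0]),
        _frame(1018, msg[1]),
        _frame(1018, msg[1]),   # retransmission: same sequence number again
        _frame(1054, msg[3]),   # msg[2] at seq 1036 was dropped by the sniffer
        _frame(1072, msg[4]),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, fr in enumerate(frames):  # one record every 40 ms, as in the question
        out += struct.pack("<IIII", 1403300000, i * 40000, len(fr), len(fr)) + fr
    return out


def parse_pcap(data):
    """Yield (timestamp, frame bytes) from classic pcap data; pcapng is rejected."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file; save as pcap, not pcapng")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (flow, seq, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]  # strip Ethernet trailer padding
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[doff:]


@dataclass
class Extracted:
    messages: list = field(default_factory=list)  # (timestamp, 18-byte payload)
    gaps: list = field(default_factory=list)      # (timestamp, expected seq, bytes missing)
    retransmissions: int = 0


def extract_messages(pcap_bytes, msg_len=MSG_LEN):
    """Walk every TCP flow, drop repeated data, note holes, keep msg_len-byte payloads."""
    next_seq = {}
    res = Extracted()
    for ts, frame in parse_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None or not seg[2]:
            continue  # non-TCP or pure ACK: nothing to export
        flow, seq, payload = seg
        expected = next_seq.get(flow)
        if expected is not None and seq < expected:
            res.retransmissions += 1  # data already seen (32-bit wrap-around not handled)
            continue
        if expected is not None and seq > expected:
            res.gaps.append((ts, expected, seq - expected))  # "previous segment not captured"
        next_seq[flow] = seq + len(payload)
        if len(payload) == msg_len:
            res.messages.append((ts, payload))
    return res


def export_raw(res):
    """Concatenate the good messages so an external tool can read them 18 bytes at a time."""
    return b"".join(p for _, p in res.messages)


if __name__ == "__main__":
    r = extract_messages(build_sample_pcap())
    print(len(r.messages), "messages,", r.retransmissions, "retransmissions, gaps:", r.gaps)
```

Inside Wireshark the same split is the display filter `tcp.len == 18 && !tcp.analysis.flags`: the second clause hides retransmissions, the "previous segment not captured" entries and the other sequence-analysis annotations, while the first keeps only frames carrying exactly one message. On the command line, `tshark -r input.pcap -Y 'tcp.len == 18 && !tcp.analysis.flags' -T fields -e frame.time_relative -e tcp.payload` prints one hex payload per line for an external program. Two caveats: current Wireshark versions save pcapng by default, so the reader above expects a file saved as classic pcap, and the sequence tracking ignores 32-bit wrap-around, which is safe for a short capture of 18-byte messages but not for a long-running flow.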