AMF decoding example

Question

i am trying to read some flex/amf traffic, but the lack of proper documentation / examples making it really hard.

Can someone please walk me through the decoding of the following rtmp/amf3 packet:

0x43, 0x00, 0x68, 0xcd, 0x00, 0x01, 0x33, 0x11, 0x00, 0x05, 0x00, 0x40, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x11, 0x0a, 0x81, 0x13, 0x4f, 0x66, 0x6c, 0x65, 0x78, 0x2e, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x69, 0x6e, 0x67, 0x2e, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x73, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x69, 0x6e, 0x67, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x0d, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x13, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x0f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x17, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x13, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x49, 0x64, 0x11, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x15, 0x74, 0x69, 0x6d, 0x65, 0x54, 0x6f, 0x4c, 0x69, 0x76, 0x65, 0x13, 0x74, 0x69, 0x6d, 0x65, 0xc3, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x09, 0x62, 0x6f, 0x64, 0x79, 0x01, 0x06, 0x29, 0x6c, 0x69, 0x73, 0x74, 0x41, 0x6c, 0x6c, 0x50, 0x72, 0x61, 0x63, 0x74, 0x69, 0x63, 0x65, 0x47, 0x61, 0x6d, 0x65, 0x73, 0x0a, 0x0b, 0x01, 0x21, 0x44, 0x53, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x04, 0x3c, 0x15, 0x44, 0x53, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x06, 0x11, 0x6d, 0x79, 0x2d, 0x72, 0x74, 0x6d, 0x70, 0x73, 0x09, 0x44, 0x53, 0x49, 0x64, 0x06, 0x49, 0x42, 0x45, 0x32, 0x34, 0x31, 0x32, 0x33, 0x34, 0x2d, 0x31, 0x45, 0x31, 0x39, 0x2d, 0x30, 0x33, 0x43, 0x33, 0x2d, 0x39, 0x30, 0x34, 0x43, 0x2d, 0x32, 0x31, 0x36, 0x33, 0x36, 0x36, 0x30, 0x41, 0x42, 0x34, 0x37, 0x46, 0x01, 0x06, 0x17, 0x67, 0x61, 0x6d, 0x65, 0x53, 0x65, 0xc3, 0x72, 0x76, 0x69, 0x63, 0x65, 0x06, 0x49, 0x31, 0x34, 0x43, 0x30, 0x46, 0x42, 0x38, 0x30, 0x2d, 0x46, 0x37, 0x43, 0x34, 0x2d, 0x42, 0x42, 0x34, 0x42, 0x2d, 0x31, 0x46, 0x32, 0x34, 0x2d, 0x34, 0x39, 0x36, 0x32, 0x38, 0x30, 0x42, 0x38, 0x39, 0x33, 0x42, 0x38, 0x01, 0x04, 0x00, 0x04, 0x00, 0x09, 0x01, 0x01

My Attemps:

0x43 - 0100 0011 : [01] - type 1 = rtmp header will be 7 bytes. Stream ID - 3, will be in this single byte.

Also managed to read the following with shifting the UTF 1 bit to get the length:

0x4f: flex.messaging.messages.RemotingMessage

0x0d: source

0x13: operation

0x0f: headers

0x17: destination

0x13: messageId

0x11: clientId

0x15: timeToLive

Here my guessing stops, "time" / "stamp" does not seem to work. Of course i am failing to understand how all the other bytes are encoded (objects / arrays etc);

Answer 1

I'd start by reading

AMF0

AMF3

Some more examples can be found on Wikipedia.

And then the RTMP Specification which you probably won't need.

Next, you could look into the source code of FluorineFX. That got me started to understand things. Sources FluorineFX. What I did was setting breakpoints in the FluorineFX source code and then making a call from a Flex application. Then I could step throught the FluorineFX source code to understand things (with next to me the AMF specifications).

The specifications are hard to read, but they are really all you need to parse the bytes.

Maybe also have a look at this JavaScript AMF project.

Answer 2

0x43, 0x00, 0x68, 0xcd, 0x00, 0x01, 0x33, 0x11

1byte+7bytes RTMP header data [0]

0x00, 0x05, 0x00, 0x40, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05

Flex magic bytes, something to do with invoke version, id, etc

0x11

start of AMF3 data

0x0a.....

AMF3 object, and regular AMF3 encoding [1]

Note about RTMP, it chunks the AMF data to minimum 128 bytes, which will be followed by a single header byte (not part of AMF), eg 0xc3 in above example.

Answer 3

Use Charles to parse the AMF! http://www.charlesproxy.com/documentation/additional/amf/