Reputation: 2300
I have a Spring app that talks to a RabbitMQ server. The message exchange is occurring through the STOMP protocol. My question is: why is my STOMP message not decoded? I have uploaded and installed the STOMP plugin for it: https://github.com/ficoos/wireshark-stomp-plugin (stomp.lua)
And still I see only what I suspect is the UTF-8 encoded message, which is not being represented properly. An image showing the problem
Is there a way I can recode/dissect exactly what is inside the message?
Addition 25 June 2015: I think I found my answer, i.e. the WebSocket protocol has something called a "masking key", which basically says that the traffic from client to server should be encoded with that random masking key value. As far as I understand, that is done in order to avoid problems with proxies. Now I believe that the problem is related to the Wireshark implementation, i.e. Wireshark decodes the payload correctly (the clear-text part of the Payload field is to be found in the field Unmask Payload), but when following the TCP Stream the UI most likely takes not the Unmask Payload value but the "Payload" value, i.e. the values before the XOR of the masking key is applied. I would really appreciate it if someone who knows Wireshark could confirm that. That would mean it's a bug or a feature (I am not sure) in Wireshark.
https://www.rfc-editor.org/rfc/rfc6455#section-5.3
Addition J Jul.
Added link to an example trace file https://yadi.sk/d/E1a6bPhfhfUAf
Upvotes: 1
Views: 1743
Reputation: 651
Looking at the stomp.lua Lua plugin you gave a link for on GitHub, it looks like it was only written to handle STOMP messages running natively on TCP, and even for that you'd have to set the TCP port number for it to decode, in Edit->Preferences->Protocol->STOMP (or right-click and do "Decode as...").
But your screenshot is of a websocket connection, and yes that uses a masking key... but Wireshark can actually de-mask it. Wireshark will show you both the masked and unmasked payload in the packet details pane. But the stomp.lua plugin won't dissect anything inside of that, for the reason I said earlier.
If you want help getting stomp.lua to be usable in a websocket, I'd suggest posting the question on ask.wireshark.org, or emailing [email protected]. In either case, it would help a lot if you could put a sample capture file (like the one in your screenshot) somewhere and provide a link to it.
Upvotes: 2
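An added example, not part of either post above and not code from stomp.lua or Wireshark: it unmasks one client-to-server WebSocket frame as described in RFC 6455 section 5.3 and then splits the recovered payload as a STOMP frame, which is the step the plugin does not perform inside a WebSocket. The sample frame, masking key and function names are constructed for illustration, and the STOMP parser is minimal (LF line endings, no header escaping).

```python
import struct

def build_masked_frame(payload: bytes, key: bytes) -> bytes:
    """Build a client text frame (FIN=1, opcode 0x1, MASK=1) as sample input."""
    assert len(payload) < 126 and len(key) == 4  # sample builder: short frames only
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return bytes([0x81, 0x80 | len(payload)]) + key + masked

def parse_ws_frame(data: bytes):
    """Return (opcode, masked_flag, unmasked_payload) for one complete frame."""
    if len(data) < 2:
        raise ValueError("truncated header")
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)          # MASK bit: set on client-to-server frames
    length = data[1] & 0x7F
    pos = 2
    if length == 126:                      # 16-bit extended payload length
        (length,) = struct.unpack_from("!H", data, pos)
        pos += 2
    elif length == 127:                    # 64-bit extended payload length
        (length,) = struct.unpack_from("!Q", data, pos)
        pos += 8
    key = b"\x00" * 4                      # unmasked frame: XOR with zeros is a no-op
    if masked:
        key = data[pos:pos + 4]
        pos += 4
    raw = data[pos:pos + length]
    if len(raw) != length or len(key) != 4:
        raise ValueError("truncated frame")
    # RFC 6455 section 5.3: octet i of the payload is XORed with key[i mod 4]
    return opcode, masked, bytes(b ^ key[i % 4] for i, b in enumerate(raw))

def parse_stomp(frame: bytes):
    """Split a STOMP frame into (command, headers, body); the body ends at NUL."""
    head, _, rest = frame.partition(b"\n\n")
    lines = head.decode("utf-8").split("\n")
    headers = dict(line.split(":", 1) for line in lines[1:] if line)
    return lines[0], headers, rest.split(b"\x00", 1)[0]

# Constructed sample: a STOMP SEND frame and a constructed 4-byte masking key.
STOMP = b"SEND\ndestination:/queue/test\ncontent-type:text/plain\n\nhello\x00"
KEY = bytes.fromhex("37fa213d")
WIRE = build_masked_frame(STOMP, KEY)

if __name__ == "__main__":
    op, masked, clear = parse_ws_frame(WIRE)
    print("masked bytes on the wire:", WIRE[6:26])
    print("after unmasking         :", clear[:20])
    print(parse_stomp(clear))
```

The masked bytes are what a raw view of the TCP stream contains, which is why the STOMP text is only readable after the XOR step.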