
RabbitMQ/amqp not decoded


Hi - I'm using Wireshark v2.4.2 to display and decode a RabbitMQ exchange between two systems. I used tcpdump to create a capture; I did not use the '-s' option or anything else to limit the size of the packets that are captured.

Wireshark does display the packets and does not report an error. But it shows the protocol of 'TCP' for all of the packets, instead of decoding them. The exchange is received on the target system on port 5671. Knowing that the default amqp port is 5672, I used the Wireshark Analyze -> Decode As.. menu to set this decode value:

Field      Value   Type               Default   Current
TCP port   5671    Integer, base 10   (none)    AMQP

The TCP segment data in a PSH packet begins with: 16 03 01 00 38 01

I've found the amqp spec, but am having trouble figuring out if this is an amqp packet or not.

I tried to upload a screenshot, but I apparently need 'points'??

Suggestions, please!

Thanks tl

tlemons asked 2017-12-06 15:03:29 +0000


1 Answer


The data you displayed is a client hello,

16 03 01 00 38 01

so the session is encrypted and you can decode the session as SSL to get it dissected.

mrEEde answered 2017-12-06 18:50:57 +0000

Comments

Thank you for this explanation. I've reviewed the Wireshark SSL information. Last question: I know that Wireshark could not decode the conversation without the private key, but why didn't Wireshark tell me that a TLS handshake was occurring? It doesn't need the private key to tell that. Thanks!

tlemons (2017-12-07 04:39:00 +0000)

Did you try using Decode As.. to set the protocol to SSL? As it's not a "normal" port for SSL, Wireshark doesn't do that automagically.

grahamb (2017-12-07 08:03:45 +0000)

That worked great, thanks for the suggestion! 'Forcing' port 5671 to use the SSL decoder allowed me to see that the classic TLS handshake is occurring successfully. After the handshake ends, I see dialogue to port 5671 labeled as 'Protocol' = TLSv1 and 'Info' = 'Application Data, Application Data'. Assuming I can get the private key being used, what is the correct way for me to view this amqp over TLS conversation? Thanks for the help!

tlemons (2017-12-07 15:40:47 +0000)

When you add a private key to the SSL preferences you can set the protocol that is being transported by SSL, in your case AMQP.

grahamb (2017-12-08 16:52:27 +0000)

Thanks for that information. I've found that one of the RabbitMQ conversations in our tests is not using TLS (it will soon). So Wireshark should be able to decode this clear text transmission of RabbitMQ v3.5.7, but it does not decode the exchange; the packets are just identified as 'TCP'. https://www.rabbitmq.com/changelog.html seems to indicate that RabbitMQ has had amqp support for many years. So what could be causing the latest version of Wireshark to be unable to decode amqp in a RabbitMQ conversation? Thanks!

tlemons (2017-12-10 05:58:07 +0000)
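As an added example (not part of the original question, answer or comments), the following Python applies the answer's reasoning to the first bytes sent on a TCP connection: it tells a TLS handshake record (as seen on port 5671 here) from a plaintext AMQP protocol header and reports which Wireshark "Decode As" dissector fits. The byte layouts follow the TLS record format and the AMQP protocol header; the AMQP sample is constructed, the TLS sample is the six bytes from the question.

```python
# Added example, not from the original post. Classify the first bytes of a
# TCP stream so "just TCP" packets can be matched to the right dissector.
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
AMQP_MAGIC = b"AMQP"        # AMQP 0-9-1 and 1.0 protocol headers start with "AMQP"

TLS_HS_TYPES = {0x01: "ClientHello", 0x02: "ServerHello"}
# Record-layer version; the negotiated version is inside the handshake body,
# which is why many ClientHellos carry 03 01 regardless of what is agreed.
TLS_VERSIONS = {0x00: "SSL 3.0", 0x01: "TLS 1.0", 0x02: "TLS 1.1", 0x03: "TLS 1.2"}


@dataclass
class Classification:
    protocol: str
    detail: str
    decode_as: str          # dissector to choose in Analyze -> Decode As..


def classify_stream_start(data: bytes) -> Classification:
    """Identify TLS vs AMQP from the first bytes a peer sends."""
    # TLS record: type(1) version(2) length(2), then handshake type(1)
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        version = TLS_VERSIONS.get(data[2], f"3.{data[2]}")
        rec_len = int.from_bytes(data[3:5], "big")
        hs_name = TLS_HS_TYPES.get(data[5], f"handshake type 0x{data[5]:02x}")
        return Classification(
            "TLS", f"{hs_name}, record version {version}, record length {rec_len}", "SSL")
    # AMQP protocol header: "AMQP" protocol-id(1) major(1) minor(1) revision(1)
    if len(data) >= 8 and data[:4] == AMQP_MAGIC:
        proto_id, major, minor, rev = data[4], data[5], data[6], data[7]
        return Classification(
            "AMQP", f"protocol header id={proto_id} version {major}.{minor}.{rev}", "AMQP")
    return Classification("unknown", f"first bytes {data[:6].hex(' ')}", "")


# Sample inputs: the bytes quoted in the question, and a constructed
# AMQP 0-9-1 header as a plaintext client would send it.
TLS_SAMPLE = bytes.fromhex("16 03 01 00 38 01")
AMQP_SAMPLE = b"AMQP\x00\x00\x09\x01"

if __name__ == "__main__":
    for sample in (TLS_SAMPLE, AMQP_SAMPLE, b"\x00\x01\x02"):
        c = classify_stream_start(sample)
        print(f"{sample.hex(' '):24} -> {c.protocol}: {c.detail} (Decode As: {c.decode_as or 'n/a'})")
```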
