Wireshark-bugs: [Wireshark-bugs] [Bug 12292] New: MQTT over SSL over port 443

Date: Fri, 25 Mar 2016 22:14:52 +0000
Bug ID 12292
Summary MQTT over SSL over port 443
Product Wireshark
Version Git
Hardware All
OS All
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 14445
Capture of MQTT conversation with the Facebook Messenger server

Build Information:
git commit 731c383f5f3948f97990345cef02258d29ad7108

Wireshark 2.1.0

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.5.1, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with libz 1.2.8, with GLib 2.46.2, without SMI, with c-ares
1.11.0, with Lua 5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos,
with GeoIP, with QtMultimedia, without AirPcap.

Running on Linux 4.4.5-1-ARCH, with locale C, with libpcap version 1.7.4, with
libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5.
Intel(R) Core(TM) i5-4690 CPU @ 3.50GHz (with SSE4.2)

Built using gcc 5.3.0.
--
Commit 5eda884 added support for MQTT over SSL over port 8883, which is the
standard port. However, the Facebook Messenger Android app has a variant of
MQTT that works over port 443, and is still identified by Wireshark as HTTP.

Attached pcap dump of an MQTT over SSL conversation (using 'whitehat' test
accounts, so nothing private in there). Used mitmproxy with SSLKEYLOGFILE to
decode SSL.

Worth noting that Facebook's variant uses the version string "MQTToT" (as
opposed to "MQTT" in 3.1.1 and "MQIsdp" in 3.1), and that the packets may
appear as malformed (the CONNECT payload is zlib compressed, for example), but
their headers should decode correctly.
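A worked example of the identification the report asks for, added here (it is not the reporter's code and not Wireshark's dissector): once the TLS layer is decrypted, a stream on port 443 can be told apart from HTTP by looking for an MQTT CONNECT packet whose protocol name is "MQTT", "MQIsdp" or "MQTToT", after which the fixed and variable headers decode normally even when the payload is zlib-compressed. The sample packets, the client-ID payload, the 64 KiB decompression cap and the protocol-level value used for the MQTToT sample are constructed or assumed, not taken from the attached capture.

```python
import struct
import zlib
KNOWN_PROTOCOL_NAMES = {b"MQTT", b"MQIsdp", b"MQTToT"}  # 3.1.1, 3.1, Facebook's variant
CONNECT = 1  # MQTT control-packet type, high nibble of the first byte

def decode_remaining_length(buf, off):
    """MQTT variable-length field: 7 bits per byte, MSB set means 'more'.
    Returns (value, offset after the field), or None if malformed."""
    value = 0
    for i in range(4):  # at most four bytes; falling through returns None
        if off + i >= len(buf):
            return None
        value |= (buf[off + i] & 0x7F) << (7 * i)
        if not buf[off + i] & 0x80:
            return value, off + i + 1

def parse_connect(buf):
    """Decode a CONNECT's variable header; None unless it names a known protocol."""
    if len(buf) < 2 or buf[0] >> 4 != CONNECT:
        return None
    hdr = decode_remaining_length(buf, 1)
    if hdr is None or hdr[0] < 2 or hdr[0] + hdr[1] > len(buf):
        return None  # malformed length, or the packet is truncated
    body = buf[hdr[1]:hdr[1] + hdr[0]]
    (name_len,) = struct.unpack_from(">H", body)
    name = body[2:2 + name_len]
    if name not in KNOWN_PROTOCOL_NAMES or len(body) < 6 + name_len:
        return None
    level, flags, keepalive = struct.unpack_from(">BBH", body, 2 + name_len)
    payload, compressed = body[6 + name_len:], False
    if payload and payload[0] & 0x0F == 8:  # zlib CMF byte says 'deflate'
        try:  # MQTToT zlib-compresses the payload; cap output (bomb guard)
            payload, compressed = zlib.decompressobj().decompress(payload, 1 << 16), True
        except zlib.error:
            pass
    return {"protocol": name.decode(), "level": level, "flags": flags,
            "keepalive": keepalive, "payload": payload, "zlib": compressed}

def build_connect(name, level, payload, flags=0x02, keepalive=60):
    # Fixed header, remaining length, variable header, then the payload.
    body = struct.pack(">H", len(name)) + name
    body += struct.pack(">BBH", level, flags, keepalive) + payload
    rem, enc = len(body), b""
    while True:  # remaining-length encoding, inverse of the decoder above
        rem, byte = divmod(rem, 128)
        enc += bytes([byte | 0x80 if rem else byte])
        if not rem:
            return bytes([CONNECT << 4]) + enc + body
# Constructed samples, not from the attached capture; the MQTToT level is assumed.
SAMPLE_MQTT = build_connect(b"MQTT", 4, b"\x00\x06client")
SAMPLE_MQTTOT = build_connect(b"MQTToT", 3, zlib.compress(b"\x00\x06client"))
```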
