
I found a few samples on the web on tracking RTMP (Real Time Messaging Protocol) with Wireshark, but they don't work for me. All RTMPT packets are rendered as basic TCP packets like this:

149 14.324999   85.115.xxx.xxx  192.168.1.20    TCP macromedia-fcs > 54557 [ACK] Seq=1 Ack=1452 Win=69 Len=0

I'm using Wireshark 1.2.8 with all protocols installed on Windows Vista.

What can I do to fix it?

Thanks!

Andrew
  • Does the RTMPT dissector in Wireshark just cover RTMP, or does it also have the capability to dissect RTMPS, RTMPE and other FMS protocols? – ssn Sep 05 '12 at 22:20

1 Answer

Wireshark relies on a few heuristics to decide how to decode a stream. One of them is the port number.

The first item to check: is the RTMP using the standard port 1935 in this capture? If not, tell Wireshark how to decode it (see the last step below).

The second item to check: turn on heuristics: Edit → Preferences → Protocols → TCP → Try heuristic sub-dissectors first.

If all else fails, brute force: right-click one of the packets → Decode As... → RTMP.

Christian Garbin
  • Thanks! It works for most of the packets with the second option (Try heuristic sub-dissectors first). – Andrew May 11 '10 at 14:47
  • It does not work well for me. I am trying to monitor an adaptive-rate Flash player changing bit rates and can't reliably filter all the control traffic. The advice provided has helped but has not fully resolved the issue. Are there any other tools out there that do work? –  Mar 20 '11 at 18:46
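The answer's three steps (standard port, heuristic sub-dissectors, Decode As...) are three different ways a capture tool can decide that a TCP stream is RTMP. The Python below is an added example written for this page, not Wireshark code and not from the original post: it models that decision order on a constructed client handshake. The handshake layout (C0 = one version byte, 0x03 for plain RTMP and 0x06 for RTMPE; C1 = 4-byte time, 4-byte zero field, 1528 random bytes) follows Adobe's RTMP specification; the `PORT_TABLE`, the function names and the exact ordering are simplifying assumptions made here, and the heuristic shown is only roughly what a content heuristic can check, not the check Wireshark's RTMPT dissector actually performs.

```python
"""Toy model of how a capture tool picks a dissector for an unknown TCP stream:
an explicit "Decode As" override, a port table, and a content heuristic
that recognises the RTMP client handshake. Added example; the decision order
and PORT_TABLE are simplifying assumptions, not Wireshark's real logic."""
import struct

RTMP_DEFAULT_PORT = 1935
RTMP_VERSION = 0x03       # C0 for plain RTMP
RTMPE_VERSION = 0x06      # C0 for the encrypted (RTMPE) handshake
C1_SIZE = 1536            # 4 bytes time + 4 bytes zero field + 1528 random bytes

# Assumed port-to-dissector table (hypothetical, only two entries for the demo).
PORT_TABLE = {RTMP_DEFAULT_PORT: "rtmp", 80: "http"}


def parse_c0c1(payload: bytes):
    """Return (version, time, zero_field) if payload begins with a complete
    C0+C1, otherwise None (too short: capture started mid-stream or truncated)."""
    if len(payload) < 1 + C1_SIZE:
        return None
    version = payload[0]
    time_field, zero_field = struct.unpack(">II", payload[1:9])
    return version, time_field, zero_field


def looks_like_rtmp(payload: bytes) -> bool:
    """Content heuristic: plain RTMP clients open with C0 = 0x03 and a 1536-byte C1.
    The zero field is deliberately not required to be zero: newer Flash clients
    put a version number there. An RTMPE handshake (0x06) is rejected, so an
    encrypted stream on a non-standard port still needs Decode As."""
    parsed = parse_c0c1(payload)
    return parsed is not None and parsed[0] == RTMP_VERSION


def classify_stream(server_port, first_client_payload, try_heuristic_first=False, decode_as=None):
    """Assumed decision order: Decode As override, then either heuristic-then-port
    or port-then-heuristic depending on the preference, then plain TCP."""
    if decode_as is not None:
        return decode_as
    by_port = PORT_TABLE.get(server_port)
    by_heuristic = "rtmp" if looks_like_rtmp(first_client_payload) else None
    if try_heuristic_first:
        return by_heuristic or by_port or "tcp"
    return by_port or by_heuristic or "tcp"


def build_c0c1(version=RTMP_VERSION, time_field=0, zero_field=0) -> bytes:
    """Constructed sample client handshake (not captured traffic)."""
    random_part = bytes(i & 0xFF for i in range(C1_SIZE - 8))
    return bytes([version]) + struct.pack(">II", time_field, zero_field) + random_part


if __name__ == "__main__":
    handshake = build_c0c1()
    for port, payload, heur in [(1935, b"\x00" * 10, False),
                                (8080, handshake, False),
                                (80, handshake, False),
                                (80, handshake, True),
                                (8080, handshake[:100], True),
                                (8080, build_c0c1(version=RTMPE_VERSION), True)]:
        print(port, heur, "->", classify_stream(port, payload, try_heuristic_first=heur))
    print(8080, "decode_as ->", classify_stream(8080, b"x", decode_as="rtmp"))
```

Two things the model makes visible that the GUI steps do not: a port-based dissector registered on the port (HTTP on 80 here) wins over the handshake heuristic unless "Try heuristic sub-dissectors first" is on, and any content heuristic needs the handshake to be in the capture, so a trace started after the stream was already up, or a capture with the 1537 handshake bytes missing, can only be fixed with Decode As. The same three steps exist on the command line for batch work: `tshark -o tcp.try_heuristic_first:TRUE` enables the heuristic preference and `tshark -d tcp.port==8080,rtmpt` is the Decode As equivalent for a non-standard port (Wireshark's dissector for both RTMP and RTMPT is named `rtmpt`).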