Debugging UPnP / DLNA via Wireshark

wireshark xml packet-sniffer upnp

12,146

Solution 1

look at this sample of PS3 <--> XP

http://www.braham.org/playfile.txt

filter 'tcp.port == 2869 && http.response' and
right click decode as HTTP
all the http that has: 'Content-Type: text/xml' in their header show the xml just fine

if you have code that send xml in http without say so in the header, it's not nice...

(in the this sample only "/ContentDirectory/scpd.xml" is being sent without content type)

Solution 2

Wireshark can reassemble packets to show you a complete view of a stream. Have a look at the docs. This will help you to look at the XML. It wont provide an analysis specific to DLNA.

If you want a nice view of the XML, I dont think Wireshark will do it directly, but if you copy / paste it in any good XML editor, it should do the trick. Even saving the XML as a fiel and opening it with Firefox or IE will do the trick.

12,146

Mikeage

Programming in one form or another (if BASIC counts) since 1986; Linux user (but not on the desktop) since 1993.

Updated on September 17, 2022

Comments

Mikeage over 1 year

Is there any way to parse / interpret the XMLs sent as part of a DLNA / UPnP using Wireshark, or any other network sniffer?

I can get the raw packets, but it would be nice to see them parsed, to make debugging easier.
- user3789902 over 13 years
  
  why do you need to use UPnP? i've never been much of a fan, allowing devices to circumvent a packet filter by sending unauthenticated packets seems some what dangerous.
- Guillaume over 13 years
  
  @user37899 : Opening firewall ports is only one aspect of UPnP. As the OP speaks of DLNA, I think he is using it to share media. This doesnt leave your local network, so it is mostly safe.
- Mikeage over 13 years
  
  Guillaume is correct.
- Mikeage over 13 years
  
  BTW, why vote to close? Leave comments if you have a constructive suggestion... [and make sure you know what DLNA means, and that your dislike of UPnP-IGD is an opinion, but not a fact (or relevant)]
Mikeage over 13 years

I've used follow stream, but parsing XML is not pleasant when there are no CRs/LFs as line endings (which, while ugly, is technically acceptable). A "beautifier" would be very nice.
Mikeage over 13 years

I know the protocol(s) fairly well, but I can't seem to get it to show the packets in a clear format. It's either reading hex dumps and the text column, or a long string. Follow TCP helps, but it still can be fairly ugly (especially without CR/LFs). Some way to display XML cleanly (with indentation, "collapse", etc) would be very nice.
Philip over 13 years

@Mikeage, it's more than technically acceptable, it's also efficient. Paste it into a text file and open it in FireFox/IE, it'll show up in a tree view.
Mikeage over 13 years

I don't think we should be too worried about saving 1 byte (2 for Windows, but Unix would be a better standard) when we're talking about XML!
morgant over 13 years

Is there a way to run the results of "TCP Follow" through HTML Tidy?
Guillaume over 13 years

@Mikeage You would be amazed how much you gain by suppressing whitespace in a typical XML document. Yes, that's by supressing all whitespace, not just CR/LF.
Mikeage over 13 years

No where near as much you'd get if the protocol used gzip ;) I'm not actually arguing that UPnP shouldn't suppress whitespace [my normal job is C coding for embedded devices; trust me, I value performance and memory...], and indeed, I wouldn't want the implementation to add whitespace. I would like an easy way to do it in wireshark...
Denys over 13 years

This is most likely the problem since Wireshark doesn't treat traffic over TCP port 2869 as HTTP (UPnP) by default. You can add 2869 to the list of HTTP ports permanently via "Edit→Preferences→Protocols→HTTP→TCP Ports". (BTW, playfile.txt is a pcap file; it should probably have a .pcap extension).
Mikeage over 13 years

the decode as HTTP worked much better than I thought I remember. It also handles the XML nicely ;)