2

Is there any way to parse / interpret the XMLs sent as part of a DLNA / UPnP using Wireshark, or any other network sniffer?

I can get the raw packets, but it would be nice to see them parsed, to make debugging easier.

Mikeage
  • Why do you need to use UPnP? I've never been much of a fan; allowing devices to circumvent a packet filter by sending unauthenticated packets seems somewhat dangerous. – The Unix Janitor Oct 14 '10 at 08:55
  • @user37899 : Opening firewall ports is only one aspect of UPnP. As the OP speaks of DLNA, I think he is using it to share media. This doesn't leave your local network, so it is mostly safe. – Guillaume Oct 14 '10 at 09:35
  • Guillaume is correct. – Mikeage Oct 14 '10 at 12:41
  • BTW, why vote to close? Leave comments if you have a constructive suggestion... [and make sure you know what DLNA means, and that your dislike of UPnP-IGD is an opinion, but not a fact (or relevant)] – Mikeage Oct 14 '10 at 12:45

3 Answers

4

Look at this sample of PS3 <--> XP:

http://www.braham.org/playfile.txt

  1. Filter on 'tcp.port == 2869 && http.response'.
  2. Right-click and choose "Decode As" HTTP.
  3. All the HTTP messages that have 'Content-Type: text/xml' in their header show the XML just fine.

If you have code that sends XML in HTTP without saying so in the header, it's not nice...

(In this sample, only "/ContentDirectory/scpd.xml" is being sent without a content type.)

Fruch
  • 1
    This is most likely the problem since Wireshark doesn't treat traffic over TCP port 2869 as HTTP (UPnP) by default. You can add 2869 to the list of HTTP ports permanently via "Edit→Preferences→Protocols→HTTP→TCP Ports". (BTW, playfile.txt is a pcap file; it should probably have a .pcap extension). – Gerald Combs Jan 10 '11 at 20:18
  • the decode as HTTP worked much better than I thought I remember. It also handles the XML nicely ;) – Mikeage Jan 11 '11 at 11:54
  • The sample file is no longer available! – sebix Oct 04 '15 at 15:18
1

Wireshark can reassemble packets to show you a complete view of a stream. Have a look at the docs. This will help you to look at the XML. It won't provide an analysis specific to DLNA.

If you want a nice view of the XML, I don't think Wireshark will do it directly, but if you copy / paste it in any good XML editor, it should do the trick. Even saving the XML as a file and opening it with Firefox or IE will do the trick.

Guillaume
  • I've used follow stream, but parsing XML is not pleasant when there are no CRs/LFs as line endings (which, while ugly, is technically acceptable). A "beautifier" would be very nice. – Mikeage Oct 14 '10 at 12:41
  • @Mikeage, it's more than technically acceptable, it's also efficient. Paste it into a text file and open it in Firefox/IE, it'll show up in a tree view. – Chris S Oct 14 '10 at 15:19
  • I don't think we should be too worried about saving 1 byte (2 for Windows, but Unix would be a better standard) when we're talking about XML! – Mikeage Oct 14 '10 at 16:30
  • 1
    Is there a way to run the results of "TCP Follow" through [HTML Tidy](http://tidy.sourceforge.net/)? – morgant Oct 14 '10 at 16:56
  • @Mikeage You would be amazed how much you gain by suppressing whitespace in a typical XML document. Yes, that's by suppressing all whitespace, not just CR/LF. – Guillaume Oct 15 '10 at 06:56
  • Nowhere near as much as you'd get if the protocol used gzip ;) I'm not actually arguing that UPnP shouldn't suppress whitespace [my normal job is C coding for embedded devices; trust me, I value performance and memory...], and indeed, I wouldn't want the implementation to add whitespace. I would like an easy way to do it in Wireshark... – Mikeage Oct 15 '10 at 08:26
0

Well, Wireshark or MS sniffer should dissect UPnP packets, and probably DLNA too.

Having packets dissected as a tree of information helps but it might not be trivial to see what's really happening there, and might require you to learn a bit about the protocols in order to debug the problems you may be having.

Have patience.

LatinSuD
  • I know the protocol(s) fairly well, but I can't seem to get it to show the packets in a clear format. It's either reading hex dumps and the text column, or a long string. Follow TCP helps, but it still can be fairly ugly (especially without CR/LFs). Some way to display XML cleanly (with indentation, "collapse", etc) would be very nice. – Mikeage Oct 14 '10 at 12:43
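The "beautifier" asked for in the comments can be done outside Wireshark. The following is an added example, not code from any of the posters: it takes the raw bytes saved from "Follow TCP Stream", splits them into HTTP messages, and indents every XML body, including ones sent without a `Content-Type` header such as the `/ContentDirectory/scpd.xml` response mentioned above. The function names and the sample stream are constructed for illustration; it assumes bodies are delimited by `Content-Length` (no chunked encoding).

```python
import xml.dom.minidom
from xml.parsers.expat import ExpatError

# Constructed sample: a request plus a response whose single-line XML body
# arrives without a Content-Type header.
BODY = (b'<?xml version="1.0"?><scpd xmlns="urn:schemas-upnp-org:service-1-0">'
        b'<specVersion><major>1</major><minor>0</minor></specVersion></scpd>')
SAMPLE_STREAM = (b"GET /ContentDirectory/scpd.xml HTTP/1.1\r\nHost: 192.0.2.10:2869\r\n\r\n"
                 b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(BODY)) + BODY

def split_http_messages(raw):
    """Yield (start_line, headers, body) for each HTTP message in a stream dump."""
    pos = 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        yield lines[0], headers, raw[body_start:body_start + length]
        pos = body_start + length

def pretty_xml(body):
    """Return indented XML text, or None if the body is not usable XML."""
    if b"<!DOCTYPE" in body:  # SOAP/UPnP bodies carry no DTD; skip entity tricks
        return None
    try:
        return xml.dom.minidom.parseString(body).toprettyxml(indent="  ")
    except ExpatError:
        return None

def beautify_stream(raw):
    """Indent every XML body, whether or not Content-Type announces text/xml."""
    results = []
    for start_line, headers, body in split_http_messages(raw):
        text = pretty_xml(body) if body.lstrip().startswith(b"<") else None
        if text is not None:
            results.append((start_line, headers.get("content-type", "(none)"), text))
    return results

if __name__ == "__main__":
    for start_line, ctype, text in beautify_stream(SAMPLE_STREAM):
        print(f"{start_line}  [Content-Type: {ctype}]\n{text}")
```

To use it on a real capture, save the stream from the "Follow TCP Stream" dialog in raw form and pass the file's bytes to `beautify_stream`.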