Analyzing the PTP/IP Protocol with Wireshark
During the last two months, I worked on adding Canon PTP/IP support to the CineRemote app. During this time, I spent many hours poking around packets in Wireshark. While I was already used to Wireshark from previous projects, until then I had only used half of its potential.
In this article, I will describe how to use capture filters, display filters and colouring rules to ease the analysis process.
Capture Filters
The PTP/IP protocol relies on TCP, so you need to capture the traffic on your local network to analyze it. If you start Wireshark and select the Wi-Fi interface without any filters, there is a lot of noise from other participants.
Since we are only interested in the messages sent between our host machine and the camera, we can specify a capture filter to only capture packets from and to a specific host.
Just replace the IP address with the address of your camera, and you are ready to go.
Display filters
Once you have captured a session, you can use display filters to see only the packets you are interested in. Compared to capture filters, display filters allow more advanced filtering, and they do not discard anything: the hidden packets stay in the capture. Check out the official Wireshark documentation for a complete list of all available filters.
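A display filter on the camera's address shows TCP segments, not PTP/IP messages. The following added example (not code from the article or from CineRemote) cuts reassembled TCP payload bytes into PTP/IP packets, including one that spans two segments; the 8-byte framing and the packet type codes are assumed from the PTP/IP specification (ISO 15740), and the sample bytes are constructed.

```python
import struct
from typing import List, Tuple

# PTP/IP packet type codes (assumed from the PTP/IP spec, ISO 15740; the
# article does not list them).
PTPIP_PACKET_TYPES = {
    1: "Init_Command_Request", 2: "Init_Command_Ack", 3: "Init_Event_Request",
    4: "Init_Event_Ack", 5: "Init_Fail", 6: "Operation_Request",
    7: "Operation_Response", 8: "Event", 9: "Start_Data_Packet",
    10: "Data_Packet", 11: "Cancel_Transaction", 12: "End_Data_Packet",
    13: "Probe_Request", 14: "Probe_Response",
}
HEADER_LEN = 8  # uint32 LE total length (header included) + uint32 LE type

def type_name(pkt_type: int) -> str:
    return PTPIP_PACKET_TYPES.get(pkt_type, f"Unknown(0x{pkt_type:x})")

def split_ptpip_stream(buf: bytes) -> Tuple[List[Tuple[str, bytes]], bytes]:
    """Cut reassembled TCP payload bytes into (type name, payload) packets.

    Also returns the trailing bytes still waiting for the next TCP segment:
    PTP/IP packets are length-prefixed and may span several segments, so one
    TCP row in Wireshark is not necessarily one PTP/IP message.
    """
    packets = []
    while len(buf) >= HEADER_LEN:
        length, pkt_type = struct.unpack_from("<II", buf, 0)
        if length < HEADER_LEN:
            raise ValueError(f"bogus PTP/IP length {length}")
        if len(buf) < length:
            break  # partial packet: keep the bytes, wait for more data
        packets.append((type_name(pkt_type), buf[HEADER_LEN:length]))
        buf = buf[length:]
    return packets, buf

def build_packet(pkt_type: int, payload: bytes) -> bytes:
    return struct.pack("<II", HEADER_LEN + len(payload), pkt_type) + payload

def demo() -> Tuple[List[str], int]:
    # Constructed sample: Operation_Request (data phase 1, opcode 0x1001
    # GetDeviceInfo, txn 1) and Operation_Response (0x2001 OK, txn 1); the
    # response is deliberately split across two TCP segments.
    op_req = build_packet(6, struct.pack("<IHI", 1, 0x1001, 1))
    op_resp = build_packet(7, struct.pack("<HI", 0x2001, 1))
    seg1, seg2 = op_req + op_resp[:5], op_resp[5:]
    pkts, rest = split_ptpip_stream(seg1)         # one packet, 5 bytes pending
    more, rest = split_ptpip_stream(rest + seg2)  # pending bytes complete it
    return [name for name, _ in pkts + more], len(rest)
```

Feed it the bytes of a "Follow TCP Stream" export and the returned names tell you which PTP/IP message each chunk of a filtered TCP conversation actually carries.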
Colouring Records based on Rules
Although display filters work great for narrowing down the number of entries, context is often important. Therefore, it can be helpful to see all packets but add colouring rules to make scanning the captured data more efficient.
Luckily, you can use the same filters you already know since this feature uses display filters to decide how to colourize an entry.
On macOS, you can modify the colouring rules under View -> Coloring Rules.
Analyzing network communication for reverse engineering purposes can be tedious at times. However, getting better acquainted with the tools you already know can help, as these filtering and colouring features show.