Exploring the PTP/IP Protocol

Analyzing the PTP/IP Protocol with Wireshark

During the last two months, I worked on adding Canon PTP/IP support to the CineRemote app. During this time, I spent many hours poking around packages in Wireshark. While I was already used to Wireshark from previous projects, until then, I only used half of its potential.

In this article, I will describe how to use capture filters, display filters and colorization rules to ease the analyzation process.

Capture Filters

The PTP/IP Protocol relies on TCP, so you need to capture the traffic on your local network to analyze it. If you start Wireshark and select the Wifi interface without any filters, there is a lot of noise from other participants.

Since we are only interested in the messages sent between our host machine, and the camera, we can specify a capture filter to only capture packages from and to a specific host.

Filter packes by IP host

Just replace the IP-Address with the address of your camera, and you are ready to go.

Display filters

Once you have captured a session, you can use display filters to see only the packages you are interested in. Compared to capture filters, display filters allow more advanced filtering. Check out the official Wireshark documentation for a complete list of all available filters.

The following filters proved to be helpful:
# Display only PTP/IP packages but filter out GetEventData or Okay
ptpip && ptpip.opcode not in {0x9116, 0x2001}

# Display only communication with a specific IP address in case
# you forgot to set a capture filter.
ip.src == || ip.dst ==

# Display only operation requests
ptpip.pktType == 0x00000006

Colouring Records based on Rules

Although display filters work great for narrowing down the number of entries, context is often important. Therefore, it can be helpful to see all packages but add colouring rules to make scanning the captured data more efficient.

Luckily, you can use the same filters you already know since this feature uses display filters to decide how to colourize an entry.

On MacOS, you can modify the colouring rules under View -> Coloring Rules.

I used the following filters for colouring the package entries:
# Highlight GetEventData requests
ptpip.opcode == 0x9116

# Highlight OperationRequests
ptpip.pktType == 0x00000006

# Highlight GetLiveViewImage requests
ptpip.opcode == 0x9153

# Highlight SetPropertyValue requests
ptpip.opcode == 0x9110

Analyzing network communication for reverse engineering purposes can be tedious at times. However, getting more acquainted with the tools you already know can help, as these filtering and colourization features prove.