
Packet capture is a common method for testing a product and analyzing competing products. A good packet capture tool helps in common audio and video scenarios such as live streaming and short video, and in many cases saves a great deal of effort. Two common packet capture tools are introduced here:

  • Charles
  • Wireshark

1. Charles

Charles[1] is the most commonly used HTTP/HTTPS data capture tool on macOS. Here are some of its features:

  • Supports SSL proxying: HTTPS requests can be intercepted and analyzed.
  • Supports throttling: can simulate slow networks and high-latency requests.
  • Supports AJAX debugging: JSON or XML data is formatted automatically for easy viewing.
  • Supports AMF debugging: Flash Remoting or Flex Remoting data can be formatted for easy viewing.
  • Supports resending network requests, which helps with back-end debugging.
  • Network request parameters can be modified.
  • Supports intercepting network requests and modifying them on the fly.
  • Checks HTML, CSS, and RSS content for compliance with W3C standards.

Here we introduce the key configurations:

1) Proxy settings on the Mac

After Charles is installed, select Proxy → macOS Proxy from the menu bar. The system HTTP/HTTPS proxy is then set automatically to the local proxy. The default port is 8888.

2) Set the HTTPS certificate on the Mac

On the Charles menu bar, choose Help → SSL Proxying → Install Charles Root Certificate. The Charles Proxy CA certificate is imported automatically and Keychain Access opens.

Double-click the newly imported certificate to open its information page, set Secure Sockets Layer (SSL) to Always Trust, close the page, and enter your password to update the system trust settings. Keep in mind that a root CA trusted this way can decrypt any TLS connection from the machine, so remove the trust once testing is finished.

3) HTTPS settings on the Mac

From the Charles menu bar, select Proxy → SSL Proxy Settings… On the SSL Proxying tab, select Enable SSL Proxying and add the domain name and port for which packets should be captured.

With this in place, HTTPS data can be decoded.

4) Proxy settings on the iPhone

To capture HTTP/HTTPS packets from an iPhone, make sure the iOS device and the Mac are on the same LAN.

Then set the iOS HTTP proxy: open the Wi-Fi settings of the iOS device, add a proxy, set the server to the Mac's LAN IP address, and set the port to the default proxy port 8888 mentioned above.

The Mac's LAN address can be obtained in Charles from the menu bar via Help → Local IP Address.

After the configuration, open a URL on the iOS device. Charles pops up an Access Control confirmation dialog; select Allow, and HTTP packets can be captured.

5) HTTPS settings on the iPhone

To capture HTTPS packets on the iPhone, the phone itself also needs to be configured.

First, select Help → SSL Proxying → Install Charles Root Certificate on a Mobile Device or Remote Browser from the menu bar.

As prompted, use Safari on the iOS device to open chls.pro/ssl. Safari downloads the certificate and asks you to install it.

Go to Settings → General → About → Certificate Trust Settings and enable full trust for the Charles certificate installed in the previous step.

Next, open an HTTPS URL on the iOS device, and HTTPS packets can be captured.

When capturing packets with Charles, we may find that HTTPS data cannot be decoded. Why is this?

As shown in the figure below, when the captured HTTPS data cannot be decoded, the prompt reads:

SSL Proxying not enabled for this host: enable in Proxy Settings, SSL locations

This is because the corresponding domain name and port have not been added. Just do the following:

On the menu bar, choose Proxy → SSL Proxy Settings… On the SSL Proxying tab, add the domain name and port for packet capture.

2. Wireshark

Charles is good at capturing HTTP/HTTPS requests, but not RTMP, DNS, TCP, or UDP traffic. In that case Wireshark[2] can be used. Here are some of its features:

  • Supports hundreds of protocols, such as HTTP, RTMP, DNS, TCP, and UDP, and is constantly updated.
  • Supports live packet capture and offline analysis.
  • Supports multiple platforms: runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others.
  • Supports powerful display filters.
  • Supports various VoIP analysis functions.
  • Supports reading and writing many capture file formats, such as tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer, etc.
  • Supports on-the-fly decompression of gzip-compressed capture files.
  • Supports live capture from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, etc.
  • Supports decryption of many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
  • Supports applying coloring rules to the packet list for fast, intuitive analysis.
  • Output can be exported to XML, PostScript, CSV, or plain text.

Here we introduce the basic configuration process and some common packet capture examples:

2.1 Wireshark Installation and Configuration

1) Wireshark download and installation

To install Wireshark, download the macOS installation package from the Wireshark official website [3].

Note that the other two .pkg packages shown in the figure below also need to be installed:

After Wireshark is installed successfully, the following page is displayed:

This screen lists the network interfaces of the current system. Click any of them to start capturing.

2) Mobile device connection configuration

To capture iPhone traffic with Wireshark, the iPhone's traffic must first be relayed through macOS. This is done with rvictl, a tool that connects a device so that its packets can be captured.

Remote Virtual Interface Tool starts and stops a remote packet capture instance for any set of attached mobile devices. It can also provide feedback on any attached devices that are currently relaying packets back to this host.

We can use the following command to connect a device:

$ rvictl -s <iPhone UDID> 

And the following command disconnects the device again:

$ rvictl -x <iPhone UDID> 

Before using rvictl, however, you usually need to install the supporting packages:

$ cd /Applications/Xcode.app/Contents/Resources/Packages/
$ open .

Double-click MobileDevice.pkg and MobileDeviceDevelopment.pkg to install them.

On macOS 10.15.0 or later, note that the path of the rvictl command has changed, and you need to configure it:

Add /Library/Apple/usr/bin to the /etc/paths file. After saving, restart the terminal.

After the preceding steps are complete, run the command again:

$ rvictl -s <iPhone UDID> 

This creates a virtual network interface named rvi0 (with multiple iPhones the number increments: rvi1, rvi2, and so on).

Open Wireshark and rvi0 appears in the interface list.

Double-click it to start capturing the device's traffic.

2.2 Packet capture examples

2.2.1 TCP three-way handshake capture

First, a review of the basics of the TCP three-way handshake and four-way teardown:

Wireshark is used to capture the packets.

The following figure shows the packet captured for the first handshake step. The client (172.16.146.107) sends a SYN packet to the server (203.55.2.249). The Sequence number of the SYN packet is 0 (Wireshark shows relative sequence numbers by default, so each side's initial sequence number is displayed as 0).

The following figure shows the packet captured for the second handshake step. The server (203.55.2.249) sends a SYN+ACK packet to the client (172.16.146.107). Its Sequence number is 0 and its Acknowledgement number is 1.

The following figure shows the packet captured for the third handshake step. The client (172.16.146.107) sends an ACK packet to the server (203.55.2.249). Its Acknowledgement number is 1.
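The relative numbering Wireshark displays for the three handshake packets above can be reproduced from raw TCP headers. This is an added example, not code from the original article: it builds three constructed TCP headers between the page's client and server addresses (the initial sequence numbers and ports are made up), classifies each by its flags, and rebases sequence and acknowledgement numbers on each direction's SYN the way Wireshark's "relative sequence numbers" option does.

```python
import struct

SYN, ACK = 0x02, 0x10

def tcp_header(sport, dport, seq, ack, flags):
    """Build a 20-byte TCP header without options (constructed sample, checksum 0)."""
    offset_flags = (5 << 12) | flags          # data offset 5 words + flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)

def parse_tcp(buf):
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", buf[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "hdr_len": (off_flags >> 12) * 4}

def classify(flags):
    if flags & SYN and not flags & ACK:
        return "SYN"
    if flags & SYN and flags & ACK:
        return "SYN+ACK"
    if flags & ACK:
        return "ACK"
    return "other"

def relative_handshake(packets):
    """Return (src, dst, kind, relative seq, relative ack) per packet; each direction's
    SYN carries its initial sequence number, which becomes 0 as in Wireshark."""
    isn, out = {}, []
    for src, dst, raw in packets:
        h = parse_tcp(raw)
        fwd = (src, h["sport"], dst, h["dport"])
        rev = (dst, h["dport"], src, h["sport"])
        if h["flags"] & SYN:
            isn[fwd] = h["seq"]
        rel_seq = (h["seq"] - isn[fwd]) & 0xFFFFFFFF
        rel_ack = None
        if h["flags"] & ACK and rev in isn:
            rel_ack = (h["ack"] - isn[rev]) & 0xFFFFFFFF
        out.append((src, dst, classify(h["flags"]), rel_seq, rel_ack))
    return out

CLIENT, SERVER = "172.16.146.107", "203.55.2.249"   # addresses from the page's capture
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x5E6F7081       # constructed initial sequence numbers
HANDSHAKE = [                                          # constructed three-way handshake
    (CLIENT, SERVER, tcp_header(52000, 1935, CLIENT_ISN, 0, SYN)),
    (SERVER, CLIENT, tcp_header(1935, 52000, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK)),
    (CLIENT, SERVER, tcp_header(52000, 1935, CLIENT_ISN + 1, SERVER_ISN + 1, ACK)),
]

if __name__ == "__main__":
    for row in relative_handshake(HANDSHAKE):
        print(row)
```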

2.2.2 RTMP handshake and protocol control message capture

The following is a packet capture of live RTMP push-stream data:

Handshake C0+C1, Handshake C2 and Handshake S0+S1+S2 are the handshake messages; connect(), createStream() and publish() are Command messages sent by the client. Set Chunk Size, Window Acknowledgement Size and Set Peer Bandwidth are Protocol Control Messages sent by the client. The Audio Data and Video Data messages are Data messages.

1) Handshake process

During the handshake, the RTMP protocol does not specify a strict transmission order for the six messages, but an implementer of the protocol must ensure the following:

  • The client sends chunks C0 and C1 to begin the handshake.
  • The client MUST wait to receive S1 before sending C2.
  • The client MUST wait to receive S2 before sending other data.
  • The server MUST wait for C0 before sending S0 and S1, or MAY wait for C1.
  • The server MUST wait until C1 to send S2.
  • The server MUST wait for C2 to send other data.

Judging from the captured data, the implementation here does not strictly follow this rule: the client sends its handshake as Handshake C0+C1 and Handshake C2, and the server sends Handshake S0+S1+S2.

2) Set Chunk Size protocol control message

Set Chunk Size is one of the protocol control messages in RTMP.

1. The message type of Set Chunk Size is 1.

2. Protocol control messages generally use a type 0 chunk header.

3. Protocol control messages generally use the reserved chunk stream ID 2.

4. The chunk format defined by the RTMP protocol is:

+--------------+----------------+--------------------+--------------+
| Basic Header | Message Header | Extended Timestamp |  Chunk Data  |
+--------------+----------------+--------------------+--------------+
|                                                    |
|<------------------- Chunk Header ----------------->|

4.1 Basic Header: protocol control messages generally use the reserved chunk stream ID 2, and chunk stream IDs between 2 and 63 use the 1-byte format. So the Basic Header of the Set Chunk Size protocol control message has the following format:

 0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+
|fmt|   cs id   |
+-+-+-+-+-+-+-+-+
Chunk basic header 1

Here the fmt field value is 0, indicating that a type 0 chunk header is used. The cs id field value is 2, the chunk stream ID reserved for protocol control messages.

4.2 Message Header: protocol control messages use the type 0 chunk header format. Therefore the Message Header of the Set Chunk Size protocol control message is as follows:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   timestamp                   |message length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     message length (cont)     |message type id| msg stream id |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           message stream id (cont)            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                 Chunk Message Header - Type 0

Here the timestamp field is set as appropriate; the message length field is 4, indicating that the Set Chunk Size message body is 4 bytes long; the message type id field is 1, indicating a Set Chunk Size message; and the message stream id is set as appropriate.

4.3 The Extended Timestamp part is not present here (it is only present when the timestamp field is 0xFFFFFF).

4.4 Chunk Data: the format of the Set Chunk Size control message in RTMP is as follows:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0|                   chunk size (31 bits)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Here the chunk size field holds the chunk size value we set. Notice the little endian order here.

Next, let's look at the Set Chunk Size chunk we captured:

The 16 bytes of the Set Chunk Size chunk, in hexadecimal, are:

02 00 00 00 00 00 04 01 00 00 00 00 00 00 10 00

Of these:

  • Chunk Type: 0. The corresponding fmt field is 0.
  • Chunk Stream ID: 2. The corresponding cs id field is 2. The chunk type and chunk stream ID together occupy 1 byte.
  • Timestamp: 0. The corresponding timestamp field is 0.
  • Message Length: 4. The corresponding message length field is 4, indicating that the message body is 4 bytes long.
  • Message Type: 1. The corresponding message type id field is 1.
  • Message Stream ID: 0. The corresponding message stream id field is 0.
  • Chunk Size: 4096. The corresponding chunk size field is 0x00001000 = 2^12 = 4096, indicating a chunk size of 4096 bytes.
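The field walk-through above (sections 4.1 to 4.4 and the byte listing) can be checked in code. This is an added example, not code from the original article: it parses the 16 bytes quoted on the page as a generic chunk parser would, handling the 1-, 2- and 3-byte basic header forms, the type 0 message header, the optional extended timestamp, and the Set Chunk Size body. Byte order follows the RTMP specification, which carries the message stream id little-endian and every other integer, including the chunk size, in network (big-endian) order; the size check is a defensive bound a receiver should apply before trusting a peer-supplied chunk size.

```python
# Constructed from the Set Chunk Size chunk quoted on the page (16 bytes): fmt 0,
# chunk stream id 2, timestamp 0, length 4, type id 1, message stream id 0, size 4096.
SET_CHUNK_SIZE_HEX = "02 00 00 00 00 00 04 01 00 00 00 00 00 00 10 00"
SET_CHUNK_SIZE = 1  # message type id of Set Chunk Size

def parse_basic_header(buf):
    """Return (fmt, chunk stream id, bytes consumed). cs id 2..63 uses the 1-byte form;
    a low 6-bit value of 0 or 1 selects the 2- or 3-byte form (cs id = value + 64)."""
    fmt, low = buf[0] >> 6, buf[0] & 0x3F
    if low == 0:
        return fmt, buf[1] + 64, 2
    if low == 1:
        return fmt, buf[1] + (buf[2] << 8) + 64, 3
    return fmt, low, 1

def parse_chunk(buf):
    """Parse one chunk carrying a type 0 message header, as the page's example does."""
    fmt, cs_id, off = parse_basic_header(buf)
    if fmt != 0:
        raise ValueError("only type 0 message headers are handled here")
    ts = int.from_bytes(buf[off:off + 3], "big")            # 24 bits, network order
    length = int.from_bytes(buf[off + 3:off + 6], "big")    # 24 bits, network order
    type_id = buf[off + 6]
    msid = int.from_bytes(buf[off + 7:off + 11], "little")  # the one little-endian field
    off += 11
    if ts == 0xFFFFFF:  # extended timestamp is present only in this case
        ts = int.from_bytes(buf[off:off + 4], "big")
        off += 4
    payload = buf[off:off + length]
    if len(payload) != length:
        raise ValueError("truncated chunk")
    info = {"fmt": fmt, "cs_id": cs_id, "timestamp": ts, "length": length,
            "type_id": type_id, "msid": msid}
    if type_id == SET_CHUNK_SIZE:
        if length != 4:
            raise ValueError("Set Chunk Size body must be 4 bytes")
        size = int.from_bytes(payload, "big")
        # spec: top bit must be 0 and valid sizes are 1..0x7FFFFFFF; a receiver should
        # additionally cap the size it is willing to buffer for a single chunk
        if size >> 31 or size == 0:
            raise ValueError("invalid chunk size")
        info["chunk_size"] = size
    return info

def parse_chunk_hex(hexstr):
    return parse_chunk(bytes.fromhex(hexstr))

if __name__ == "__main__":
    print(parse_chunk_hex(SET_CHUNK_SIZE_HEX))
```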


References

[1] Charles: www.charlesproxy.com/

[2] Wireshark: www.wireshark.org/

[3] Wireshark official download page: www.wireshark.org/download.ht…
