Garrett D'Amore wrote:
> On Mar 23, 2014, at 10:23 PM, Martin Sustrik <sustrik@xxxxxxxxxx> wrote:
>> On 24/03/14 02:34, Garrett D'Amore wrote:
<snip>
>>> (Indeed, I've considered writing snoop or tcpdump extensions to
>>> decode the handshake... I think this would be useful to
>>> administrators trying to figure out what is going on.
>>
>> I once implemented a plug-in for wireshark (AMQP) and IIRC it was an
>> easy enough task to do.
>>
>> As for SP, there are some problems though:
>>
>> 1. The TCP wire format is so "packed" that it's impossible to
>> distinguish message boundaries unless you are following the connection
>> from its very beginning. Catching up in the middle of a stream can be
>> tricky (unless you make an assumption that messages are aligned with
>> TCP packets, of course).
>>
>> 2. Similar problem with different SP protocols: you know which one is
>> used only if you sniff the beginning of the TCP connection. Later on
>> there's no way to tell.
>
> Yeah, I didn't think about that. Still, you often are sniffing at the
> start of the connection. If you are catching up in the middle of the
> connection, you're hosed, but I think this is common with other protocols.
> For example, web socket, even HTTP, you don't get useful information
> except during the initial handshake phase. Folks doing debugging with
> these tools probably are used to this limitation.

Well, that's what tools like mitmproxy are for.
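The two problems Martin describes (no recoverable message boundaries and no recoverable protocol id once the handshake is missed) can be shown with a small dissector. This is an added example, not code from the thread or from the nanomsg project; it assumes a nanomsg-style SP/TCP framing (8-byte handshake of `\0SP\0` + 16-bit protocol id + 16-bit zero, then a 64-bit big-endian length before each message) and a constructed sample stream.

```python
import struct

# Assumed framing (the thread does not spell it out): handshake, then
# length-prefixed messages with no sync marks or per-frame protocol tag.
SP_MAGIC = b"\x00SP\x00"
U64 = struct.Struct(">Q")

def build_stream(proto_id, messages):
    """Constructed sample: one peer's byte stream as sent from byte 0."""
    out = SP_MAGIC + struct.pack(">HH", proto_id, 0)
    for m in messages:
        out += U64.pack(len(m)) + m
    return out

def walk_frames(data, pos, max_len=1 << 20):
    """Greedy frame walk from pos. Stops at an implausible length or a
    truncated frame. Returns (messages, walk ended exactly at stream end)."""
    msgs = []
    while pos + 8 <= len(data):
        (n,) = U64.unpack_from(data, pos)
        if n > max_len or pos + 8 + n > len(data):
            break
        msgs.append(data[pos + 8:pos + 8 + n])
        pos += 8 + n
    return msgs, pos == len(data)

def dissect(capture, from_start):
    """from_start=True: the capture includes the handshake, so the protocol
    id and every boundary are known. from_start=False: the handshake was
    missed; the protocol id cannot be recovered, and the only option is to
    try each offset as a boundary and keep the ones whose walk ends cleanly.
    Returns (proto_id or None, messages or candidate parses, unambiguous)."""
    if from_start:
        if capture[:4] != SP_MAGIC:
            raise ValueError("capture does not start with an SP handshake")
        (proto_id,) = struct.unpack(">H", capture[4:6])
        msgs, clean = walk_frames(capture, 8)
        return proto_id, msgs, clean
    parses = []
    for off in range(len(capture)):
        msgs, clean = walk_frames(capture, off)
        if clean and msgs:
            parses.append((off, msgs))
    return None, parses, len(parses) == 1

if __name__ == "__main__":
    # Constructed binary payload: a mid-stream sniffer sees a "length" in it.
    stream = build_stream(0x10, [b"\x00" * 7 + b"\x02AB", b"end"])
    print(dissect(stream, True))          # full decode, unambiguous
    print(dissect(stream[16:], False))    # two plausible, conflicting parses
```

Starting at the first message's payload instead of the handshake, the walk accepts both offset 0 (yielding a bogus two-byte message "AB") and offset 10, and neither attempt can say which SP protocol the connection carries.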