Use the packet capture tool Wireshark to analyze the network behavior of IoT devices

1. Background
When developing IoT products, devices are sometimes hard to debug. A packet capture tool such as Wireshark helps analyze device behavior and locate problems. The simple case below walks through using Wireshark to analyze the communication between a device and the Alibaba Cloud IoT platform.

2. Preparations
2.1 Create device
Create a product on the Alibaba Cloud IoT platform, register the device, and obtain the device identity triple (productKey, deviceName, deviceSecret).

2.2 Device simulation program
We use Node.js to write a device simulation program on the computer. It establishes a connection, subscribes, publishes, and disconnects.

/**
 * node aliyun-iot-device.js
 */
const mqtt = require('aliyun-iot-mqtt');

// Device identity triple + region
const options = {
    "productKey": "Device PK",
    "deviceName": "Device DN",
    "deviceSecret": "Device Secret",
    "regionId": "cn-shanghai"
};

// 1. Establish a connection
const client = mqtt.getAliyunIotMqttClient(options);

// 2. Subscribe to the topic
setTimeout(function() {
    client.subscribe(`/${options.productKey}/${options.deviceName}/user/get`);
}, 3 * 1000);

// 3. Publish a message with QoS 1
setTimeout(function() {
    client.publish(`/${options.productKey}/${options.deviceName}/user/update`, getPostData(), { qos: 1 });
}, 5 * 1000);

// 4. Close the connection
setTimeout(function() {
    client.end();
}, 8 * 1000);

// Build a JSON payload with random temperature and humidity values (10-29)
function getPostData() {
    const payloadJson = {
        temperature: Math.floor((Math.random() * 20) + 10),
        humidity: Math.floor((Math.random() * 20) + 10)
    };
    console.log("payloadJson " + JSON.stringify(payloadJson));
    return JSON.stringify(payloadJson);
}

2.3 Use Wireshark to capture network packets
The IoT platform communicates over MQTT, so a single capture filter is enough. Port 1883 carries MQTT without TLS, which is why Wireshark can decode every packet shown below:
tcp and port 1883


2.4 Start the simulation program


3. Network packet capture analysis
After the simulation script is executed, the complete MQTT network interaction is captured in Wireshark.
For convenience, I marked the device IP as "device"; the IP of the Alibaba Cloud IoT endpoint connected this time remains unchanged.


3.1 Three-way handshake of TCP

The red box in the above screenshot marks the TCP three-way handshake. It is initiated by the device, which uses port 56150.

3.2 CONNECT behavior of MQTT
The figure below shows the MQTT CONNECT packet.
Click the CONNECT record to see the detailed message in the bottom pane. The client id, user name, and password in it are the identity information that this CONNECT uses to prove the legitimacy of the device.

After the identity verification is completed, the IoT platform replies with a CONNACK as the response to the CONNECT.
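
What the CONNECT detail pane exposes, as an added example that is not part of the original article: a small Node.js parser for the CONNECT packet layout, run on a constructed packet with placeholder values. It assumes MQTT 3.1.1 (protocol level 4); the function names are illustrative. On port 1883 these fields cross the network unencrypted, so anyone on the path can read them just as Wireshark does.

```javascript
// Added example: decode an MQTT 3.1.1 CONNECT packet as seen in cleartext on TCP port 1883.
// "Remaining length" is a 1-4 byte varint: 7 bits per byte, least significant first.
function readRemainingLength(buf, pos) {
  let value = 0, shift = 0, byte;
  do {
    if (pos >= buf.length || shift > 21) throw new Error('bad remaining length');
    byte = buf[pos++];
    value += (byte & 0x7f) << shift;
    shift += 7;
  } while (byte & 0x80);
  return { value, pos };
}

// Strings and binary fields carry a 2-byte big-endian length prefix.
function readField(buf, pos) {
  if (pos + 2 > buf.length) throw new Error('truncated length prefix');
  const end = pos + 2 + buf.readUInt16BE(pos);
  if (end > buf.length) throw new Error('truncated field');
  return { data: buf.subarray(pos + 2, end), pos: end };
}

function parseConnect(buf) {
  if (buf.length < 2 || (buf[0] >> 4) !== 1) throw new Error('not a CONNECT packet');
  const rl = readRemainingLength(buf, 1);
  const body = buf.subarray(rl.pos, rl.pos + rl.value);
  if (body.length !== rl.value) throw new Error('truncated packet');
  let f = readField(body, 0); // protocol name, then level, flags, keep-alive
  const flags = body[f.pos + 1];
  const out = { protocol: f.data.toString(), level: body[f.pos],
    cleanSession: Boolean(flags & 0x02), keepAlive: body.readUInt16BE(f.pos + 2) };
  f = readField(body, f.pos + 4);
  out.clientId = f.data.toString();
  if (flags & 0x04) { f = readField(body, f.pos); f = readField(body, f.pos); } // skip will topic + message
  if (flags & 0x80) { f = readField(body, f.pos); out.username = f.data.toString(); }
  if (flags & 0x40) { f = readField(body, f.pos); out.password = f.data.toString(); }
  return out;
}

// Constructed sample packet; every value below is a placeholder, not a real credential.
function field(s) {
  const b = Buffer.from(s), len = Buffer.alloc(2);
  len.writeUInt16BE(b.length);
  return Buffer.concat([len, b]);
}
function buildSampleConnect() {
  const body = Buffer.concat([field('MQTT'), Buffer.from([0x04, 0xc2, 0x00, 0x3c]),
    field('example-client'), field('example-user'), field('EXAMPLE-PASSWORD')]);
  return Buffer.concat([Buffer.from([0x10, body.length]), body]);
}
console.log(parseConnect(buildSampleConnect()));
```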


3.3 SUBSCRIBE behavior of MQTT
The figure below shows a device subscribing to a topic on the IoT platform. The device actively subscribes to a Topic here; see the red box.

The figure below shows the IoT platform's response to the device's subscription.



3.3 PUBLISH behavior of MQTT
The figure below shows the device sending a QoS=1 PUBLISH message to the IoT platform. In the message details, we can see the Topic and Payload of the message.


Since it is a QoS=1 message, the IoT platform replies to the device with a PUBACK.

You can also see this message log in the log service of the IoT console.



3.4 DISCONNECT behavior of MQTT
The figure below shows the device issuing the DISCONNECT command to close the MQTT connection.


3.5 Four-way TCP connection termination

In the log service of the IoT console, you can also see the complete log of the device going offline, as follows.



4. Conclusion
So far, we have mastered the basic skills of using the Wireshark packet capture tool to analyze the network communication between the device and the Alibaba Cloud IoT platform. I hope it will be helpful to everyone in IoT development.
