Wireshark PTP Support
We've created a new dissector (plugin) for Wireshark to handle Picture Transfer Protocol (PTP) and Media Transfer Protocol (MTP).
Please read USB / PTP for background information, and on how to generate PCAP files. As of Wireshark 1.9.1, this plugin is not included with the main distribution.
See http://nikonhacker.com/viewtopic.php?f=2&t=708 for the latest version and support.
Linux and From Source
- Download Wireshark
- Apply Patch
There are compiled executables available for download here in the thread listed above.
At the beginning of the USB session the host will eventually send out request for the Interface DESCRIPTOR. This will set the following for PTP/MTP mode :
- bInterfaceClass = 0x06
- bInterfaceSubClass = 0x01
- bInterfaceProtocol = 0x01
Unless this packet is seen by Wireshark, it cannot know that the packet stream is in fact PTP traffic.
In practice this means you need to capture from when you plug in the camera or turn it on in order to have all the stateful information about the connection.
All support / patches / enhancement should go through the above thread.
Most of the table data comes from libgphoto2. There are scripts added in tools/usb-ptp*.pl that parse through ptp.h to create packet-usb-ptp.h. Ideally we would change libgphoto2 and this plugin so that they can share a common code base. Unfortunately, right now the two are not compilable.
Masked Value Tables
Many of the value tables in packet-usb-ptp.h are in a different format than normal value tables in Wireshark. There is a third column in every row. This extra column allows the value to apply to a specific device class. For example an operation code of 0x5000 may have two different meaning between Canon and Nikon devices. These tables are listed in the header field arrays (hf) but are not usable directly by the normal routines. There are new routines to handle the tuple-based value tables.
Not Yet Supported
- None of the device-specific response codes are further decoded right now.
- Not all the MTP object types are decoded right now