Wireshark's packet capture test for MQTT protocol

MQTT is the most commonly used communication protocol in the Internet of Things, so a thorough understanding of it is very important. There is no need to be intimidated, though: the basic MQTT protocol is just another layer of encapsulation on top of TCP. Today we use a computer to connect to a server and analyze the MQTT protocol byte by byte.

This article is only published on CSDN Qingyun Shuangqing and my personal blog, and it appears elsewhere

1. Description

1. This packet-capture walkthrough is only a simple technical share meant to give an overall framework; you can continue exploring on your own afterwards.
2. It is only a related share, intended to help understand how the protocol is implemented; it has little practical significance on its own.
3. I have used the MQTT protocol for a long time but never dug into its concrete implementation, so I want to explore it properly.
4. There may be mistakes in this explanation and places that are not explained well; please be tolerant, my ability is limited.
5. This note was written on 2022-02-07 by Gear Long.

2. Thanks

These links are some Chinese materials. This analysis is based on version 3.1.1. The latest version has been updated to 5.0, but the security features in 5.0 add another dimension of complexity, so they are not covered here.

3. Need to prepare

  • One CH340 serial debugging module
  • ESP8266 module (burned with AT firmware)
    Burn AT firmware that supports MQTT communication
  • A computer with the Windows 10 operating system
  • Install the latest version of the Wireshark software

Wireshark is a powerful packet capture tool with built-in dissectors for many network protocols, so it can analyze many network communication protocols.

4. Protocol analysis

The following is the content of the analysis:

CONNECT to the server

【Fixed Header】


Fixed header of the CONNECT packet
byte1 MQTT packet type 0001 0000
byte2 Remaining Length

Result: 10 ??
Two bytes in total
The remaining length is not yet known; it can only be calculated once all of the following data has been worked out

Calculation of the remaining length field:

[Remaining Length] = [length of the variable header] + [length of the payload]
Then convert the decimal value to hexadecimal

[variable header]

The variable header is made up of four parts: [Protocol Name] + [Protocol Level] + [Connect Flags] + [Keep Alive]

1. [Protocol Name]

Protocol name: The protocol name is a UTF-8 encoded string representing the protocol name MQTT. Subsequent versions of the MQTT specification will not change the offset and length of this string.


[Protocol Name]
byte1 Length MSB (0) 0000 0000
byte2 Length LSB (4) 0000 0100
byte3 'M'            0100 1101
byte4 'Q'            0101 0001
byte5 'T'            0101 0100
byte6 'T'            0101 0100

Result: 00 04 4d 51 54 54
6 bytes in total

2. [Protocol level]

The client represents the revision of the protocol as an 8-bit unsigned value.


[Protocol Level]
byte1 0000 0100

Result: 04
One byte in total

3. 【Connect Flags】

The connect flags byte contains several parameters that specify the behavior of the MQTT connection. It also indicates which fields are present in the payload.


[Connect Flags]
Flags set for this connection (inferred back from the capture):
User Name Flag (bit 7) + Password Flag (bit 6) + Clean Session (bit 1)
byte1 1100 0010

Result: c2
One byte in total

4. 【Keep Alive】

It is the maximum time interval, in seconds, that may elapse between the moment the client finishes transmitting one control packet and the moment it starts sending the next.


[Keep Alive]
byte1  Keep Alive MSB 0000 0000
byte2  Keep Alive LSB 0011 1100

Result: 00 3c
Two bytes in total
0x3c converted to decimal is 60, i.e. 60 s
If it were set to 100 s, the corresponding hexadecimal value would be 0x64


Variable header result:
00 04 4d 51 54 54 04 c2 00 3c

【Payload】

1. [Client ID]

[Client ID]
The client ID for this session is: 12345ABCD
byte1 Data length MSB 0000 0000
byte2 Data length LSB 0000 1001
byte3~ Data content (the actual client ID) 31 32 33 34 35 41 42 43 44

Result: 00 09 31 32 33 34 35 41 42 43 44
11 bytes in total

2. 【User Name】

[User Name]
The user name set this time is: 12345ABC
byte1 Data length MSB 0000 0000
byte2 Data length LSB 0000 1000
byte3~ Data content (the actual user name) 31 32 33 34 35 41 42 43

Result: 00 08 31 32 33 34 35 41 42 43
10 bytes in total

3. 【User Password】

The payload carries content such as the user name and password.
Which fields are present corresponds to the connect flags above.


[User Password]
The password set this time is: 123Abc
byte1 Data length MSB 0000 0000
byte2 Data length LSB 0000 0110
byte3~ Data content (the actual password) 31 32 33 41 62 63

Result: 00 06 31 32 33 41 62 63
8 bytes in total

Putting it all together

Fixed header:
10 ?? = 10 27
?? = 10 + 11 + 10 + 8 = 39
39 in decimal converts to 0x27 in hexadecimal
Variable header:
00 04 4d 51 54 54 04 c2 00 3c (10)
Payload:
Client ID: 00 09 31 32 33 34 35 41 42 43 44 (11)
User name: 00 08 31 32 33 34 35 41 42 43 (10)
Password: 00 06 31 32 33 41 62 63 (8)

Complete data:
10 27 00 04 4d 51 54 54 04 c2 00 3c 00 09 31 32 33 34 35 41 42 43 44 00 08 31 32 33 34 35 41 42 43 00 06 31 32 33 41 62 63

Then, return to the calculation of the remaining length from the beginning.

[WireShark packet capture results]

The capture shows the first packet; the capture result is exactly the same as our own analysis result.

Notes on sending

  • Select HEX to send in hexadecimal
  • Do not wrap lines
  • Upper- and lowercase hex letters can both be sent
  • Send

[CONNECT server confirmation response]

The server sends a CONNACK packet in response to the CONNECT packet received from the client, and the first packet sent by the server to the client must be a CONNACK.

The packet capture shows the connection return code. The returned packet is the second one captured, and it confirms the format of the response to the connection request.

[Return code]
byte1 MQTT control packet type 0010 0000
byte2 Remaining Length (value 2) 0000 0010
byte3 0000 0000
byte4 0000 0000
Result: 20 02 00 00
4 bytes in total; looking up the return code shows that the connection has been accepted by the server

PUBLISH publishes a message

After connecting to the server as above, we can continue with publishing or subscribing to messages.

【Fixed Header】


[Fixed header]
A QoS level value of 00 means deliver at most once
byte1 MQTT control packet type (value 3) 0011 0000
byte2 Remaining Length ??

Result: 30 ??
Two bytes in total

[Quality of service level QoS]


[variable header]

The variable header contains, in this order, the topic name and the packet identifier.

1. [Topic Name]

A required part of the MQTT protocol: the name of the topic being published to


[Topic Name]
The topic published to this time: /python/AQAQ
byte1 Length MSB (value 0) 0000 0000
byte2 Length LSB (value 12) 0000 1100
byte3~ Topic name 2f 70 79 74 68 6f 6e 2f 41 51 41 51

Result: 00 0c 2f 70 79 74 68 6f 6e 2f 41 51 41 51
14 bytes in total

2. 【Message identifier】


The Packet Identifier field is present in a PUBLISH packet only when the QoS level is 1 or 2. This time the QoS level is set to 0, so there is no Packet Identifier.


【Payload】

The payload contains the application message to be published

[Content of the published message body]
The message content published this time: 20220206ABC
byte1~ 32 30 32 32 30 32 30 36 41 42 43

Result: 32 30 32 32 30 32 30 36 41 42 43
11 bytes in total

Putting it all together:

Fixed header:
30 ?? = 30 19
?? = 14 + 11 = 25
25 in decimal converts to 0x19 in hexadecimal
Variable header:
00 0c 2f 70 79 74 68 6f 6e 2f 41 51 41 51 (14)
Payload:
32 30 32 32 30 32 30 36 41 42 43 (11)

Complete data:
30 19 00 0c 2f 70 79 74 68 6f 6e 2f 41 51 41 51 32 30 32 32 30 32 30 36 41 42 43

[WireShark packet capture results]

Wireshark packet capture and analysis of the first MQTT packet

【PUBLISH publish response】

This operation uses QoS 0, so there is no response.
The other QoS levels can be tested on your own.

SUBSCRIBE subscribes to messages

Subscribe to a topic and wait to receive messages

【Fixed Header】

[Fixed header]
byte1 MQTT control packet type (value 8) 1000   reserved bits (value 2) 0010
byte2 Remaining Length  ??

Result: 82 ??
2 bytes in total

[variable header]

The variable header contains the Packet Identifier


[Variable header]
The variable header bytes in the capture differ from what the reference article says, so the capture result is taken as authoritative
byte1 Packet Identifier MSB (0) 0000 0000
byte2 Packet Identifier LSB (1) 0000 0001

Result: 00 01
2 bytes in total


【Payload】

The payload of the SUBSCRIBE packet contains a list of topic filters, which represent the topics that the client wants to subscribe to


[Payload]
The topic subscribed to this time: /python/QAQA
byte1  Length MSB             0000 0000
byte2  Length LSB             0000 1100
byte3~ Topic filter           2f 70 79 74 68 6f 6e 2f 51 41 51 41
byte~  Requested QoS, set to QoS 0   0000 0000

Result: 00 0c 2f 70 79 74 68 6f 6e 2f 51 41 51 41 00
15 bytes in total

Putting it all together:

Fixed header:
82 ?? = 82 11
?? = 2 + 15 = 17
17 in decimal converts to 0x11 in hexadecimal
Variable header:
00 01
Payload:
00 0c 2f 70 79 74 68 6f 6e 2f 51 41 51 41 00 (15)
Complete data:
82 11 00 01 00 0c 2f 70 79 74 68 6f 6e 2f 51 41 51 41 00
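To tie together the client packets analysed by hand above (CONNECT, PUBLISH and SUBSCRIBE, plus the PINGREQ covered further down), here is an added Python example that is not part of the original article: it builds each packet from its fields and reproduces the hex worked out above. It also goes a little beyond the captures: the Remaining Length is emitted as the specification's variable-length integer, so values above 127 become several bytes rather than one hex byte; PUBLISH takes a QoS and inserts the Packet Identifier only for QoS 1 or 2; and the CONNECT payload fields are appended only when the matching connect flag is set. The function names are mine; the sample values (client ID 12345ABCD, user name 12345ABC, password 123Abc, keep-alive 60, topic /python/AQAQ, filter /python/QAQA) are the ones from the page.

```python
# Added example (not from the original article): an MQTT 3.1.1 client-side
# packet encoder. Function names are illustrative; the sample values are the
# ones analysed on this page.

CONNECT, PUBLISH, SUBSCRIBE, PINGREQ = 1, 3, 8, 12   # control packet types


def encode_remaining_length(n: int) -> bytes:
    """Remaining Length as a variable-length integer: 7 data bits per byte,
    bit 7 set means another byte follows. Values up to 127 fit in one byte
    (39 -> 0x27 as on this page); larger values take 2 to 4 bytes."""
    if not 0 <= n <= 268_435_455:
        raise ValueError("Remaining Length out of range")
    out = bytearray()
    while True:
        digit, n = n & 0x7F, n >> 7
        if n:
            digit |= 0x80
        out.append(digit)
        if not n:
            return bytes(out)


def encode_string(s: str) -> bytes:
    """UTF-8 string prefixed with a 2-byte big-endian length (MSB, LSB)."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def fixed_header(packet_type: int, flags: int, body: bytes) -> bytes:
    """byte1 = type in the high nibble, flags in the low nibble; then Remaining Length; then body."""
    return bytes([(packet_type << 4) | (flags & 0x0F)]) + encode_remaining_length(len(body)) + body


def build_connect(client_id: str, keep_alive: int, username=None, password=None,
                  clean_session=True) -> bytes:
    if password is not None and username is None:
        raise ValueError("MQTT 3.1.1: Password Flag requires User Name Flag")
    flags = 0x02 if clean_session else 0x00          # bit 1: Clean Session
    payload = encode_string(client_id)
    if username is not None:
        flags |= 0x80                                # bit 7: User Name Flag
        payload += encode_string(username)
        if password is not None:
            flags |= 0x40                            # bit 6: Password Flag
            payload += encode_string(password)
    variable_header = (encode_string("MQTT") + bytes([4])      # protocol name, level 4
                       + bytes([flags]) + keep_alive.to_bytes(2, "big"))
    return fixed_header(CONNECT, 0, variable_header + payload)


def build_publish(topic: str, message: bytes, qos=0, packet_id=None,
                  retain=False, dup=False) -> bytes:
    flags = (int(dup) << 3) | (qos << 1) | int(retain)
    variable_header = encode_string(topic)
    if qos > 0:                                      # Packet Identifier only for QoS 1/2
        if packet_id is None:
            raise ValueError("QoS 1/2 PUBLISH needs a Packet Identifier")
        variable_header += packet_id.to_bytes(2, "big")
    return fixed_header(PUBLISH, flags, variable_header + message)


def build_subscribe(packet_id: int, topic_filters) -> bytes:
    """topic_filters: list of (filter, requested_qos); flags must be 0b0010."""
    payload = b"".join(encode_string(f) + bytes([q]) for f, q in topic_filters)
    return fixed_header(SUBSCRIBE, 0x02, packet_id.to_bytes(2, "big") + payload)


def build_pingreq() -> bytes:
    return fixed_header(PINGREQ, 0, b"")             # c0 00: no variable header, no payload


if __name__ == "__main__":
    print(build_connect("12345ABCD", 60, "12345ABC", "123Abc").hex(" "))
    print(build_publish("/python/AQAQ", b"20220206ABC").hex(" "))
    print(build_subscribe(1, [("/python/QAQA", 0)]).hex(" "))
    print(build_pingreq().hex(" "))
```

Running the block prints the four packets as spaced hex, which can be compared directly with the "Complete data" lines above or pasted into the serial tool in HEX mode. Note that the user name and password travel in clear text inside the CONNECT payload, which is exactly why they are readable in the Wireshark capture; in a deployment that matters, MQTT is run over TLS.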

[Wireshark packet capture results]

Find the subscription request; you can see that the packet capture result is the same as the analysis.

【SUBSCRIBE subscription response】

The server sends a SUBACK message to the client to confirm that it has received and is processing the SUBSCRIBE message


[Fixed header]
byte1 MQTT control packet type 1001 reserved bits 0000
byte2 Remaining Length 0000 0011

Result: 90 03
2 bytes in total

[Variable header]
byte1 0000 0000
byte2 0000 0001

Result: 00 01
2 bytes in total

[Payload format]
byte1  0000 0000

Result: 00
Looking up the return code: maximum QoS 0
1 byte in total

Complete data:
90 03 00 01 00

Packet capture of the server's subscription response

PINGREQ heartbeat request

Tells the server that the client is still alive, asks the server to confirm that it is still alive, and confirms that the network path is open

【Fixed Header】


[Fixed header]
byte1 MQTT control packet type (12) 1100 0000
byte2 Remaining Length              0000 0000

Result: c0 00
2 bytes in total

[variable header]

none

【Payload】

none

[PINGRESP response]

The server tells the client that it is still alive


[Fixed header of the response]
byte1 MQTT control packet type (13) 1101 0000
byte2 Remaining Length (0)          0000 0000

Result: d0 00
2 bytes in total
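As an added example that is not from the original article, the following Python decoder handles the broker-side packets captured above (CONNACK, SUBACK and PINGRESP) from the receiving end: it parses the fixed header generically, decodes the Remaining Length as the variable-length integer, splits several packets that arrive back-to-back in one TCP segment, and rejects malformed or truncated input instead of indexing past it. The CONNACK and SUBACK return-code tables are the ones defined by MQTT 3.1.1; the function names are mine, and the sample byte stream is constructed from the page's captured bytes.

```python
# Added example (not from the original article): defensive decoding of the
# broker-to-client packets seen in the captures on this page.

CONNACK_RETURN_CODES = {              # MQTT 3.1.1 CONNACK return codes
    0: "Connection Accepted",
    1: "Connection Refused, unacceptable protocol version",
    2: "Connection Refused, identifier rejected",
    3: "Connection Refused, Server unavailable",
    4: "Connection Refused, bad user name or password",
    5: "Connection Refused, not authorized",
}
PACKET_NAMES = {2: "CONNACK", 9: "SUBACK", 13: "PINGRESP"}

# Constructed sample: the three server responses from the captures above,
# concatenated as they could arrive in a single TCP segment.
SAMPLE_STREAM = bytes.fromhex("20 02 00 00" "90 03 00 01 00" "d0 00")


def decode_remaining_length(data: bytes, offset: int) -> tuple:
    """Decode the variable-length Remaining Length starting at data[offset].
    Returns (value, bytes_consumed). Each byte carries 7 data bits; bit 7 set
    means another byte follows; the spec allows at most 4 bytes."""
    value, multiplier, consumed = 0, 1, 0
    while True:
        if offset + consumed >= len(data):
            raise ValueError("truncated Remaining Length")
        byte = data[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, consumed
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed Remaining Length (more than 4 bytes)")


def split_packets(stream: bytes):
    """Yield (packet_type, flags, body) for each complete packet in the stream."""
    pos = 0
    while pos < len(stream):
        packet_type, flags = stream[pos] >> 4, stream[pos] & 0x0F
        length, consumed = decode_remaining_length(stream, pos + 1)
        start = pos + 1 + consumed
        if start + length > len(stream):           # never slice past the buffer silently
            raise ValueError("truncated %s packet" % PACKET_NAMES.get(packet_type, packet_type))
        yield packet_type, flags, stream[start:start + length]
        pos = start + length


def interpret(packet_type: int, flags: int, body: bytes) -> dict:
    """Turn one server packet into a dict, checking the fixed sizes the spec imposes."""
    if packet_type == 2:                                          # CONNACK
        if flags or len(body) != 2 or body[0] & 0xFE:             # bits 1-7 of byte1 reserved
            raise ValueError("malformed CONNACK")
        code = body[1]
        return {"type": "CONNACK", "session_present": bool(body[0] & 0x01),
                "return_code": code, "meaning": CONNACK_RETURN_CODES.get(code, "reserved")}
    if packet_type == 9:                                          # SUBACK
        if flags or len(body) < 3:
            raise ValueError("malformed SUBACK")
        # one return code per topic filter: 0x00-0x02 = granted maximum QoS, 0x80 = failure
        granted = ["failure" if c == 0x80 else ("QoS %d" % c if c <= 2 else "reserved")
                   for c in body[2:]]
        return {"type": "SUBACK", "packet_id": int.from_bytes(body[:2], "big"), "granted": granted}
    if packet_type == 13:                                         # PINGRESP
        if flags or body:
            raise ValueError("malformed PINGRESP")
        return {"type": "PINGRESP"}
    return {"type": PACKET_NAMES.get(packet_type, "type %d" % packet_type), "length": len(body)}


def parse_stream(stream: bytes) -> list:
    return [interpret(*packet) for packet in split_packets(stream)]


if __name__ == "__main__":
    for packet in parse_stream(SAMPLE_STREAM):
        print(packet)
```

A client that checks the CONNACK return code rather than assuming success is also the place to notice a broker answering 4 (bad user name or password) or 5 (not authorized), and a SUBSCRIBE whose SUBACK carries 0x80 for a filter was refused even though the packet itself was well formed.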

Finally

You can use the Wireshark packet capture software to gain a deep understanding of the MQTT protocol

Every time you send a message to the server successfully, you will receive a reply from the server


Origin blog.csdn.net/sinat_41690014/article/details/130171072