IoT Bytes

Bits and Bytes of IoT

Capturing and Analysing MQTT Packets

Pradeep Singh | 21st April 2016


You can get a better understanding of MQTT Protocol by capturing the MQTT Packets on your machine and analysing the pattern of communication between Client and Broker. To do this all you need is Wireshark Application (Download Link). Once you have Wireshark installed on your machine simply select the Network Interface and start capturing the traffic.

You can also go through following video to get quick idea about MQTT Traffic capture and analysis –

Download Links for Python Scripts and Captured Traffic –

1. Publisher Python Script

2. Subscriber Python Script

3. Captured Packets (Default, tcpdumpRedHat 6.1 tcpdump, Windows)

Some Good To Know Points –

1. The MQTT protocol is based on TCP/IP and both client and broker need to have a TCP/IP stack.

2. Both Publisher and Subscriber are considered as MQTT Client.

3. The MQTT connection is always established between a client and the broker, no client is connected to another client directly.

4. Once the connection is established, the broker will keep it open as long as the client doesn’t send a disconnect command or it looses the connection.

5. MQTT Supports devices behind a NAT Device (For Ex- Router or Firewall).

6. The client identifier (short ClientId) is an identifier of each MQTT client connecting to a MQTT broker.

7. The Keep Alive is a time interval, the clients commits to by sending regular PING Request messages to the broker. The broker responds back with PING Response and this mechanism will allow both sides to determine if the other one is still alive and reachable.

8. The connection is initiated through a client sending a “Connect Command” message to the broker. The broker responds back with a “Connect Ack” and a status code. In the following table you can see all return codes at a glance.

Return Code Return Code Response
0 Connection Accepted
1 Connection Refused, unacceptable protocol version
2 Connection Refused, identifier rejected
3 Connection Refused, Server unavailable
4 Connection Refused, bad user name or password
5 Connection Refused, not authorized

9. To see all the other low level details about MQTT you can refer to MQTT Specifications Page.


6 thoughts on “Capturing and Analysing MQTT Packets

  1. Hi, That is a good tutorial. However can you explain how to make wireshark recognise MQTT . cause packets for me are seen as TCP not MQTT


  2. This worked great!

    However, any idea what would cause the “Message Published…” to appear, but not the “Connected to MQTT Broker”?

    Also, when I first tried I got many messages that I didn’t send! Somone else must be learning too! Interestingly, if I use sub-topics with mqtt-spy, i.e. subscribing to “/ben/SampleTopic”, then in the python script, the topic must be formatted as “ben/SampleTopic”, without the leading ‘/’!

    Finally, is it generally not good practice to have both the publisher and subscriber in one python file?



    1. I am glad it worked for you.

      You may have triggered the Python Scripts before starting the capture process on Wireshark. Wireshark may also miss some of the packets if CPU utilization and network traffic is very high while trying to capture the packets. Give it another try and you may be able to capture missing packets.

      As far as subtopics are concerned, leading “/” should not cause any issue. It will just create an additional topic level. I never faced any issue with or without leading “/” (tested it with Mosquitto, not sure about other brokers).

      For simple use cases you can have both publisher and subscriber in same file; it may be a better approach in terms of efficiency. However for complex implementations it makes more sense to have publisher and subscriber in different files, as it will make the code more manageable and easy to troubleshoot.


  3. Hi,

    I am using wireshark on centos 7, last version seems to be 1.10.14, unfortunately, I meet several issue.
    first is that mqtt protocol is not supported, so I use the filter that you prpose on above message “tcp.port q 1883”, and I can see only mqtt protocole
    second issue, is that I can see only ACK message !
    third problem is that with this filter, I cannot see the content decoded in mqtt.

    It works with wireshark on windows but not on linux machine !

    can you tell me if there is solutions ?



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: