A Wireshark dissector for ZMTP version 3.0 and later (ZeroMQ 4 and later)

ZMTP Wireshark Dissector

This is a Lua dissector for the ZMTP protocol. It supports both the "new" protocol (ZMTP version 3.0 and later) and the older version 2.

It supports the NULL and PLAIN authentication mechanisms.




This dissector requires Lua 5.2 or newer.

mkdir -p ~/.config/wireshark/plugins
git clone git:// ~/.config/wireshark/plugins/zmtp-wireshark


As ZeroMQ ports are inherently application-specific, you need to use "Decode As -> ZMTP" on your ZeroMQ packets. Alternatively, subdissectors can register the ZMTP dissector on specific TCP ports to automate decoding.

You can use the expression zmtp to filter packets. TCP segments are automatically reassembled.

If you get frame errors, especially when capturing on lo, the problem is that libpcap cannot capture packets over 64 KiB (relevant bug); to work around it, run sudo ip link set lo mtu 65500.


This dissector supports calling subdissectors for an application-level protocol. As ZMTP does not have a generic way of specifying the inner protocol, the mapping is done using TCP ports.

A subdissector that wishes to observe ZMTP frames must register itself in the zmtp.protocol dissector table, using the TCP port as the key. Both source and destination ports are checked, so bidirectional links (request/response, for example) will need a dissector that can decode both directions.
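
The registration described above, as an added example that is not code from this project: a subdissector for a hypothetical "myapp" protocol that bounds-checks each frame before decoding it. The protocol name, its one-byte-type-plus-body layout, port 5555, and the assumption that the subdissector receives the ZMTP frame body as its tvb are all illustrative and not taken from this README.

```lua
-- Added example: hypothetical "myapp" protocol carried inside ZMTP frames.
local myapp = Proto("myapp", "MyApp over ZMTP (example)")

-- Constructed message layout: 1-byte type followed by an optional text body.
local msg_types = { [1] = "REQUEST", [2] = "REPLY" }
local f_type = ProtoField.uint8("myapp.type", "Message type", base.DEC, msg_types)
local f_body = ProtoField.string("myapp.body", "Body")
myapp.fields = { f_type, f_body }

function myapp.dissector(tvb, pinfo, tree)
    local len = tvb:len()
    -- Empty frames are legal (ZeroMQ request/reply envelopes use an empty
    -- delimiter frame), so never index into the buffer before checking.
    if len == 0 then return 0 end

    pinfo.cols.protocol = "MYAPP"
    local subtree = tree:add(myapp, tvb(), "MyApp message")

    local msg_type = tvb(0, 1):uint()
    subtree:add(f_type, tvb(0, 1))
    if not msg_types[msg_type] then
        -- Flag unexpected values instead of guessing at the rest of the frame.
        subtree:add_expert_info(PI_MALFORMED, PI_WARN,
                                "Unknown message type " .. msg_type)
    end

    -- Only decode a body when bytes actually remain after the type field.
    if len > 1 then
        subtree:add(f_body, tvb(1, len - 1))
    end
    return len
end

-- The table is keyed by TCP port and the same dissector is reached for both
-- directions, so it must cope with requests and replies alike.
local APP_PORT = 5555  -- constructed port for this example

-- pcall guards against the ZMTP dissector not being loaded yet; plugin load
-- order is an assumption here.
local ok, zmtp_table = pcall(DissectorTable.get, "zmtp.protocol")
if ok and zmtp_table then
    zmtp_table:add(APP_PORT, myapp)
end
```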




This dissector is based on a dissector for ZMTP 2, written by Robert G. Jakabosky.
