PCoIP Dissector User Guide
The PCoIP protocol was developed by Teradici and is somewhat opaque because:
- It's proprietary and there is very little decode information available
- The payload is compressed and encrypted with AES256 and NSA Suite B ciphers
TCP Port 4172 is used during session setup, but UDP Port 4172 is used for the transport of session data. This presents a further challenge: it's not easy to detect packet loss because there is no TCP Sequence/Acknowledgement Number for analysis.
The TribeLab PCoIP Wireshark plugin extracts two useful pieces of information: the sequence number from the PCoIP Transport Header and the direction of the packet.
Above we see typical output using the plugin. The Info field clearly indicates that PCoIP is in use, shows the PCoIP Sequence Number and flags missing APDUs.
Within the Packet Detail the plugin adds a small subtree with additional detail.
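The loss detection that the sequence number and direction make possible on UDP, as an added example that is not the plugin's own code: it tracks the next expected sequence number per direction and reports numbers that never arrive, while tolerating reordering and duplicates. It assumes the sequence number rises by one per packet in each direction and wraps at 32 bits, neither of which this page states; the direction labels, thresholds and sample tuples are constructed.

```python
from collections import defaultdict

SEQ_MOD = 2 ** 32   # assumption: 32-bit counter (width is not stated on the page)
WINDOW = 64         # assumption: how far behind a reordered packet may arrive
MAX_GAP = 1000      # assumption: a larger jump is treated as a resync, not loss

# Constructed sample: (frame number, direction, sequence number) in capture order.
SAMPLE = [
    (1, "client->host", 10), (2, "host->client", 4294967294),
    (3, "client->host", 11), (4, "host->client", 4294967295),
    (5, "client->host", 14),   # 12 and 13 skipped
    (6, "host->client", 1),    # 0 skipped, after the counter wrapped
    (7, "client->host", 13),   # late arrival: reordered, not lost
    (8, "client->host", 15), (9, "client->host", 15),  # duplicate
]


def find_gaps(packets, seq_mod=SEQ_MOD, window=WINDOW, max_gap=MAX_GAP):
    """Return {direction: sorted sequence numbers never seen in the capture}."""
    expected = {}                 # direction -> next sequence number expected
    missing = defaultdict(set)    # direction -> numbers skipped and not yet seen
    for _frame, direction, seq in packets:
        if direction not in expected:          # first packet in this direction
            expected[direction] = (seq + 1) % seq_mod
            continue
        ahead = (seq - expected[direction]) % seq_mod
        if ahead < seq_mod // 2:               # at or ahead of what we expected
            if ahead <= max_gap:
                for k in range(ahead):         # everything skipped is provisional loss
                    missing[direction].add((expected[direction] + k) % seq_mod)
            expected[direction] = (seq + 1) % seq_mod
        elif seq_mod - ahead <= window:        # behind: late or duplicate packet
            missing[direction].discard(seq)
    return {d: sorted(s) for d, s in missing.items() if s}


if __name__ == "__main__":
    for direction, seqs in find_gaps(SAMPLE).items():
        print(direction, "missing:", seqs)
```

Keeping the two directions separate matters because each side of the session numbers its own packets; merging them would report gaps that are not there.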