List: wireshark-dev
Subject: [Wireshark-dev] Wireshark bug when dissect the MC interface trace
From: Hui Wei <hui.wei () ericsson ! com>
Date: 2010-07-21 8:06:19
Message-ID: D12839161ADD3A4B8DA63D1A134D084024CFC28DD1 () ESGSCCMS0001 ! eapac ! ericsson ! se
Hi,
When I use Wireshark to dissect the MC interface trace, it regards each IP packet as one message. However, there are several upper-layer messages embedded in the same IP packet.
Therefore, when I use the following Tshark command to dissect that, it can only generate 1 gsm message:

  tshark -r MC_SAMPLE_LOGS \
    -R "gsm_a.dtap_msg_mm_type > 0 or gsm_a.dtap_msg_cc_type > 0 or gsm_a.bssmap_msgtype > 0 or sccp.message_type > 0" \
    -T fields -E header=y \
    -e frame -e frame.time_epoch -e ip.src -e ip.dst -e sccp.slr -e sccp.dlr \
    -e sccp.message_type -e gsm_a.dtap_msg_mm_type -e gsm_a.dtap_msg_cc_type \
    -e gsm_a.bssmap_msgtype -e gsm_a.imsi > result_MO.txt

As below:

  frame:                   Frame 1: 1170 bytes on wire (9360 bits), 1170 bytes captured (9360 bits)
  frame.time_epoch:        1271940351
  ip.src:                  10.37.11.26
  ip.dst:                  10.37.19.18
  sccp.slr:                0xa80003
  sccp.dlr:                0x0a16ec
  sccp.message_type:       0x05
  gsm_a.dtap_msg_mm_type:  0x08
  gsm_a.dtap_msg_cc_type:  (empty)
  gsm_a.bssmap_msgtype:    0x55
  gsm_a.imsi:              4.60002E+14

The protocol hierarchy is shown below:
The original dump packet is attached as below:
Could anybody help me to repair that?
Thanks!
Best Regards!
Wei Hui
Ericsson (China) Communications Company Ltd. Nanjing Branch
6F No.2 Building Nanjing IC Design Park,
No.89 Shengli Road. Jiangning Economic & Technology Development Zone
Nanjing, P.R.China
Post Code: 211100
Tel: +86 25 87128000
Fax: +86 25 87128001
Mobile: +86 13951612835
E-mail: hui.wei@ericsson.com
["Picture (Device Independent Bitmap) 1.jpg" (image/jpeg)]
["packet_MC.dump" (application/octet-stream)]
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe