Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: GPRS Conversation

From: "Mike Morrin" <Mike.Morrin () ipaccess com>
Date: Sun, 19 Sep 2010 09:10:57 +0100


From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev->bounces () wireshark org] On Behalf Of Rick Bywater
Sent: 17 September 2010 21:41
To: wireshark-dev () wireshark org
Subject: [Wireshark-dev] GPRS Conversation



I have been looking into writing code to handle GRPS conversations, but do >not know how to proceed.  The existing 
conversation code is address/port >based.  In GPRS, conversations between the GSN and mobile equipment are >identified 
by their TLLI, not the address:port which is delivering the >traffic.  To complicate matters, the TLLI changes over 
time.  I noted an >exchange on the wireshark-dev (http://www.wireshark.org/lists/wireshark->dev/200906/msg00315.html) 
which describes a similar situation with one >notable exception - mobility.  I see no means to track a mobile device 

across existing BSS-GSN "conversations."



This problem exists in other cases besides GSM, as well.  Suppose you have >a device, D, access points AP1, AP2, and 
AP3, and mobile device, MD1.  A >wireshark trace would show conversations between D and AP1, D and AP2, and >D and 
AP2, and (potentially) 3 conversations between D and MD1 as MD1 moved >between the three access points.  However, 
there is no mechanism to tie >these together.



Anyone have a suggestion on how to resolve this?


You may be able to use some of the attached code fragments which were created a while ago while I was trying to fix bug 
2857 (which I will get around to eventually).  This code creates a hash table of GPRS streams (identified by SGSN, 
TLLI, NSAPI and link direction).  It does not attempt to track TLLI changes.  There is no guarantee that it will work, 
and the TLLI/link-direction harvesting code for nsip is missing (because the nsip dissector was changed since then).

Mike
 





This message contains confidential information and may be privileged. If you are not the intended recipient, please 
notify the sender and delete the message immediately.

ip.access Ltd, registration number 3400157, Building 2020, 
Cambourne Business Park, Cambourne, Cambridge CB23 6DW, United Kingdom

Attachment: sndcp_diff.zip
Description: sndcp_diff.zip

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: