Wireshark mailing list archives

Re: subprotocols


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Tue, 11 Nov 2014 20:19:01 +0100

2014-11-11 20:13 GMT+01:00 Charles Smith <cts.private.yahoo () gmail com>:

That did the job!  Thank you

  5052    2.651163    127.0.0.1    127.0.0.1    LTE RRC UL_DCCH/NAS-EPS
245    RRCConnectionSetupComplete  Attach request  PDN connectivity
request  MAC=0x00000000 (19 bytes data)  [24-bytes]


(note that the first time I did it, I got this:

   Unhandled exception ("tvbuff.c:634: failed assertion "tvb &&
tvb->initialized"", group=1, code=4)
   Aborted (core dumped)

but it worked on restart)

I'm curious - the RLC configuration also has a line like:

  Call RRC dissector for CCCH pdus

That's not checked, but it's doing it anyway.  Do I not understand that
right, or is it just an old check box?


It's supposed to be checked by default and is useful for CCCH-based PDUs
like RRC UL CCCH (RRC Connection/Reestablishment Request), DL CCCH (RRC
Connection/Reestablishment Setup/Reject), PCH (Paging), BCCH BCH (MIB)
and BCCH DL SCH (SIBs).


Thanks a lot,

Charles

www.creative-telcom-solutions.de

On Tue, Nov 11, 2014 at 7:01 PM, Pascal Quantin <pascal.quantin () gmail com> wrote:

Hi Charles,

2014-11-11 14:53 GMT+01:00 Charles Smith <cts.private.yahoo () gmail com>:

Hi Pascal,

You helped me a lot, thank you.  My dissector does almost everything I
want.

Of course, there's just one more thing ...  :)

I get RRC decoded magically on CCCH, but as soon as it switches to SRB1,
it recognizes the AM mode but not the contents, e.g. the following is an
RRCConnectionSetupComplete:

5052    2.651163    127.0.0.1    127.0.0.1    RLC-LTE    245    [UL]
[AM] UEId=1 SRB:1  [DATA] (P) sn=0     [24-bytes]

and there's just raw contents.

Everything else has been done so wonderfully, I suspect that I'm just
not doing something right here.

Any help is appreciated...


You want to go to Edit -> Preferences -> Protocols -> RLC-LTE and check
the box "Call PDCP dissector for SRB PDUs"
Then go to Edit -> Preferences -> Protocols -> PDCP-LTE and check the box
"Show unciphered Signalling-Plane data as RRC"

Note that ciphered PDCP PDUs can also be deciphered if you know the
ciphering key, if no handover / reestablishment happens (no key derivation
is supported) and if you use AES (SNOW3G and ZUC are not supported due to
patent issues).

Pascal.





On Wed, Oct 15, 2014 at 1:48 PM, Charles Smith <cts.private.yahoo () gmail com> wrote:

Great, thanks a lot!

On Wed, Oct 15, 2014 at 11:07 AM, Pascal Quantin <pascal.quantin () gmail com> wrote:



2014-10-15 10:41 GMT+02:00 Charles Smith <cts.private.yahoo () gmail com>:

Hello Pascal,

I don't find any .c files under (ubuntu) /usr/share/wireshark - is
this only available to a dissector that's linked-in to the executable?  Or
can I access it via lua, as well?  Or, do I only need to get the source
tarball in order to study the example?  Would it be wiser to ditch my lua
code and do it in c?

TIA
cts


Hi,

this is the first time you mention that you are doing a Lua plugin.
But I guess internal dissectors can be called from Lua also (note: I have
never written any Lua plugin myself but I know there is quite a lot of
documentation on http://wiki.wireshark.org/Lua and it seems you can
retrieve the MAC LTE dissector by using Dissector.name("mac-lte") and call
it with dissector::call()).
If you want to have a look at packet-catapult-dct2000.c, you can find
the latest version of the file here:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-catapult-dct2000.c;h=30c0d6df954155f3fde7f546abd21357099010f7;hb=refs/heads/master
Depending on the Wireshark version you are using, you might consider
browsing to the right version by clicking on the summary link and selecting
the right tag or head.

Pascal.


On Wed, Oct 15, 2014 at 9:13 AM, Charles Smith <cts.private.yahoo () gmail com> wrote:

Thank you.

On Tue, Oct 14, 2014 at 10:34 PM, Pascal Quantin <pascal.quantin () gmail com> wrote:

2014-10-14 22:15 GMT+02:00 Charles Smith <cts.private.yahoo () gmail com>:

Is it built in, I just have to get the linkage right?  Or do I
have to fetch it from somewhere?


Yes it's a built-in dissector. Please have a look at
packet-catapult-dct2000.c for an example on how to call a sub dissector via
call_dissector_only() function (it is easier than using the UDP framing
protocol which is more suitable when calling Wireshark from an external
program).


On Tue, Oct 14, 2014 at 7:22 PM, Pascal Quantin <pascal.quantin () gmail com> wrote:



2014-10-14 17:33 GMT+02:00 Charles Smith <cts.private.yahoo () gmail com>:

Hi.

I have created a dissector for our tunnel protocol.  I have the
feeling that if I want to decode a payload protocol, say LTE MAC protocol,
I'd use the proto() statement to hang that into my tree and some library
code somewhere would do the rest of the decoding ... but I can't find these
libraries (e.g. http://wiki.wireshark.org/MAC-LTE).  Can
someone set me straight?

cts


Hi Charles,

The LTE MAC dissector is a bit specific as it requires some metadata
allowing it to know how to decode the payload. You have 2 ways to
configure it:
- either look at epan/dissectors/packet-catapult-dct2000.c and
check how it is configuring those meta data (mac_lte_info structure
attached to each frame)
- or use the UDP framing format as described in
epan/dissectors/packet-mac-lte.h file. Some sample code demonstrating how
to use it can be found here: http://wiki.wireshark.org/MAC-LTE

Regards,
Pascal.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

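The UDP framing that Pascal points to in epan/dissectors/packet-mac-lte.h, as an added example that is not from the thread and not Wireshark's own code: a small Python encoder and parser for the framing, so an external program (the case Pascal says the UDP framing is meant for) can hand MAC PDUs plus the meta data the mac-lte dissector needs to Wireshark over UDP. The start string, the three fixed fields and the tag values are as the header defined them around this period; check them against the header shipped with your Wireshark version before relying on them. SAMPLE_CCCH_PDU, the RNTI/UEId values, the host and the port are constructed for illustration, not taken from a capture. To see the frames decoded, capture on loopback and enable the MAC-LTE heuristic-over-UDP preference under Edit -> Preferences -> Protocols -> MAC-LTE (its exact label depends on the version).

```python
"""Build and parse Wireshark's MAC-LTE "UDP framing" from an external program.

Added example; not code from the mailing-list thread or from Wireshark.
Start string, fixed-field order and tag values follow
epan/dissectors/packet-mac-lte.h as of roughly 2014 (assumption: verify
against your version's header).  Sample PDU, RNTI, UEId, host and port are
constructed for illustration only.
"""
import socket

MAC_LTE_START_STRING = b"mac-lte"

# Mandatory fixed fields that directly follow the start string (1 byte each).
FDD_RADIO, TDD_RADIO = 1, 2
DIRECTION_UPLINK, DIRECTION_DOWNLINK = 0, 1
NO_RNTI, P_RNTI, RA_RNTI, C_RNTI, SI_RNTI, SPS_RNTI, M_RNTI = range(7)

# Optional tags carrying meta data.  There is no length byte: every tag has a
# fixed value size, listed in OPTIONAL_TAGS as (field name, size in bytes).
MAC_LTE_PAYLOAD_TAG = 0x01          # followed by the MAC PDU up to end of frame
MAC_LTE_RNTI_TAG = 0x02
MAC_LTE_UEID_TAG = 0x03
MAC_LTE_SUBFRAME_TAG = 0x04
MAC_LTE_PREDEFINED_DATA_TAG = 0x05
MAC_LTE_RETX_TAG = 0x06
MAC_LTE_CRC_STATUS_TAG = 0x07

OPTIONAL_TAGS = {
    MAC_LTE_RNTI_TAG: ("rnti", 2),              # 2-byte values are network order
    MAC_LTE_UEID_TAG: ("ueid", 2),
    MAC_LTE_SUBFRAME_TAG: ("subframe", 2),
    MAC_LTE_PREDEFINED_DATA_TAG: ("predefined_data", 1),
    MAC_LTE_RETX_TAG: ("retx", 1),
    MAC_LTE_CRC_STATUS_TAG: ("crc_status", 1),
}
_FIELD_NAMES = {name for name, _ in OPTIONAL_TAGS.values()}

# Constructed UL CCCH MAC PDU: one subheader byte (R/R/E/LCID = 0x00, i.e.
# LCID 0 = CCCH, E = 0 so the SDU runs to the end) and six arbitrary SDU bytes.
SAMPLE_CCCH_PDU = bytes([0x00]) + bytes.fromhex("4a1d2b3c4d5e")


def frame_mac_pdu(pdu, radio_type, direction, rnti_type, **meta):
    """Wrap a raw MAC PDU in the framing; meta keys are the names in OPTIONAL_TAGS."""
    unknown = set(meta) - _FIELD_NAMES
    if unknown:
        raise ValueError("unknown meta field(s): %s" % ", ".join(sorted(unknown)))
    out = bytearray(MAC_LTE_START_STRING)
    out += bytes([radio_type, direction, rnti_type])
    for tag, (name, size) in OPTIONAL_TAGS.items():
        if meta.get(name) is not None:
            out.append(tag)
            out += meta[name].to_bytes(size, "big")   # raises on out-of-range values
    out.append(MAC_LTE_PAYLOAD_TAG)                   # payload tag must come last
    out += pdu
    return bytes(out)


def parse_frame(frame):
    """Inverse of frame_mac_pdu: dict of fixed fields, optional fields and 'pdu'."""
    if not frame.startswith(MAC_LTE_START_STRING):
        raise ValueError("missing mac-lte start string")
    pos = len(MAC_LTE_START_STRING)
    if len(frame) < pos + 3:
        raise ValueError("truncated fixed fields")
    info = {"radio_type": frame[pos], "direction": frame[pos + 1],
            "rnti_type": frame[pos + 2]}
    pos += 3
    while pos < len(frame):
        tag = frame[pos]
        pos += 1
        if tag == MAC_LTE_PAYLOAD_TAG:
            info["pdu"] = frame[pos:]
            return info
        if tag not in OPTIONAL_TAGS:
            raise ValueError("unknown tag 0x%02x at offset %d" % (tag, pos - 1))
        name, size = OPTIONAL_TAGS[tag]
        if pos + size > len(frame):
            raise ValueError("truncated value for tag 0x%02x" % tag)
        info[name] = int.from_bytes(frame[pos:pos + size], "big")
        pos += size
    raise ValueError("frame has no payload tag")


def send_frame(frame, host="127.0.0.1", port=9999):
    """Send one framed PDU by UDP to where Wireshark captures (port is arbitrary)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(frame, (host, port))


if __name__ == "__main__":
    frame = frame_mac_pdu(SAMPLE_CCCH_PDU, FDD_RADIO, DIRECTION_UPLINK, C_RNTI,
                          rnti=0x1234, ueid=1, subframe=5)
    print(frame.hex())
    print(parse_frame(frame))
    send_frame(frame)
```

The parser is the part worth keeping around: when the dissector shows only raw bytes, running the captured UDP payload through parse_frame tells you whether the start string, fixed fields and tags were emitted in the order the header expects before you start suspecting the preferences.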