Wireshark mailing list archives

TCAP SRT incorrectly matches TC_BEGINs and TC_ENDs


From: Conall Prendergast <conall.prendergast () anam com>
Date: Wed, 24 May 2017 17:19:07 +0100

Hi All,

I have been analyzing a TCAP trace with Wireshark with the tcap.srt and
tcap.persistentsrt options set to "TRUE".

This should correctly match TCAP Begins (using 2 pass analysis) with their
associated TCAP Ends, and vice versa.

I have attached two files, "correct_matches.pcap" and
"incorrect_matches.pcap", that demonstrate some spurious behavior. These
two files are from the same feed, and "correct_matches.pcap" contains
packets 5, 11, 15, and 19 from "incorrect_matches.pcap".

"correct_matches.pcap" will correctly match packet 1 (TC_BEGIN) with packet
4 (TC_END), and packets 2 and 3 similarly. However, when these packets are
analysed with the rest of the feed (incorrect_matches.pcap), these very
same packets do not match up.

Instead, packet 5 (packet 1 from "correct_matches") matches with packet 15
(3) instead of packet 19 (4).

As you can guess, this is unexpected behavior.

So in summary, correct_matches.pcap contains:
1 => 4
2 => 3

incorrect_matches contains:
5 => 15
11 => x
x => 19

and the mapping of correct_matches to incorrect_matches is:
1 => 5
2 => 11
3 => 15
4 => 19


Any and all help is appreciated.
Thanks,
Conall


Attachment: correct_matches.pcap
Description:

Attachment: incorrect_matches.pcap
Description:

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev