On 2/21/06, Roger Mahler <roger.mahler@xxxxxxx> wrote:
> Hi,
>
> I have Iur and IuCS traffic in the same capture file, i.e. both run on
> SSCOP, MTP3B, SCCP. On IuCS the layer above SCCP is RANAP, on Iur it is
> RNSAP. I managed to decode the IuCS by making use of the USER DLT (set to
> 147 in my trace), and then set the Special Encapsulation to SSCOP and the
> Payload to "mtp3". Is there another way?
To be correct you should use "sscf-nni" instead of "mtp3". It works
because sscf-nni frames have mtp3 if they are larger than 4 bytes, if
they are control frames (<4bytes) mtp3 will fail to decode them.
> What do I have to do to get the Iur frames decoded?
The most SCCP DT1 packets don't convey information regarding the user
protocol by themselves ethereal needs to see the setup of the call to
be able to decode the rest of the call.
RNSAP does not yet register to SCCP, few lines of code are needed for
this, the dissector is 39757 lines!
The sample you sent unfortunatelly does not have the CR/CC pair in
which conveys information regarding the user. So that would not be
decoded even if RNSAP registered to SCCP. I don't know whether there
is a good way to (heuristically) identify RNSAP.
If you send us (or privately to me) a capture file with the CR/CC pair
I can add RNSAP to SCCP subdissectors in short time.
> In may trace:
> - Frame 1,2,3,4,11 are RANAP (IuCS)
> - Frame 5,6,7,8,9,10 are RNSAP (Iur)
>
> As you may know the RNSAP messages can get pretty long so that they don't
> fit into one SCCP frame anymore. The SCCP layer gets segmented (as it is the
> case in my trace with frame 7,8,9). Does Ehtereal do a reassembly of the
> sgemented SCCP?
SCCP desegmentation was added a while ago for XUDT messages. not yet
for DT1. Again a sample with these fragmented DT1 messages (and the
setup) would help anyone would try to add this.
Luis.
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan