Wireshark-bugs: [Wireshark-bugs] [Bug 11665] New: Enhancement of display of Q.931 and ISUP messa

Date: Sun, 01 Nov 2015 15:50:39 +0000
Bug ID 11665
Summary Enhancement of display of Q.931 and ISUP messages in the (VoIP) calls flow diagram
Product Wireshark
Version 1.12.8
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Enhancement
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 13965 [details]
Q.931 setup encapsulated into SIP - three endpoints in graph

Build Information:
Version 1.12.8 (v1.12.8-0-g5b6e543 from master-1.12)

Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.10.2, with Pango 1.34.0, with
GLib 2.38.0, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, without Python, with GnuTLS 3.2.15, with Gcrypt 1.6.2,
without Kerberos, with GeoIP, with PortAudio V19-devel (built Oct 14 2015),
with
AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 3.2.15, Gcrypt 1.6.2, without AirPcap.
       Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz, with 8141MB of physical
memory.

Built using Microsoft Visual C++ 10.0 build 40219

--
Unlike with SIP, MGCP, ISUP etc. protocols, Q.931 has only a basic low-level
address (consisting of the ID of a physical p2p interface or bus, the direction
of the message on that interface/bus, and the TEI). When drawing the message
flow diagram, Wireshark uses IP address of the transport protocol (such as SIP
or H.323) as endpoint identifier for Q.931 messages, but if the transport
protocol uses no IP address (like LAPD), a single endpoint called "PSTN" is
used instead, ignoring even the network->user/user->network direction
information which is, in one form or another, available in all capture file
formats which can accommodate Q.931 over LAPD. As a consequence, all the arrows
representing Q.931 messages come from "outside the diagram" to the dashed
vertical line representing the "PSTN" endpoint, instead of running between two
vertical lines.

A secondary effect of this and the formatting of the message text related to
the arrow as described in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11664 is that the message
name is not displayed at all.

The first attachment shows a call where Q.931 Setup is encapsulated in SIP
INVITE, so the Setup arrow goes between an IP address and "PSTN"; the second
attachment shows a call where the Q.931 is transported over LAPD and so the
arrows come from "outside" and have no text attached to them.

The third attachment is a pcapng file with a single complete Q.931 over LAPD
call.

The enhancement suggestion is:
a) if no low level address information of a transport protocol can be
associated to a Q.931 message, to create one endpoint (dashed vertical line)
for "network" and another one for "user" so that the arrows could be drawn
between two lines, and
b) if the Q.931 over LAPD messages have been captured on several physical
interfaces (in case of pcapng file), to create the two endpoints mentioned
above for each of the physical interfaces, so that it would be possible to see
from the graph on which interface a particular message has been captured
(useful for analysis of network flows).

Pavel


You are receiving this mail because:
  • You are watching all bug changes.