Wireshark-dev: Re: [Wireshark-dev] gsm_map dissector question

From: "Abhik Sarkar" <sarkar.abhik@xxxxxxxxx>
Date: Mon, 26 Mar 2007 12:30:37 +0300
Hi Anders,

Thanks for your reply. Attached are sample captures. The MSUs are
syslog encapsulated, so you need to be running SVN rev 21109 or
higher. Decode UDP destination port 7890 as syslog and you will see
the MTP3 and higher layers.

example1.cap : A simple MAPv2 mt-fsm showing up as mo-fsm.
example2.cap : The gsm_map dissector throwing up a BER decode error
because it thinks there are some extra invalid field beyond the
sm-RP-UI of the mo-fsm, but the extra field is actually the
more-messages-to-send flag in a MAPv2 mt-fsm.

I had one more example, but I can't find it anymore. I will send it on
if I do find it.

Best regards,
Abhik.

On 3/26/07, Anders Broman (AL/EAB) <anders.broman@xxxxxxxxxxxx> wrote:
Hi,
If you could supply a sample trace we could see what can be done.
Best regards
Anders

________________________________

From: wireshark-dev-bounces@xxxxxxxxxxxxx on behalf of Abhik Sarkar
Sent: Mon 3/26/2007 9:49 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] gsm_map dissector question



Hi List,

I have been capturing and decoding some live traffic on a GSM network,
and find a problem in decoding of GSM MAP operations.

The GSM MAP dissector is currently based on 3GPP TS 29.002 v7.5.0.
This leads to incorrect decoding of packets which are working on lower
MAP versions. For example, a MAP v2 ShortMsgMT-Relay gets decoded as
MAP v3 ShortMsgMO-Relay (because the opcodes are same). This leads to
all kinds of warnings, and sometimes incorrect decoding.

I don't suppose there is a (simple) way around this, is there? I guess
a complex (and resource hungry) method would be for the TCAP dissector
to follow dialogs and then pass the application context information to
the MAP dissector for MAP to interpret the operation based on the
application context in addition to the op-code.

I am sorry if this has already been discussed, I searched the
archives, but could not find anything relevant... perhaps I didn't use
the correct search string.

Thanks,
Abhik.
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev



_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev



Attachment: example1.cap
Description: Binary data

Attachment: example2.cap
Description: Binary data