Wireshark-dev: Re: [Wireshark-dev] use Global Title as address in SCCP/SUA?

From: "Luis Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Thu, 29 Mar 2007 00:01:04 +0200
After a deeper analysis of some captures I have, I've come to the
conclusion that it is not a good idea. The GT is something different
than what I believed it to be.

I was considering a way to group together TCAP transactions, taking
into account that for some of those I've seen responses coming from a
different opc than the dpc of the begin. Now, after a detailed analysis
of those traces, I noticed that this was due to an (unavoidable)
misbehavior of the "Flow Graph", where the same SCTP packet carried
more M3UA packets destined to different PCs and, pinfo->src being set
to the opc of the second M3UA packet, the flow graph has the arrow
coming from the wrong OPC. (That's a problem caused by the 1:1
relation between frame and packet that Wireshark assumes.)

Other than that, I found MAP requests with two GTs (from mobile's IMSI
to HLR's) whose response has different GTs (HLR's to VLR's), thus
invalidating any assumption I made about the GT being determinant in
establishing which TCAP transaction the packet belongs to, which was
the issue that had me coming up with the (demented) idea.

Luis

On 3/28/07, Abhik Sarkar <sarkar.abhik@xxxxxxxxx> wrote:
Hmmm... OK, I have yet to use the M3UA dissector, didn't know
that. Anyway, in SUA/SCCP too, it is possible for the CgPA and CdPA to
be only PC-SSN. So, if SCCP/SUA does set the transport address as GT,
it should also set it to point code if only point code is available.
Perhaps the others have something to say about this too. I am curious
though, how do you think it will help?

On 3/28/07, Luis Ontanon <luis.ontanon@xxxxxxxxx> wrote:
> There would still be the IP addresses in net_src/net_dst. It would be much
> like M3UA does that replaces ip src and ip dst by the opc and dpc
> (which I do not doubt it is ok).
>
> What I wonder about is whether the GT is an address or should it be
> just taken as a "port" on a certain address.
>
> On 3/28/07, Abhik Sarkar <sarkar.abhik@xxxxxxxxx> wrote:
> > In case of SUA, wouldn't this mean pinfo->src and pinfo->dst would no
> > longer have the IP end-points of the SCTP association? If yes, is that
> > desirable?
> >
> > On 3/28/07, Luis Ontanon <luis.ontanon@xxxxxxxxx> wrote:
> > > Would it be correct to add an AT_SS7_GT to the address types and have
> > > sccp/sua setting the GTs as pinfo->src & pinfo->dst ???
> > >
> > > Isn't the global title an actual (transport) address?
> > >
> > > Luis
> > >
> > > --
> > > This information is top security. When you have read it, destroy yourself.
> > > -- Marshall McLuhan
> > > _______________________________________________
> > > Wireshark-dev mailing list
> > > Wireshark-dev@xxxxxxxxxxxxx
> > > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> > >
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
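
The GT mismatch described in the top message, as an added example that is not part of the original thread or of Wireshark's code: keying on the GT pair splits each Begin from its End and merges unrelated replies, while matching on the TCAP transaction IDs pairs them. The record field names, GT digits and transaction IDs are constructed, and the sketch assumes transaction IDs are unique within the capture.

```python
from collections import defaultdict

# Constructed sample (all GT digits and transaction IDs are made up). Two MAP
# dialogues shaped like the ones described in the message: each Begin goes from
# an IMSI-derived GT to the HLR's GT, each End comes back from the HLR's GT to
# the VLR's GT.
HLR, VLR = "34607000001", "34607000099"
MESSAGES = [
    {"frame": 1, "type": "begin", "otid": "1a2b", "dtid": None,
     "cgpa_gt": "214070000000001", "cdpa_gt": HLR},
    {"frame": 2, "type": "begin", "otid": "1a2c", "dtid": None,
     "cgpa_gt": "214070000000002", "cdpa_gt": HLR},
    {"frame": 3, "type": "end", "otid": None, "dtid": "1a2b",
     "cgpa_gt": HLR, "cdpa_gt": VLR},
    {"frame": 4, "type": "end", "otid": None, "dtid": "1a2c",
     "cgpa_gt": HLR, "cdpa_gt": VLR},
]


def group_by_gt(messages):
    """Naive grouping: direction-independent key built from the two GTs."""
    groups = defaultdict(list)
    for m in messages:
        groups[frozenset((m["cgpa_gt"], m["cdpa_gt"]))].append(m["frame"])
    return sorted(groups.values())


def group_by_tid(messages):
    """Group by TCAP transaction IDs: a reply echoes the peer's otid as dtid."""
    # Assumption: TIDs are unique in this capture. They are only unique per
    # originating node, so a real correlator needs more than the bare TID.
    by_tid, transactions, orphans = {}, [], []
    for m in messages:
        if m["type"] == "begin":
            frames = [m["frame"]]
            transactions.append(frames)
            by_tid[m["otid"]] = frames
        elif m["dtid"] in by_tid:
            frames = by_tid[m["dtid"]]
            frames.append(m["frame"])
            if m["otid"]:               # Continue: remember the responder's own TID
                by_tid[m["otid"]] = frames
        else:
            orphans.append(m["frame"])  # reply whose Begin is not in the capture
    return transactions, orphans


if __name__ == "__main__":
    print("by GT pair:", group_by_gt(MESSAGES))
    print("by TID    :", group_by_tid(MESSAGES))
```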