Hi,
With what Wireshark version is this? And a (synthetic) sample capture would go a long way in investigating this.
Thanks,
Jaap
> On 6 Dec 2023, at 12:08, Ariel Burbaickij <ariel.burbaickij@xxxxxxxxx> wrote:
>
> Hello all,
>
> we have a special setup here: SS7 E1 is converted to SCTP traffic with the following basic schema (I cannot share capture itself, just in case):
> -- there are no INITs, HEARTBEATs/ACK, SACKs, just DATA chunks sent in both directions as containers then for the traffic on higher layers.
> -- each linkset, of which there are many, is represented like this:
> 1.1.1.1 <-> 2.2.2.2
> 3.3.3.3 <-> 4.4.4.4
> 5.5.5.5 <-> 6.6.6.6
> etc.
> so, that one and the same IP address is never re-used for several associations and <-> means bidirectional traffic. All associations use the same port 2904 on both sides.
>
>
> vtags used per direction are last two bytes of the source IP in the least significant bytes of vtag field, so for the second association it is:
>
> 0x00000303 from 3.3.3.3 to 4.4.4.4
> and
> 0x00000404 from 4.4.4.4 to 3.3.3.3
> etc.
>
> and TSNs are verified to be accurate too.
>
> Now, upon selecting the packet from, say 3.3.3.3 to 4.4.4.4 and "Analyse this Association", we get multi-homed association reported with always larger vtag reported as part of association, so as a matter of example:
>
> Endpoint 1 is 1.1.1.1 and 3.3.3.3 (vtag 0x00000303)
> Endpoint 2 is 2.2.2.2 and 4.4.4.4 (vtag 0x00000404)
>
> so, why does analysis fail here, where it should not?
>
> Kind Regards
> Ariel Burbaickij