Wireshark-users: Re: [Wireshark-users] IUA decode

From: "Ravi Rajaratnam" <Ravi.Rajaratnam@xxxxxxxxxxxx>
Date: Sat, 15 Mar 2008 17:29:21 +1100
Thanks Michael.

I actually traced it using wildpacket ,filtered SCTP messages then saved it and ran it on wireshark. So it looks like wildpacket did not decode properly? I will try again without any filters. Once again thanks for your help.

Ravi 
 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Michael Tüxen
Sent: Friday, 14 March 2008 11:42 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] IUA decode

Hi Ravi,

Wireshark is not able to dissect the packet correclty, because
the packet is not formatted correctly. Section 3.2 of RFC 4233
states that the length of the integer interface parameter is 8,
not 45 as in the trace.

So fix the implementation sending this packet.

Best regards
Michael

On Mar 13, 2008, at 10:14 PM, Ravi Rajaratnam wrote:
> Thanks Weiner.
> I think I did put my question correctly.?
>
> What I am after is how to decode the q931 under IUA  messages using  
> the
> wireshark. I can decode v5.2 messages under V5UA without any issues.  
> For
> some reason I am unable to decode Q931 under IUA. Both IUA & V5UA are
> piggybacked on SCTP. Pls refer to my previous mail attachment for  
> sample
> trace.
>
> regards
> Ravi
> <<mailto:ravi.rajaratnam@xxxxxxxxxxxx>>
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Alan Jay
> Weiner
> Sent: Wednesday, 12 March 2008 11:25 AM
> To: 'Community support list for Wireshark'
> Subject: Re: [Wireshark-users] IUA decode
>
> Hi Ravi,
> I see several things about this packet:
>
> 1) it's using Adler-32 checksum instead of CRC32c  (see RFC 3309)
>
> 2) the upper-layer protocol (payload protocol identifier) is not
> specified
> (it is 0; for IUA it should be 0x01).  I'm not sure why the rest of  
> the
> packet is decoded; it seems to me it should be treated as opaque data
> and
> not decoded.
>
> Assuming that decoding it is correct, then the IUA decodes as a  
> Release
> Indication (message class 0x05, message type 0x0a; see RFC 4233  
> section
> 3.1.2), and includes an Integer Interface ID as a parameter.  But the
> IID
> parameter length is given as 45 - it should be 8 for an integer-based
> Interface ID.  The parameter tag of 0x01 indicates the Integer  
> Interface
> Identifier.  Perhaps it should be 0x03 for a text-based Interface
> Identifier?  (see RFC 4233 section 3.2; figures 3 and 4)
>
> Hope this helps!
>
> - Al Weiner -
>
>
> ------------------------------------------------------------------------
> ----
> Alan Jay Weiner / Valid8.com, Inc. - Conform, Perform & Excel(tm)
> 500 W Cummings Park, Suite #2700, Woburn, MA 01801, USA
> a.weiner@xxxxxxxxxx / Tel:+1-781-938-1221 x112, Fax +1-781-207-0550
> http://www.VALID8.com
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Ravi
> Rajaratnam
> Sent: Tuesday, March 11, 2008 3:48 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] IUA decode
>
> Thanks Anders.
>
>
> Pls find attached a copy of file containing IUA messages. You will see
> v5UA messages as well. v5UA decodes are fine.
>
> regards
> Ravi
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Anders
> Broman
> Sent: Tuesday, 11 March 2008 7:50 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] IUA decode
>
> Hi,
> The latest version is 0.99.8. If you can post the trace file instead  
> we
> could take a look at it to try to determine what's
> wrong.
> Regards
> Anders
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Ravi
> Rajaratnam
> Sent: den 11 mars 2008 00:31
> To: Community support list for Wireshark
> Subject: [Wireshark-users] IUA decode
>
> Sigtran experts!
>
> I have captured IUA  messages using wireshark and tried to  extract  
> Q931
> messages and I see malformed packet.(pls refer to the attached screen
> shot)
>
> Can anyone pls help me to decode this message. Do I need to download  
> the
> latest version wireshark application to decode. If so pls let me know
> the latest application.
>
> regards
>
> Ravi
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users