Wireshark-users: Re: [Wireshark-users] Parsing GSM bits

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 11 Sep 2008 14:06:17 -0700

On Sep 11, 2008, at 8:19 AM, Isaac Gerg wrote:

I have seen through various places on the net that one can decode GSM
data using wireshark.  How does this work?

That depends on what you mean by "GSM data".

At least according to the diagram in

	http://wiki.wireshark.org/GsmProtocolFamily

there are a lot of interfaces in GSM, and a lot of protocols running over those interfaces.

Wireshark understands many of those protocols; as far as I know, it does not understand all of them. (So, for example, don't infer, from the existence of some GSM A-interface dissectors in Wireshark, that it's capable of handling R-interface packets.)

I have seen one case in which the GNU Radio software feeds wireshark the data directly.
However, the source of this information seems to be more than a year old.

Presumably that's GSSM:

	http://thre.at/gsm/

It involves

1) a somewhat "hacky" (to quote that page) mechanism by which the GNU Radio and GSSM software stuffs packets down a Linux tunnel interface;

2) a patch to Wireshark to detect those packets and decode them as the appropriate protocol.

That presumably handles the R interface (handset-to-base-station) and at least some of the protocols running atop that interface.

Standard Wireshark handles the A interface (base-station-to-core-network, at least as I read the diagram); I assume that's transported atop various wired networks also supported by Wireshark.

Is it possible to just capture the bits to a text file (stored as just
'1' and '0') and then feed it into wireshark and have it decode it?

Not without teaching Wireshark how to read the text file - and you'd probably be better off capturing the bits to a binary file, storing 1's as 1's and 0's as 0's, and having Wireshark read *those* files (decoding text files is a pain).

In any case, you'd only be able to do that if all the protocols in the capture are protocols Wireshark understands. What interface is this traffic going over, and what protocols are being used?
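As an added example (not code from this message, from Wireshark or from GSSM): a small Python converter that does what the reply suggests, packing an ASCII '0'/'1' bit dump into a binary pcap file that Wireshark can open. It assumes a text layout of one frame per line (the thread specifies none) and writes the frames with link type DLT_USER0 (147), which Wireshark can be pointed at a dissector through its "User DLTs" protocol preference.

```python
import struct

# Constructed sample input (not from the thread): ASCII '0'/'1' bits,
# whitespace allowed, one frame per line. This per-line layout is an
# assumption; the mailing-list post does not define a text format.
SAMPLE_TEXT = """\
0000 0001 0010 0011
11111111 00000000
"""

# DLT_USER0: Wireshark maps this link type to a dissector via the
# "User DLTs" preference, so the bytes are handed to the chosen protocol.
LINKTYPE_USER0 = 147


def bits_to_bytes(line: str) -> bytes:
    """Pack a string of '0'/'1' characters into bytes, MSB first.
    Whitespace is ignored; a trailing partial byte is zero-padded on the right."""
    bits = "".join(ch for ch in line if not ch.isspace())
    if any(ch not in "01" for ch in bits):
        raise ValueError("only '0', '1' and whitespace are allowed")
    bits += "0" * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def pcap_global_header(linktype: int, snaplen: int = 65535) -> bytes:
    # pcap file header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, network
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(payload: bytes, ts_sec: int, ts_usec: int = 0) -> bytes:
    # pcap record header: ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload


def text_bits_to_pcap(text: str, linktype: int = LINKTYPE_USER0) -> bytes:
    """Convert a bit-dump text (one frame per line) into a complete pcap image.
    Each non-empty line becomes one packet; the line index serves as a fake timestamp."""
    out = bytearray(pcap_global_header(linktype))
    for n, line in enumerate(text.splitlines()):
        if line.strip():
            out += pcap_record(bits_to_bytes(line), ts_sec=n)
    return bytes(out)


if __name__ == "__main__":
    with open("bits.pcap", "wb") as f:
        f.write(text_bits_to_pcap(SAMPLE_TEXT))
```

Open the resulting file in Wireshark and set the DLT_USER0 entry under Edit > Preferences > Protocols > DLT_USER to the dissector that matches whatever protocol the bits actually carry.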