Wireshark-users: Re: [Wireshark-users] LAPD decode problem

From: "Harvey, James B." <Jim.Harvey@xxxxxxxxxxx>
Date: Mon, 20 Jul 2009 14:32:18 -0500
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Friday, July 17, 2009 2:26 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] LAPD decode problem


On Jul 17, 2009, at 6:59 AM, Harvey, James B. wrote:

> I have traces captured by an Agilent J2300 Advisor.  The protocol is  
> FTAM over CLNP over LAPD.

FTAM running over an ISDN D-channel?

> The Advisor decodes LAPD but no higher.  I have not found a way to 
> convert these trace files to .PCAP directly

Do you have any documentation on the Advisor trace file format?

If not, do you have any Advisor trace files along with a printout of the dissection of the files?

If you have either or both of them, we might be able to make Wireshark capable of reading at least some of those files.

> so I print to file the capture hex only, then massage the print file 
> with TCL to get something I can feed to text2pcap.  Looks like this:

	...

> This is an FTAM data PDU, a LAPD ack, and I think an FTAM ack.   
> Text2pcap does convert,

What link-layer type did you use?  (I.e., what value did you pass to the "-l" flag when you ran text2pcap?)

___________________________________________________________________________

Guy & company -

AFAIK, Agilent did not document their file formats.  I attached a Zip file with a capture, a print of the capture, and a picture of the stack; it's the one in the middle. This capture was saved with only data.

I have tried the WildPackets converter on J2300 captures and it will not read the file.

This is not ISDN, it is a SONET DCC channel. We use optical splitters to send part of the signal to a pair of Agilent 37718 test sets which have the ability to detour the DCC channel to an RS-449 jack.  These are cabled to the J2300D WAN analyzer. In the attached sample there is an FTAM software download going on but there are some of the normal ES and IS hellos also.

I didn't use any -l option with text2pcap. Do you have a suggestion? The only LAPD I see in bpf.h is type 177, and Wireshark won't even load a file converted with that.

Thanks for looking at this.

Attachment: J2300Dcaptures.zip
Description: J2300Dcaptures.zip