Wireshark-users: [Wireshark-users] Newbie question: what to make of some COTP decoding.

Date Prev · Date Next · Thread Prev · Thread Next
From: "Andre Steenveld" <andre.steenveld@xxxxxxxxxxxxx>
Date: Wed, 1 Aug 2012 15:34:36 +0200

Hi,

 

I’m quite new to using wireshark and have a question about some output for the COTP protocol.

I tried to find an answer in the wireshark documentation and in the archives but could not come up with a full answer.

 

To keep the length of this message within limits I’ve not included the full output of Wireshark and for reason of company rules I had to remove the full IP numbers. I hope I’ve not left out some essential parts but if needed, I still have all the data available. I just hope someone can help me with my questions. (Thanks in advance!)

 

Here is information on the frames I have questions about.

 

34     7.878448      A.B.C.10      A.B.C.204     COTP   76     CR TPDU src-ref: 0x0021 dst-ref: 0x0000

35     7.884993      A.B.C.204     A.B.C.10      COTP   76     CC TPDU src-ref: 0x0800 dst-ref: 0x0021

36     7.885090      A.B.C.10      A.B.C.204     MMS    245    initiate-RequestPDU

 

Frame 36: 245 bytes on wire (1960 bits), 245 bytes captured (1960 bits)

...

ISO 8073 COTP Connection-Oriented Transport Protocol

       Length: 2

       PDU Type: DT Data (0x0f)

       [Destination reference: 0x40000]

       .000 0000 = TPDU number: 0x00

       1... .... = Last data unit: Yes

...

 

The highlighted bytes for the COTP data.

0000   02 f0 80                                         ...

 

All is clear except the line “[Destination reference: 0x40000]

The ‘[‘ and ‘]’ suggest that Wireshark did add this line to the output and that the data is not from the frame itself.

The ‘Destination reference’ and the value to it is the bit I have problems with.

1) COTP knows a dst-ref and “Destination reference” here might be the same but is that the case?

2) A value of 0x40000 for dst-ref is impossible, a dst-ref is two bytes long.

3) If this reference to “Destination reference” is equal to dst-ref then its value should be 0x0800

4) Where does the value 0x40000 come from? The COTP part in the frame is only 3 bytes long and this value is not in it!

 

What am I missing here?

 

Similar case, another tracefile.

 

9      5.371056      A.B.C.10      A.B.C.200     COTP   76     CR TPDU src-ref: 0x0021 dst-ref: 0x0000

10     5.397558      A.B.C.200     A.B.C.10      COTP   76     CC TPDU src-ref: 0x0002 dst-ref: 0x0021

11     5.397633      A.B.C.10      A.B.C.200     MMS    245    initiate-RequestPDU

 

Frame 11: 245 bytes on wire (1960 bits), 245 bytes captured (1960 bits)

...

ISO 8073 COTP Connection-Oriented Transport Protocol

       Length: 2

       PDU Type: DT Data (0x0f)

       [Destination reference: 0x0000]

       .000 0000 = TPDU number: 0x00

       1... .... = Last data unit: Yes

...

 

The highlighted bytes for the COTP data.

0000   02 f0 80                                         ...

 

5) A value of 0x0000 for dst-ref is illegal, a value of 0x0000 is only allowed during negotiation (CR/CC sequence in frames 9 and 10)

6) If this reference to “Destination reference” is equal to dst-ref then its value should be 0x0002

7) Where does the value 0x0000 come from? The COTP part in the frame is only 3 bytes long and this value is not in it!

 

Kind regards,

 

André Steenveld.