Wireshark-users: [Wireshark-users] mux27010 capture

Date: Fri, 02 Jan 2015 11:42:52 +0100
Hello!

I have to debug a problem with the multiplex protocol of a GSM modem. I came across Wireshark being able to dissect the mux27010 protocol, which would be of big value to me. I did manage to capture some mux data from the UART, but that does not seem to fit what Wireshark expects.

Here is my setup: I have a GSM modem connected to the UART of an ARM processor running Linux. In Linux the n_gsm mux driver is attached to the UART and does the muxing. I have now modified the n_gsm driver to hand me a copy of the data it sends to the UART right before it leaves the mux driver.

Okay, I now have captured data, and what I capture this way looks valid to me according to the mux spec in 3GPP TS 07.10 V7.2.0. I then convert this data to a hexdump with od -Ax -tx1 -v as stated in the Wireshark documentation, and this is what I import into Wireshark using the Import from hex dump... dialog. There I select my file and MUX27010 as the encapsulation type.

The dissection Wireshark then does is garbage. In the MUX27010 Protocol, Wireshark expects an extended header which I do not have in my capture and which I cannot find in the specification. If I remove this extended header part from the dissector and compile Wireshark, it correctly dissects the first (and only the first) mux packet for me.

So my questions are:

Where does this extended header come from and what does it contain? As it does not seem to be part of the mux specification (and it is very unlikely to be seen on the UART line), I suspect some capturing tool is injecting this data.

What is the preferred way of capturing this mux data?

Thanks in advance,
Lars