Wireshark-users: Re: [Wireshark-users] mux27010 capture

From: Lars Poeschel <poeschel@xxxxxxxxxxx>
Date: Wed, 14 Jan 2015 11:26:48 +0100
I am sorry for messing up the mails thread id, but it is very hard to answer 
to a mail where one itself is not the receipient. I am not subscribed to the 
mailing list.

> On 1/2/2015 5:42 AM, poeschel@xxxxxxxxxxx wrote:
> > Hello!
> >
> > I have to debug a problem with the multiplex protocol of a gsm
> > modem. I came across wireshark being able to dissect mux27010
> > protocol which would be of big value to me.
> >
> > I did manage to capture some mux data from the uart but that does
> > not seem to fit to that what wireshark expects. Here is my setup: I
> > have a gsm modem connected to the uart of an arm processor running
> > linux. In linux the n_gsm mux driver is attached to the uart and does
> > the muxing. I now modified the n_gsm driver to hand me out a copy the
> >  data it sends to the uart right before it leaves the mux driver.
> >
> > Okay, I now have captured data and what I capture this way looks
> > valid to me according to the mux spec in 3GPP TS 07.10 V7.2.0. I
> > then convert this data to a hexdump with od -Ax -tx1 -v as stated in
> > wireshark documentation and this is what I import to wireshark using
> > the Import from hex dump... dialog. There I select my file and
> > MUX27010 as encapsulation type.
> >
> > The dissection wireshark then does is garbage. In the MUX27010
> > Protocol wireshark expects an extended header which I do not have in
> > my capture and which I can not find in the specification. If I remove
> > this extended header part from the dissector and compile wireshark,
> > it correctly dissects the first (and only the first) mux packet to
> > me.
> >
> > So my questions are: Where does this extended header come from and
> > what does it contain ? As it does not seem to be part of the mux
> > specification (and it is very unlikely to be seen on the uart line) I
> > suspect some capturing tool injecting this data. What is the
> > preferred way of capturing this mux data ?
> >
> > Thanks in advance, Lars
> 
> I'm not familiar with the protocol but the following may help:
> 
> http://www.tcpdump.org/linktypes/LINKTYPE_MUX27010.html

Thanks for that. I did not know this. If I understand this right, this does 
not comply with the 3gpp specification, but instead a special siemens/cinterion 
variant of the protocol that is not compatible with the original 3gpp 
protocol.
It would be great to note that fact somewhere in the wireshark code and/or in 
the wireshark doc.

Bill, thanks again for your reply. That helped me a lot.

Lars