Wireshark-users: Re: [Wireshark-users] NR-RRC Dissector

From: Anders Broman <anders.broman@xxxxxxxxxxxx>
Date: Wed, 30 Oct 2019 11:42:53 +0000

Hi,

If you followed the tread you could see that Pascal wrote(see below) an explanation why the solution I tried was wrong so I reverted that code and the sample does not work as you can see.

 

This might work:

text2pcap.exe -l 252 MIB.txt" mib.pcapng"

 

With the following content of the .txt file

 

0000   00 0c 00 18 6e 72 2d 72 72 63 2e 62 63 63 68 2e         nr-rrc.mib 6e 72 2d 72 72 63 2e 6d 69 62

0010   62 63 68 00 00 00 00 00 00 00 00 00 00 00 00 00        (nr-rrc.bcch.bch 6e 72 2d 72 72 63 2e 62 63 63 68 2e 62 63 68)

0020   06 f2 d4

 

Regards

Anders

Hi Keval,

 

based on your screenshot you seem to have a proprietary encapsulation in the UDP payload (we can see the string nr-rrc and a BCCH-BCH message - that contains a MIB - is 3 bytes long only). So presumably here the real data you want to decode is 0x06f2d4?

You should request to whoever defined this encapsulation the corresponding Wiresahrk dissector / plugin that calls the NR-RRC dissector. Or use another encapsulation method as the one described by Anders.

 

For the payload 06f2d4, the decoding is:

NR Radio Resource Control (RRC) protocol
    BCCH-BCH-Message
        message: mib (0)
            mib
                systemFrameNumber: 0c [bit length 6, 2 LSB pad bits, 0000 11.. decimal value 3]
                subCarrierSpacingCommon: scs15or60 (0)
                ssb-SubcarrierOffset: 15
                dmrs-TypeA-Position: pos2 (0)
                pdcch-ConfigSIB1
                    controlResourceSetZero: 5
                    searchSpaceZero: 10
                cellBarred: notBarred (1)
                intraFreqReselection: allowed (0)
                spare: 00 [bit length 1, 7 LSB pad bits, 0... .... decimal value 0]

 

Best regards,

Pascal.

 

 

 

From: Manoj Kumar <manoj@xxxxxxxxx>
Sent: den 30 oktober 2019 12:13
To: Anders Broman <anders.broman@xxxxxxxxxxxx>
Cc: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] NR-RRC Dissector

 

Dear Anders Broman,

 

Thanks for your email.

Yes, I went through this, it's just showing EXPORTED_ PDU while I'm opening the .pcapng file, What should I do, so that I'll get MIB Info also?

 

Thanks & Regards,

Manoj 

 

On Wed, Oct 30, 2019 at 2:50 PM Anders Broman <anders.broman@xxxxxxxxxxxx> wrote:

Hi,

Did you check the replies to your previous mails?

https://www.wireshark.org/lists/wireshark-users/201910/msg00019.html

Regards

Anders

 

 

From: Wireshark-users <wireshark-users-bounces@xxxxxxxxxxxxx> On Behalf Of Manoj Kumar
Sent: den 29 oktober 2019 13:02
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] NR-RRC Dissector

 

Dear all,

 

Here I'm mentioning some queries, which given below : 

 

1. I am trying to dissect NR-RRC message i.e. MIB packet, but it is not dissecting. 

Could you please help me, so that it would dissect MIB of NR-RRC?

 

2. Is there any NR-RRC over the UDP protocol being used?

please share the relevant information w.r.t. above questions.

 

I tried on Wireshark-3.0.1, Wireshark-3.0.5, & Wireshark-3.1.0.

 

Kindly, help me to get a solution for the above queries.

 

Thanks & Regards,

Manoj Kumar

Attachment: smime.p7s
Description: S/MIME cryptographic signature