Wireshark-users: Re: [Wireshark-users] issue regarding run-time heuristic dissecting NR -RRC .

From: Vikas Theng <thengvikas2017@xxxxxxxxx>
Date: Wed, 26 Feb 2020 15:24:08 +0530
In run-time it is dissects it as a mac nr completely. (see attachment ). but I when dumping it in .txt file and doing text2pacp -l 252 dummy.txt dummy.pcapng it is not able to dissect it properly. same thing I did for RRC NR. for RRC NR it is working  fine( see attachment ). for MAC NR I want it as exported pdu. why run-time it is dissecting and while dumping in to file it is failing.  

On Wed, Feb 26, 2020 at 2:36 PM Pascal Quantin <pascal@xxxxxxxxxxxxx> wrote:
Hi Vikas,

Le mer. 26 févr. 2020 à 09:52, Vikas Theng <thengvikas2017@xxxxxxxxx> a écrit :
I did modification as you suggested, but with that modification, it is not able to dissect it as mac nr.

As the exported payload is aaaaaaaa.... (as seen in the GUI) it seems like you did not do the proper modification. The exported payload should correspond to the UDP payload of the heuristic cissector, so starting with the mac-nr magic. Presumably this is because your End-of-options tag has a length of 109 instead of 0.
Moreover I forgot to tell you that the heuristic dissector is named mac-nr_udp and not mac-nr.

Best regards,
Pascal.


On Wed, Feb 26, 2020 at 12:42 PM Pascal Quantin <pascal@xxxxxxxxxxxxx> wrote:
Hi Vikas,

Le mer. 26 févr. 2020 à 07:25, Vikas Theng <thengvikas2017@xxxxxxxxx> a écrit :
Hello , 
I am trying to dissect mac-nr exported pdu, it is showing mac-nr in wireshark but not able to dissect complete message. 
I have added mac exported pdu heuristics and mac nr heuristics. please find attachment.  

Based on the screenshot I can spot several errors:
- you should use the tag EXP_PDU_TAG_HEUR_PROTO_NAME and not EXP_PDU_TAG_PROTO_NAME as you want to use the mac-nr heuristic dissector
- the exported PDU payload should be directly the UDP payload, so starting with 6d6163. Remove the first 10 zeroes

Best regards,
Pascal.


On Fri, Feb 7, 2020 at 7:26 PM Pascal Quantin <pascal@xxxxxxxxxxxxx> wrote:
Hi Vikas,

Le ven. 7 févr. 2020 à 14:42, Vikas Theng <thengvikas2017@xxxxxxxxx> a écrit :
Hello.,
 I am trying to dissect the runtime MIB message, but runtime It is showing only LLC protocol.
When I am converting text to pcap using text2pcap -l 252 file.txt file.pacpng and load file pcap file manually it is showing NR RRC protocol but run-time it is failing and showing LLC protocol. please guide me.
 
your text2pcap command creates a file with a linktype set to 252 which corresponds to WIreshark Upper PDU format.
Whatever mechanism you use to generate your runtime stream should use this linktype if you want to be able to decode it. If another linktype is given in the stream, you will get a wrong decoding (like LLC for example).
Alternatively you could write your own encapsulation protocol running on top of a well known UDP port for example, and then a small dissector calling the relevant NR RRC dissector when required (based on some meta data you would transmit in the UDP payload, along with the NR RRC message dump).

Best regards,
Pascal.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

Attachment: mac-nr.png
Description: PNG image

Attachment: nr-rrc.png
Description: PNG image