Hi Guys, I'm trying to open a TCAP ANSI trace that is over MTP-2, but Wireshark decodes the lower layers (MTP-2 and MTP-3) as Ethernet. I tried to force the decode to MTP-2 using "Decode As..." but couldn't find such option. Below you can an example: c0 af 28 83 22 73 02 02 e6 e1 0b 09 80 03 05 0a 02 c1 0b 05 c3 08 02 e6 e1 11 e4 0f c7 04 04 00 0b 6c e8 07 ea 05 cf 01 01 f2 00 40 a4 Does anyone know the reason for this? asked 10 Apr '12, 12:48 fertonin |
One Answer:
If this is a pcap or pcap-ng trace, the reason is probably that somebody put the wrong link-layer header type value in the capture file header (for pcap) or Interface Description Block for the interface (for pcap-ng). Wireshark has no "Decode As" for overriding the link-layer header type, because that's not something that's supposed to be wrong. For pcap files, you could try using
where {bad capture file} is the pathname of the file you're trying to open and {name for new capture file} is the pathname for the location where you want the fixed capture file to be put. If you can successfully read the new capture file, you can just replace the old capture file with the new one. answered 10 Apr '12, 15:33 Guy Harris ♦♦ |
Thanks a lot Guy, it worked, I ran the suggested command and was able to see the decode.
So how was that trace produced? Whatever produced it put the wrong link-layer header type in the file, and should probably be fixed to use the right link-layer header type, so the files can directly be read by, for example, Wireshark.
I have a pcap file with both ISUP over MTP-2 packets and ISUP over IP (Ethernet) packets. From what I understand the -T mtp2 is global for the whole packets in the pcap file. Is there a way to set the link-layer type for a packet?
The pcap file format has only a per-file link-layer type, so it can't handle files with a mixture of MTP2 packets and Ethernet packets. Whoever chose to write it out as a pcap file made a mistake by doing so; they should have used pcap-NG format instead.
You'd probably have to write your own tool to read the file, somehow figure out or be told by the user which packets are Ethernet packets and which packets are MTP2 packets, and write out a pcap-NG file.