My traffic is built with protocols like below: IP / UDP / MAC-es / RLC / TCP

but Wireshark can only decode the frame up to the UDP layer. Aside from writing my own dissector, is there anything else I can do?

Thanks!

asked 10 May '12, 22:51


leonizeme

If you are not writing out a header in the FP-hint format, I don't think it will help you.

If you do write out this information, you could try adding something like:

    dissector_handle_t fp_hint_handle = find_dissector("fp_hint");
    dissector_add_handle("udp.port", fp_hint_handle); /* for 'decode-as' */

to proto_reg_handoff_fp_hint().

This will let you right-click 'Decode As' on those PDUs and choose FP-Hint as the protocol to use. If this is useful to you, this change can be submitted. The FP-hint format doesn't look too complicated.

(11 May '12, 03:39) MartinM

Another approach would be to look at the UDP framing that has been implemented for RLC (and used as a heuristic dissector). See http://wiki.wireshark.org/RLC for details (including test code for encoding UDP frames in this format). A similar thing is also done for LTE MAC, RLC and PDCP, but UMTS RLC is most similar in that it will also need to supply FP information. I do not have the time to implement this at the moment, but would be happy if you want to submit a patch.

(11 May '12, 03:49) MartinM

As you have all the other headers encapsulated, you could just remove everything up to the UDP header with bittwist's pcap editor (bittwiste).

Ubuntu:

apt-get install bittwist

Try this first. This will remove "standard" Ethernet, IP and UDP headers.

bittwiste -I orig.cap -O stripped.cap -D 42 -M 1

If there are VLAN tags, IP Options, etc. you'll have to figure out the correct length with wireshark and then cut off the right number of bytes.

Regards
Kurt


answered 11 May '12, 00:15


Kurt Knochner ♦
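The "figure out the correct length" step in the answer above is where a fixed 42-byte cut goes wrong: an 802.1Q tag adds 4 bytes and IPv4 options add whatever the IHL says. The script below is an added example, not part of Kurt's answer and not code from bittwist or Wireshark. It walks the Ethernet, VLAN, IPv4 and UDP headers of every record in a classic pcap, cuts each frame at the real payload offset, and writes the result with link type DLT_USER0 (147) so that the payload can be handed to a dissector via Preferences > Protocols > DLT_USER in Wireshark. The file names, MAC and IP addresses, UDP ports and the sample payload are all constructed for illustration; checksums in the sample are left at zero.

```python
"""Strip Ethernet / 802.1Q / IPv4 (+options) / UDP headers from a classic pcap so each
record starts at the UDP payload; output gets DLT_USER0 so Wireshark can map it to a dissector."""
import struct
import sys

LINKTYPE_ETHERNET, LINKTYPE_USER0 = 1, 147
ETHERTYPE_IPV4, IPPROTO_UDP = 0x0800, 17
VLAN_ETHERTYPES = (0x8100, 0x88A8, 0x9100)
LE_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # usec / nsec pcap, little-endian
BE_MAGICS = (0xD4C3B2A1, 0x4D3CB2A1)   # usec / nsec pcap, big-endian

def udp_payload_offset(frame: bytes) -> int:
    """Offset of the UDP payload in an Ethernet frame, or -1 if it is not Ethernet/IPv4/UDP.
    Walks stacked VLAN tags and honours the IPv4 IHL, so the cut is right when the prefix is not 42 bytes."""
    if len(frame) < 14:
        return -1
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14      # after dst+src MAC
    while ethertype in VLAN_ETHERTYPES:                               # each tag: TCI + inner type
        if len(frame) < off + 4:
            return -1
        ethertype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return -1
    ver_ihl, proto = frame[off], frame[off + 9]
    ihl = (ver_ihl & 0x0F) * 4                                        # header length incl. options
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != IPPROTO_UDP:
        return -1
    off += ihl + 8                                                    # IPv4 header + 8-byte UDP header
    return off if len(frame) >= off else -1

def pcap_endian(pcap: bytes) -> str:
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic in LE_MAGICS:
        return "<"
    if magic in BE_MAGICS:
        return ">"
    raise ValueError("not a classic pcap (pcapng is not handled; run editcap -F pcap first)")

def iter_records(pcap: bytes):
    """Yield (ts_sec, ts_frac, orig_len, frame) for each record of a classic pcap."""
    e, off = pcap_endian(pcap), 24
    while off + 16 <= len(pcap):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(e + "IIII", pcap, off)
        off += 16
        yield ts_sec, ts_frac, orig_len, pcap[off:off + incl_len]
        off += incl_len

def strip_pcap(pcap: bytes, out_linktype: int = LINKTYPE_USER0):
    """Return (new_pcap, kept, dropped); non-Ethernet/IPv4/UDP frames are dropped, not cut blindly."""
    e = pcap_endian(pcap)
    if struct.unpack_from(e + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("input link type is not Ethernet")
    out = bytearray(pcap[:20]) + struct.pack(e + "I", out_linktype)  # same header, new link type
    kept = dropped = 0
    for ts_sec, ts_frac, orig_len, frame in iter_records(pcap):
        cut = udp_payload_offset(frame)
        if cut < 0:
            dropped += 1
            continue
        payload = frame[cut:]
        out += struct.pack(e + "IIII", ts_sec, ts_frac, len(payload), max(orig_len - cut, len(payload)))
        out += payload
        kept += 1
    return bytes(out), kept, dropped

# ---- constructed sample input (checksums left at 0; not a real capture) ----
def build_frame(payload: bytes, vlan: bool = False, ip_options: bytes = b"") -> bytes:
    eth = bytes.fromhex("001122334455" "66778899aabb")
    if vlan:
        eth += struct.pack("!HH", 0x8100, 100)                      # 802.1Q tag, VID 100
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    opts = ip_options + b"\x00" * (-len(ip_options) % 4)            # options pad to 32-bit words
    ihl = 5 + len(opts) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8 + len(payload), 0x1234, 0,
                     64, IPPROTO_UDP, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + opts
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0)
    return eth + ip + udp + payload

def build_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 1336700000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

SAMPLE_PAYLOAD = b"\x01\x02\x03\x04stand-in for FP/MAC/RLC bytes"
ARP_FRAME = b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28   # not UDP: must be dropped
SAMPLE_PCAP = build_pcap([
    build_frame(SAMPLE_PAYLOAD),                                    # 42-byte prefix (14+20+8)
    build_frame(SAMPLE_PAYLOAD, vlan=True),                         # 46 bytes: VLAN tag
    build_frame(SAMPLE_PAYLOAD, ip_options=b"\x94\x04\x00\x00"),    # 46 bytes: IHL=6 (router alert)
    ARP_FRAME,
])

if __name__ == "__main__":                                          # strip_udp.py orig.cap stripped.cap
    data = open(sys.argv[1], "rb").read() if len(sys.argv) == 3 else SAMPLE_PCAP
    stripped, kept, dropped = strip_pcap(data)
    if len(sys.argv) == 3:
        open(sys.argv[2], "wb").write(stripped)
    print(f"kept {kept} UDP frames, dropped {dropped} non-UDP frames")
```

Run it as `python3 strip_udp.py orig.cap stripped.cap`; with no arguments it processes the built-in sample, whose three UDP frames come out identical despite the 42, 46 and 46-byte prefixes, and whose ARP frame is dropped rather than cut at a guessed offset. Only classic pcap is handled; convert pcapng input with `editcap -F pcap` first. Once the stripped file is open in Wireshark, assign the protocol for DLT 147 under Preferences > Protocols > DLT_USER, or use 'Decode As' if the dissector registers for it.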

Thanks

I tried, but I still got no decoding. I removed the bytes up to the UDP header using editcap, but still no decoding of FP-hint. I have enabled FP-hint.

Could you help? Maybe I missed some settings or plug-ins?

(11 May '12, 01:02) leonizeme

Can you upload 3-4 packets to cloudshark.org?

BTW: How come your data is encapsulated in a UDP packet?

(11 May '12, 01:42) Kurt Knochner ♦

> BTW: How come your data is encapsulated in a UDP packet?

Probably because it's UMTS traffic - various flavors of mobile phone network traffic seem to be encapsulated in UDP packets in order to feed them to analyzers such as Wireshark.

That means the problem isn't the UDP encapsulation, the problem is probably as described by Martin Mathieson in his comments.

(11 May '12, 19:51) Guy Harris ♦♦

FP | MAC | RLC is relayed over wires on the Iub interface, over ATM or UDP. We don't support decoding the real traffic like this, although Anders has been starting to configure it based on signalling info. FP-hint and FP are not the same thing though.

(12 May '12, 01:37) MartinM

It should be possible to add preferences (UAT) to the fp-hint dissector to set up conversation data that will dissect real FP UDP traffic.

(12 May '12, 05:47) Anders ♦
question was seen: 2,612 times

last updated: 12 May '12, 05:47