This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

lua tap and multiple instances of a protocol in one frame

0

I've got the following situation in one frame in my capture file:

Frame
  ethernet
    IP
      SCTP -> MTP3 -> *SCCP* -> TCAP -> INAP
      SCTP -> MTP3 -> SCCP -> TCAP -> INAP
      SCTP -> MTP3 -> _SCCP_ -> TCAP -> _CAP_

I want to extract information from _CAP_ and _SCCP_ (both marked with underscores above). I used the following extractors:

called_party_msisdn_extractor = Field.new("e164.called_party_number.digits")
calling_party_msisdn_extractor = Field.new("e164.calling_party_number.digits")
sccp_called_gt = Field.new("sccp.called.digits")
sccp_calling_gt = Field.new("sccp.calling.digits")
frame_number = Field.new("frame.number")
frame_time = Field.new("frame.time_epoch")
service_key = Field.new("camel.serviceKey")

But what I got was data from _CAP_ and *SCCP* (not from _SCCP_).

How do I write a tap to make it possible to get _CAP_ and _SCCP_?

asked 15 May '12, 12:18


tciops
6225
accept rate: 0%

Please post a sample capture at http://cloudshark.org

(15 May '12, 14:54) helloworld

The capture contains data which I don't want to and am not allowed to send - real user traffic with all confidential data.

Cannot post it anywhere sorry...

(16 May '12, 01:18) tciops

You could select 3-4 packets with no "compromising" data in them.

(16 May '12, 01:38) Kurt Knochner ♦

All I can do is post you a text representation of this frame without any vulnerable data. Unless you know a way to modify a pcap file to change this data?

(16 May '12, 02:18) tciops

You can try this: http://sourceforge.net/projects/powereditpcap/ or any HEX editor, if you know exactly what data to change. Be careful not to change the header data.

BTW: can you post the whole dissector code? If that's not the case, I think it will be hard to help.

(16 May '12, 02:35) Kurt Knochner ♦

It's not possible to post it or even attach it here so here is the link http://cdn.anonfiles.com/1337162613946.txt

(16 May '12, 03:07) tciops

powereditcap doesn't know how to edit SS7 protocols. I gave up; it's not that easy and it's not so urgent. Frame txt: http://cdn.anonfiles.com/1337164422323.txt

(16 May '12, 03:38) tciops

It's hard to test the Lua tap with the text file. Can you please upload the same information in binary form (pcap) to cloudshark (or, if you like, to anonfiles.com)?

(16 May '12, 04:29) Kurt Knochner ♦

One Answer:

1

If I understand the problem correctly, you're trying to fetch the last instance of "e164.called_party_number.digits" and "e164.calling_party_number.digits" in an SCCP packet from a tap. The Field extractor fetches all instances of the named field, and they're normally accessed in a for loop. Try this Lua:

local logfile = "CAP_IDP_DATA_"..os.date("%Y%m%d")..".csv"
io.output(logfile)

local called_party_msisdn_extractor = Field.new("e164.called_party_number.digits")
local calling_party_msisdn_extractor = Field.new("e164.calling_party_number.digits")
local sccp_called_gt = Field.new("sccp.called.digits")
local sccp_calling_gt = Field.new("sccp.calling.digits")

-- XXX: you don't need these frame fields. You can get them from pinfo.number and pinfo.abs_ts
--local frame_number = Field.new("frame.number")
--local frame_time = Field.new("frame.time_epoch")

local service_key = Field.new("camel.serviceKey")

io.write("FRAME|GT|SKEY|MSISDNs|TIME\n")

local tap_cap = Listener.new(nil,"camel.local == 0")

-- Gets the last instance of a Field extractor.
-- Returns nil if nothing extracted.
local function last(field)
    local last_elem = nil

    -- no easy way to get last element of userdata,
    -- so iterate the returned values until it reaches
    -- the last element
    for _,f in ipairs({ field() }) do
        last_elem = f
    end

    return last_elem
end

function tap_cap.packet(pinfo,tvb)
    local calling = last(calling_party_msisdn_extractor)
    local called = last(called_party_msisdn_extractor)

    local called_gt = sccp_called_gt()
    local calling_gt = sccp_calling_gt()

    -- XXX: replaced field extractors with equivalent pinfo accessors
    --local frame_no = frame_number()
    --local frame_t = frame_time()
    local frame_no = pinfo.number
    local frame_t = string.format("%.9f", pinfo.abs_ts)

    local skey = service_key()

    io.write(tostring(frame_no) .. "|" .. tostring(calling_gt) .. " -> " .. tostring(called_gt)
        .. "|" .. tostring(skey)
        .. "|" .. tostring(calling) .. " > " .. tostring(called)
        .. "|" .. tostring(frame_t) .. "\n")
end

answered 16 May '12, 04:50


helloworld
3.1k42041
accept rate: 28%

Thanks helloworld. It’s almost the thing I wanted to get.

If I change the order of data in the frame just a little, to look like this:

Frame
  ethernet
    IP
      SCTP -> MTP3 -> SCCP -> TCAP -> INAP
      SCTP -> MTP3 -> SCCP -> TCAP -> CAP
      SCTP -> MTP3 -> SCCP -> TCAP -> INAP

I would get the last SCCP info and the CAP info I want. I need data from CAP and SCCP which encapsulates this CAP packet (using TCAP). So, I guess I will have to somehow master this looping proposition. I just need to compare it with sccp.called.ssn.

(16 May '12, 06:05) tciops
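The answer's `last()` helper picks the last instance of each extractor independently, which is why the follow-up comment still gets the wrong SCCP when CAP is not the final PDU in the frame. Pairing by position in the frame is the robust way to do it: every FieldInfo carries an `offset` and `len` relative to the frame's data source, so a CAP field can be matched to the one SCCP PDU whose byte range contains it. The tap below is an added example (not code from the original answer or from the Wireshark project) that does that for every CAP instance in a frame. It assumes the `sccp` protocol item spans the whole SCCP message including its user data (which is how Wireshark adds it), that all three SCTP DATA chunks are dissected from the same frame data source (no SCTP reassembly across frames, otherwise offsets from different sources are not comparable), and it reuses the field names and the `camel.local == 0` filter from the question and answer.

```lua
-- Added example: pair each CAP instance with the SCCP PDU that carries it.
-- Assumption: the "sccp" protocol item covers the entire SCCP message, so
-- the TCAP/CAP fields it transports fall inside its [offset, offset+len) range.

local f_sccp       = Field.new("sccp")                  -- one item per SCCP PDU
local f_called_gt  = Field.new("sccp.called.digits")
local f_calling_gt = Field.new("sccp.calling.digits")
local f_called_ssn = Field.new("sccp.called.ssn")       -- the SSN the asker wants to compare
local f_skey       = Field.new("camel.serviceKey")
local f_called_nr  = Field.new("e164.called_party_number.digits")
local f_calling_nr = Field.new("e164.calling_party_number.digits")

-- True when FieldInfo `inner` lies entirely inside the byte range of `outer`.
-- FieldInfo.offset is relative to the frame's data source, so fields from
-- different layers of the same frame can be compared directly.
local function contains(outer, inner)
    return inner.offset >= outer.offset
       and inner.offset + inner.len <= outer.offset + outer.len
end

-- First instance of `field` that sits inside `outer`, or nil if there is none.
local function first_within(field, outer)
    for _, fi in ipairs({ field() }) do
        if contains(outer, fi) then
            return fi
        end
    end
    return nil
end

-- The SCCP PDU item enclosing `fi`, or nil (e.g. different data source).
local function enclosing_sccp(fi)
    for _, s in ipairs({ f_sccp() }) do
        if contains(s, fi) then
            return s
        end
    end
    return nil
end

io.write("FRAME|GT|SSN|SKEY|MSISDNs|TIME\n")

local tap_cap = Listener.new(nil, "camel.local == 0")

function tap_cap.packet(pinfo, tvb)
    -- One output line per CAP instance; each gets the addressing of its own SCCP PDU,
    -- so INAP PDUs before or after it in the same frame no longer interfere.
    for _, skey in ipairs({ f_skey() }) do
        local sccp = enclosing_sccp(skey)
        if sccp == nil then
            io.write(string.format("%d|no enclosing SCCP PDU for serviceKey %s\n",
                                   pinfo.number, tostring(skey)))
        else
            local called_gt  = first_within(f_called_gt,  sccp)
            local calling_gt = first_within(f_calling_gt, sccp)
            local ssn        = first_within(f_called_ssn, sccp)
            local called     = first_within(f_called_nr,  sccp)
            local calling    = first_within(f_calling_nr, sccp)
            io.write(string.format("%d|%s -> %s|%s|%s|%s > %s|%.9f\n",
                pinfo.number,
                tostring(calling_gt), tostring(called_gt),
                tostring(ssn),
                tostring(skey),
                tostring(calling), tostring(called),
                pinfo.abs_ts))
        end
    end
end
```

Because the lookup is driven by the CAP field rather than by list position, the frame layouts from both the question and the follow-up comment (CAP last, or CAP in the middle) produce the same result. If a frame ever yields a "no enclosing SCCP PDU" line, the CAP field came from a different data source than the SCCP items (typically reassembly), and that is the case where offset comparison cannot be trusted.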