hello, i`m looking for some method capable of separating bundled SCTP chunks into separate frames. i think this guy is modifying editcap for sctp-unbundle, but i do not know how to get it . . . https://gitorious.org/~vasilvelichkov thanks asked 19 Jul '12, 02:03 knuf |
One Answer:
besides the tool you mentioned, you can try this perl script:
Regards answered 19 Jul '12, 02:10 Kurt Knochner ♦ |
thanks, that script works fine, however, are there any plans to include that feature in some of the ws` tools?
rgds
volunteers are welcome to take that challenge ;-)
Hi,
Can you please provide an instruction on how I run this script in wireshark to try it out?
BR Harkap
It's a Perl script that processes a capture file. From a shell (or command prompt) on a system that has perl available execute the file passing in the path to a capture file.
Since I just tried out this script, I thought I'd share some advice on how to get it to work.
As already mentioned by others, it's a Perl script. I'm using perl 5, version 14, subversion 2 (v5.14.2) built for i686-linux-gnu-thread-multi-64int. You need to pass two arguments to the script: the input and output filenames.
The input file is a packet capture file and should contain only SCTP packets within IP within Ethernet frames. You can achieve this by using a capture filter for SCTP (e.g., -f sctp in Tshark). If you don't use this capture filter, your packet capture will feature non-SCTP and non-IP packets that the script cannot currently process. In my case, the script failed some one second into the packet capture as it encountered an ARP packet.
The output file will also be a packet capture, although with the packets reorganized in a different way. My understanding is that the script scans the input packet capture file and processes each SCTP packet as follows.
If the SCTP packet contains only one chunk, then it is output as is to the output file.
Otherwise (i.e., the SCTP packet contains more than one chunk), the script generates n packets (as many as the chunks) each of which features a replica of the Frame, Ethernet, and IP parts of the multi-chunk packet, and one single SCTP chunk.
Don't worry about the output file size being smaller than the input file size. Since the Frame, Ethernet, and IP parts are replicated for multi-chunk packets, I was actually expecting an output file larger than the input file. Instead I've got the output file being approximately 10% smaller in size than the input file. However, this may happen because there are relatively many SACK chunks in SCTP packets that are filtered out (not output) by the script.
Finally, you can use the output packet capture file with Wireshark or Tshark.