This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

hello,

i`m looking for some method capable of separating bundled SCTP chunks into separate frames. i think this guy is modifying editcap for sctp-unbundle, but i do not know how to get it . . .

https://gitorious.org/~vasilvelichkov

thanks

asked 19 Jul '12, 02:03

knuf's gravatar image

knuf
1111
accept rate: 0%


besides the tool you mentioned, you can try this perl script:

http://frox25.no-ip.org/~mtve/wiki/SctpDechunk.html

Regards
Kurt

permanent link

answered 19 Jul '12, 02:10

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

thanks, that script works fine, however, are there any plans to include that feature in some of the ws` tools?

rgds

(19 Jul '12, 05:07) knuf

volunteers are welcome to take that challenge ;-)

(19 Jul '12, 06:05) Kurt Knochner ♦

Hi,

Can you please provide an instruction on how I run this script in wireshark to try it out?

BR Harkap

(10 Apr '13, 02:09) harkap

It's a Perl script that processes a capture file. From a shell (or command prompt) on a system that has perl available execute the file passing in the path to a capture file.

(10 Apr '13, 02:50) grahamb ♦
1

Since I just tried out this script, I thought I'd share some advice on how to get it to work.

As already mentioned by others, it's a Perl script. I'm using perl 5, version 14, subversion 2 (v5.14.2) built for i686-linux-gnu-thread-multi-64int. You need to pass two arguments to the script: the input and output filenames.

The input file is a packet capture file and should contain only SCTP packets within IP within Ethernet frames. You can achieve this by using a capture filter for SCTP (e.g., -f sctp in Tshark). If you don't use this capture filter, your packet capture will feature non-SCTP and non-IP packets that the script cannot currently process. In my case, the script failed some one second into the packet capture as it encountered an ARP packet.

The output file will also be a packet capture, although with the packets reorganized in a different way. My understanding is that the script scans the input packet capture file and processes each SCTP packet as follows.

If the SCTP packet contains only one chunk, then it is output as is to the output file.

Otherwise (i.e., the SCTP packet contains more than one chunk), the script generates n packets (as many as the chunks) each of which features a replica of the Frame, Ethernet, and IP parts of the multi-chunk packet, and one single SCTP chunk.

Don't worry about the output file size being smaller than the input file size. Since the Frame, Ethernet, and IP parts are replicated for multi-chunk packets, I was actually expecting an output file larger than the input file. Instead I've got the output file being approximately 10% smaller in size than the input file. However, this may happen because there are relatively many SACK chunks in SCTP packets that are filtered out (not output) by the script.

Finally, you can use the output packet capture file with Wireshark or Tshark.

(12 Apr '13, 13:22) tshark-user
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×33
×25
×4
×3

question asked: 19 Jul '12, 02:03

question was seen: 5,633 times

last updated: 12 Apr '13, 13:22

p​o​w​e​r​e​d by O​S​Q​A