This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm trying to find a proper way to filter requests and responses for GSM MAP operations. So, usually a capture looks like this:

    TCAP
     - Transaction ID
     - Components

    GSM MAP
     - opCode
     - MSISDN
     - etc

I.e., GSM MAP is the payload of TCAP. I filter requests based on MAP values (opCode and msisdn), such as

    (gsm_map.address.digits == "123456789") && (gsm_old.localValue == 45)

The response comes with the same TCAP Transaction ID, so I manually extract it from the request and filter again:

    tcap.tid == 78:16

This shows both the needed request and response. All this can be done by hand by writing filters twice, as described above. I was wondering if it's possible to write one single filter to extract both requests and responses at once (by using msisdn and opCode as inputs only). Is that possible or should one write a postdissector in Lua to do such tasks?

asked 11 Oct '12, 06:47

mariusm


I don't think you can do that with just display filters.

Another way (besides using Lua) would be to use MATE. I'd think you could create a Group Of Packets (GOP) for each MSISDN + opCode and filter on that. Of course you'd probably end up with multiple transactions in each GOP.

answered 11 Oct '12, 10:45

JeffMorriss ♦
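The manual two-step lookup from the question can be scripted with tshark. This is an added example, not part of the original question or answer: the function names are hypothetical, the field names are the ones used in the question, and it assumes `tshark -T fields` prints one frame per line with multiple `tcap.tid` values separated by commas.

```shell
#!/bin/sh
# Added example: two-pass tshark lookup of GSM MAP request/response pairs.
# build_tid_filter and map_dialogues are hypothetical helper names.

# Read tcap.tid values as printed by `tshark -T fields -e tcap.tid`
# (bytes with or without ':' separators, several values per line joined
# by ',') and print one display filter that matches any of them.
build_tid_filter() {
    tr ',' '\n' | tr -d ': \t\r' | tr 'A-F' 'a-f' |
    grep -E '^([0-9a-f]{2})+$' | LC_ALL=C sort -u |
    awk '{
        tid = ""
        for (i = 1; i <= length($0); i += 2)
            tid = tid (i > 1 ? ":" : "") substr($0, i, 2)
        printf "%s(tcap.tid == %s)", (NR > 1 ? " || " : ""), tid
    }'
}

# Pass 1 collects the TIDs of frames matching MSISDN + opCode; pass 2 shows
# every frame carrying one of those TIDs. A TID is only unique while its
# transaction is open, so a long capture can also return later reuse of it.
map_dialogues() {
    pcap=$1 msisdn=$2 opcode=$3
    # Only digits may reach the filter string, so input cannot rewrite it.
    for v in "$msisdn" "$opcode"; do
        case $v in
            ''|*[!0-9]*) echo "msisdn and opcode must be numeric" >&2; return 2 ;;
        esac
    done
    filter=$(tshark -r "$pcap" -T fields -e tcap.tid \
        -Y "(gsm_map.address.digits == \"$msisdn\") && (gsm_old.localValue == $opcode)" |
        build_tid_filter)
    [ -n "$filter" ] || { echo "no matching MAP request" >&2; return 1; }
    tshark -r "$pcap" -Y "$filter"
}
```

Call it as `map_dialogues capture.pcap 123456789 45`; the capture file name is a placeholder.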

question asked: 11 Oct '12, 06:47

last updated: 11 Oct '12, 10:45
