I wonder how does Wireshark know that there is BSSAP underlying the SCCP protocol ? asked 29 Jan '13, 04:06  ahmediukas |
One Answer:
By the sub system number, SSN 98 is tied to BSSAP, changable by a protocol preference. answered 29 Jan '13, 05:58  Anders ♦ |
Isnt SSN specified as 250 (BSC) and 251 (MSC) ? And further, it is in the SCCP DataForm1 message, so no SSN's provided (as in UDT) Example: http://cloudshark.org/captures/ea49319c49ca
BSSAP is also detected heuristically, SCCP has a heuristic table where dissectors can register to have a peek a the packet and claim it if it's determined to be the protocol in question - might not be correct.
I am pretty sure, GSM machines knows its BSSAP somehow, they doesn't heuristically dissector packet. Even if MTP/SCTP addresses are for them.
Sure, but the question was how Wireshark detects them.