This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissector for ICCP/TASE.2

0

I'm looking for a way to read ICCP/TASE.2 packets. I've seen anecdotal evidence that Wireshark supports this protocol, but can't find anything concrete from Wireshark's documentation or Q&A.

When I view pcaps with ICCP packets through Wireshark, they're displayed down to the MMS protocol, which is shown full of various errors (primarily "BER Error: Wrong field in SEQUENCE"). We've tried Wireshark versions up to 1.8.3, but the release notes for later versions don't indicate the addition of ICCP/TASE.2 support.

We are investigating the possibility of writing a custom ICCP dissector, but this has a number of problems, primarily that we don't have a C++ programmer or anyone with experience dissecting protocols.

Is there an ICCP/TASE.2 dissector, either built-in or as a plugin, available for Wireshark? If not, what other tools are available to read ICCP/TASE.2 packets?

asked 28 Mar '13, 11:30

alisha


One Answer:

0

From what I have seen myself in the TASE.2 specification, TASE.2 is just a way to use MMS. There's a mapping to the MMS data model and no extra layer is added (from a networking point of view).

MF

answered 15 Apr '13, 10:16

splinux

@splinux It's not that simple, unfortunately. TASE.2 packets show up as malformed MMS packets when we try to view them (usually the BER error I mentioned in the question). So whatever TASE.2 is doing, Wireshark can't dissect it correctly, and we can't see the contents of the packet.

(15 Apr '13, 10:21) alisha

Then there might be a bug in the MMS dissector, or the ASN.1 specification it implements might not include all the stuff used by TASE.2. Please file a bug on this at the Wireshark Bugzilla, and include, if possible, a sample packet capture that demonstrates the problem.

(15 Apr '13, 15:11) Guy Harris ♦♦

@alisha, can you upload your traces somewhere like pcapr(DOT)net/home besides Bugzilla?

(16 Apr '13, 01:41) splinux

@splinux I'll find out, but I know we're very restricted on where and how we can share our pcaps, so it might not be possible. I'm going to see if I can scrub the IP addresses & other identifying data, and maybe upload then.

(16 Apr '13, 08:19) alisha

Marking this as the answer since it's the closest we can get without being able to upload our data files. I'll file a bug report as suggested and see where it goes.

(22 May '13, 15:22) alisha