I'm looking for a way to read ICCP/TASE.2 packets. I've seen anecdotal evidence that Wireshark supports this protocol, but can't find anything concrete from Wireshark's documentation or Q&A.

When I view pcaps with ICCP packets through Wireshark, they're displayed down to the MMS protocol, which is shown full of various errors (primarily "BER Error: Wrong field in SEQUENCE"). We've tried Wireshark versions up to 1.8.3, but the release notes for later versions don't indicate the addition of ICCP/TASE.2 support.

We are investigating the possibility of writing a custom ICCP dissector, but this has a number of problems, primarily that we don't have a C++ programmer or anyone with experience dissecting protocols.

Is there an ICCP/TASE.2 dissector, either built-in or as a plugin, available for Wireshark? If not, what other tools are available to read ICCP/TASE.2 packets?

asked 28 Mar '13, 11:30 alisha
One Answer:
From what I have seen myself in the TASE.2 specification, TASE.2 is just a way to use MMS. There's a mapping to the MMS data model and no extra layer is added (from a networking point of view).

MF

answered 15 Apr '13, 10:16 splinux
@splinux It's not that simple, unfortunately. TASE.2 packets show up as malformed MMS packets when we try to view them (usually the BER error I mentioned in the question). So whatever TASE.2 is doing, Wireshark can't dissect it correctly, and we can't see the contents of the packet.
Then there might be a bug in the MMS dissector, or the ASN.1 specification it implements might not include all the stuff used by TASE.2. Please file a bug on this at the Wireshark Bugzilla, and include, if possible, a sample packet capture that demonstrates the problem.
@alisha Can you upload your traces somewhere like pcapr(DOT)net/home besides Bugzilla?
@splinux I'll find out, but I know we're very restricted on where and how we can share our pcaps, so it might not be possible. I'm going to see if I can scrub the IP addresses & other identifying data, and maybe upload then.
Marking this as the answer since it's the closest we can get without being able to upload our data files. I'll file a bug report as suggested and see where it goes.