Hi, I noticed this question as "problem with tcp/ip decoding", but maybe the dog is buried elsewhere. I have streams with asterix radar data. For reading I am using Wireshark 1.0.7 with the built-in asterix plugin. The decoding gives nothing readable. I have testing streams and the asterix plugin works perfectly for them. What I noticed is that in my streams Wireshark properly recognizes the TCP and IP header lengths as 20 bytes, but the corresponding numbers in the header are wrong:

The data block starts with the right byte number but asterix cannot recognize that. If somebody has an idea, please help me manage this. P.S. If some more information is needed, I'm ready to give it.

This question is marked "community wiki". asked 05 Apr '13, 04:38 furna; edited 05 Apr '13, 05:48 JeffMorriss
One Answer:
I cannot find any asterix plugin (radar data format) in the standard Wireshark distribution, so I guess that plugin is something proprietary. If that is the case, it is best to ask the developer of that plugin for help. There are sites with information about that plugin:

But again, that plugin is not part of the standard Wireshark distribution and any problem with the protocol dissection should be sent to the developers of that plugin.

Regards

answered 05 Apr '13, 04:54 Kurt Knochner; edited 05 Apr '13, 04:54
Thanks for the answer. Of course I'll try there as well. The French plugin is exactly what I'm using. But could you comment on the difference between the header lengths? The bolded numbers are the corresponding bytes for the IP (0x45) and TCP (0x50) header lengths. But in the Packet Detail Pane these lengths are properly recognized as 20 bytes. Is this a problem or is everything alright?
Yes, it's alright: the length is a multiple of 32-bit words (see http://en.wikipedia.org/wiki/Ipv4 and http://en.wikipedia.org/wiki/Transmission_Control_Protocol). According to the captures provided with this customized Wireshark 1.0.7 portable version, the plugin is designed to run on top of 802.3 and not TCP/IP. It does not seem to offer the ability to decode the TCP data payload as asterix.
Thank you!!!!
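
The header-length arithmetic from the comments above, as an added example that is not part of the original thread: it decodes the 0x45 and 0x50 bytes into byte lengths and uses them to find where the TCP payload starts. The sample packet, its addresses, ports and payload bytes are constructed for illustration.

```python
import struct

def ipv4_header_len(first_byte: int) -> int:
    """First IPv4 byte: high nibble = version, low nibble = IHL in 32-bit words."""
    version, ihl = first_byte >> 4, first_byte & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} is below the 5-word minimum")
    return ihl * 4  # 0x45 -> 5 words -> 20 bytes

def tcp_header_len(offset_byte: int) -> int:
    """TCP byte 12: high nibble = data offset in 32-bit words."""
    words = offset_byte >> 4
    if words < 5:
        raise ValueError(f"data offset {words} is below the 5-word minimum")
    return words * 4  # 0x50 -> 5 words -> 20 bytes

def tcp_payload(packet: bytes) -> bytes:
    """Return the TCP payload of a raw IPv4 packet (link-layer header already removed)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ip_len = ipv4_header_len(packet[0])
    total_len = struct.unpack_from("!H", packet, 2)[0]  # IPv4 Total Length field
    if packet[9] != 6:
        raise ValueError("IP protocol is not TCP")
    if total_len > len(packet) or ip_len + 20 > total_len:
        raise ValueError("truncated packet")
    start = ip_len + tcp_header_len(packet[ip_len + 12])
    if start > total_len:
        raise ValueError("TCP header runs past the end of the packet")
    return packet[start:total_len]

# Constructed sample: addresses, ports and payload are made up; checksums are left at 0.
PAYLOAD = bytes.fromhex("deadbeef01")
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(PAYLOAD), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH", 5000, 6000, 0, 0, 0x50, 0x18, 1024, 0, 0)
SAMPLE = IP_HDR + TCP_HDR + PAYLOAD

if __name__ == "__main__":
    print(ipv4_header_len(SAMPLE[0]), tcp_header_len(SAMPLE[32]), tcp_payload(SAMPLE).hex())
```

A header with options changes only the nibble: 0x46 gives a 24-byte IP header and 0x80 a 32-byte TCP header, which shifts the payload start accordingly.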