Hi, I'm new to Wireshark, but I have a Windows host with Wireshark running, and on this host a customised application is sending data to another host on port 5000. I can filter the data and use Follow TCP Stream fine and see the application's network data. However, the frames are displayed as [Malformed Packet: GSM over IP]. I assume that Wireshark is inspecting the frame data and thinks that the data inside is GSM over IP formatted data while it isn't. Any way to 'disable' this misleading matching to GSM over IP? Any help would be greatly appreciated!

Bernd

asked 31 Jan '11, 04:07 BerndN
2 Answers:
Go to the menu Analyze|Protocols. This opens a dialog with all protocol dissectors. Look for 'GSM over IP' and remove the check mark. Click Apply to see what happens.

answered 31 Jan '11, 04:32 Jaap ♦

Thanks Jaap. Doing this changed it and all looks fine after it. Are those messages/frames/packets now hidden or have they just changed to 'unnamed' data frames/packets? (31 Jan '11, 04:48) BerndN

No, the Wireshark 'GSM over IP' dissector just isn't called any more. It now depends on the other dissectors what happens. (31 Jan '11, 12:44) Jaap ♦

Worked for me (13 Nov '14, 07:56) 4m1r

Edit->Preferences->Protocols->GSM over IP: change the TCP/UDP ports to 0 or disable the protocol.

answered 31 Jan '11, 04:31 Anders ♦

I see these protocols:
GSM SMS GSM SMS UD GSM Um GSM_MAP
Windows Version 1.4.3 from Wireshark. So thanks for the tip. Somehow I had thought the same before, but because I could not find it easily I was confused and thought it better to post this here ;)
Just one more question regarding those frames/packets. I have done some binary editing of old files in Windows. I had files which had a length value after the initial header so that the opening program knew how long the file had to be. But most files had different structures/data structures. I assume that with network packets a lot also depends on the application creating them. The packets which have been identified by the dissector GSM over IP seem to assume that it finds a checksum at offset 0xnn and that this checksum value should be nnnn instead of 00 00. My understanding is that the header seems similar to a GSM over IP packet but it is not a GSM over IP structure. So to permanently fix it I should write my own, custom dissector?
Thanks for reading and trying to help!
Bernd
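
A minimal Lua dissector of the kind the last post asks about, as an added example that is not part of the original thread. The protocol name `myapp` and the header layout (2-byte magic followed by a 2-byte big-endian payload length) are hypothetical, since the thread does not describe the application's format, and `dissect_tcp_pdus` assumes a current Wireshark release rather than 1.4.3.

```lua
-- myapp.lua: added example; protocol name and field layout are hypothetical.
local myapp = Proto("myapp", "Custom Application Protocol (hypothetical)")

-- Assumed layout: 2-byte magic, 2-byte big-endian payload length, payload.
local f_magic   = ProtoField.uint16("myapp.magic",   "Magic",          base.HEX)
local f_length  = ProtoField.uint16("myapp.length",  "Payload length", base.DEC)
local f_payload = ProtoField.bytes ("myapp.payload", "Payload")
myapp.fields = { f_magic, f_length, f_payload }

local HEADER_LEN = 4

-- Called by dissect_tcp_pdus once HEADER_LEN bytes are available;
-- returns the full length of the message that starts at 'offset'.
local function get_pdu_len(tvb, pinfo, offset)
    return HEADER_LEN + tvb(offset + 2, 2):uint()
end

-- Called once per complete message, after TCP reassembly.
local function dissect_pdu(tvb, pinfo, tree)
    pinfo.cols.protocol = "MYAPP"
    local subtree = tree:add(myapp, tvb())
    subtree:add(f_magic,  tvb(0, 2))
    subtree:add(f_length, tvb(2, 2))
    if tvb:len() > HEADER_LEN then
        subtree:add(f_payload, tvb(HEADER_LEN))
    end
    return tvb:len()
end

function myapp.dissector(tvb, pinfo, tree)
    -- Messages may span several TCP segments or share one segment;
    -- let Wireshark split the stream using the length field.
    dissect_tcp_pdus(tvb, tree, HEADER_LEN, get_pdu_len, dissect_pdu)
end

-- Port 5000 is the port named in the question.
DissectorTable.get("tcp.port"):add(5000, myapp)
```

Load it with `-X lua_script:myapp.lua` on the command line or place it in the personal plugins folder; fields then become filterable as `myapp.length` and so on.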