This is our old Q&A Site. Please post any new questions and answers at

Hello everyone.

I've got some question(s) regarding the usage of Lua to unbundle SCTP multi-chunk packets and create custom one-line summaries for each chunk.

The Question(s)

1) Is it possible to use a Lua script to retrieve specific fields within the dissection tree?

I'm thinking of a Lua script because I've seen that it is passed a reference to the dissection tree in some methods.

2a) If no, what other solution do you suggest to navigate the dissection tree?

2b) If yes, should I use a listener, a dissector, a post-dissector, or what else?

For instance, I read on the Wireshark Lua documentation and elsewhere that the dissection tree may not be fully populated the first time a listener is notified.

3) What are the Lua methods to navigate the tree, check the field names, and retrieve their values?

I need to navigate the tree so that I can tell which SCTP chunk (i.e., subtree) a given field (e.g., tcap.tid) belongs to, and assign its value(s) in the one-line summary for that SCTP chunk.

In the rest of the post, I describe the situation I'm in and which led me to ask these questions.

The environment

I'm analyzing SS7 traffic over IP such that the protocol stack for each packet usually looks like this (bottom up):


Of course, not all captured packets feature the whole protocol stack listed above. Some of them are just SCTP control packets, while others feature payloads for (some of) the protocols on top of SCTP as well.

Most importantly, each packet usually features multiple SCTP chunks, so that there are multiple entries on top of SCTP (each one containing payload for some out of M3UA, SCCP, TCAP, GSM MAP, and GSM SMS) for most of the captured packets.

I am working with Tshark 1.8.2 compiled with Lua 5.1. This is the standard Tshark package in Ubuntu 12.10.

The Objective

As part of a project, I need to dissect this SS7 traffic and save to a file a one-line summary for each M3UA, SCCP, TCAP, GSM MAP, and GSM SMS packet with the values of selected fields in their payloads.

The one-line summaries should be tab-separated and contain entries for OPC and DPC, SSNs, TCAP TIDs, IMSIs, and a few other fields.

The Problem

Unfortunately, Wireshark/Tshark does not provide a one-line summary for each SCTP chunk in an SCTP multi-chunk packet.

Consequently, the M3UA, SCCP, TCAP, GSM MAP, and GSM SMS fields of different SCTP chunks in a packet get all listed together when one accesses them using the -T fields and -e options.

At first sight, this makes it impossible to match the values of these fields to the respective SCTP chunk.

A Partial Solution

I developed a partial solution to this problem by using some of the structure in the protocols to infer if a given chunk features a given field, and thus read it off the list of entries for that field returned by the Tshark-generated one-line summaries.

However, this method can get me only so far as it fails if there isn't a (simple) structure in the protocol. For instance, it's impossible to infer which chunk the TCAP transaction IDs belong to, because a chunk can feature one or two transaction IDs, which are both output with the tcap.tid field. Therefore, if I see a packet with two SCTP chunks and three values in tcap.tid, it's impossible to tell which one of the two chunks had two TCAP IDs.

An Alternative Solution

Given the shortcomings of the partial solution described above, I went back to the drawing board and tried to find another solution.

Then I noticed that there is a place where the SCTP chunks are unbundled: The Packet Details Pane. In the packet details, the field values are listed under their respective SCTP chunks. Therefore, by looking at the packet details I can tell which SCTP chunk the TCAP transaction IDs refer to.

I then considered parsing the output generated by Tshark with options -T text and -V (the packet details) to retrieve the required fields for each SCTP chunk and output my own one-line summary for each SCTP chunk.

However, this doesn't sound like good software engineering for several reasons:

  1. It's very time expensive for Tshark to output the packet details even if I use the -O protocols option to select which protocols (e.g., only M3UA, SCCP, TCAP, GSM MAP, and GSM SMS) to generate the details for; and
  2. The output packet details format could change anytime, thus breaking my parser.

With these remarks in mind, I then started looking into Lua scripts, which prompted me to ask the questions above.

Thank you in advance for your help.

asked 11 Apr '13, 08:36

tshark-user's gravatar image

accept rate: 0%

edited 12 Apr '13, 07:14


Short answers:

Re: 1) Yes

Re: 2) Use a tap

Re: 3) Field extractors in some cases as tables

Longer answer:

I've actually did very similar thing to what you've described there.

I've created in lua what was in fact an SCCP/RANAP/ALCAP analyzer that would track UMTS/GSM events calls, SMS'es, PS sessions etc and then rather than printing it out as you are thinking about doing I used luasql and dumped transactions to a database with a little web interface which allowed me to do loads of statistical analysis.

It is was a bit tricky as you basically need to do session tracking ending etc but nonetheless doable.

The problem you've described with multiple tcap.tids is very common

How to get multiple values from items

Multiple instances of a protocol in one frame

Best advise I could give you is to study lua examples on this website.

I'd especially recommend reading answers posted by helloworld his code examples were great help although not directly related to the problem I was trying to solve.

Have fun

permanent link

answered 23 Apr '13, 00:59

izopizo's gravatar image

accept rate: 0%

Thank you for your answer, izopizo. I'll look into the links you provided.

What are the field extractors you're referring to? The all_field_infos() method seems to return all fields, while the selects a specific field. However, none of the them seems to support navigation of the dissection tree.

I would like to be able to navigate the dissection tree just like you can navigate an XML document, so as to read and process fields knowing their relative position in the tree. Among other things, this would enable me to tell between TCAP transaction IDs of different chunks in the same multi-chunk SCTP packet, or distinguish whether an MSISDN in a GSM MAP operation is the device phone number or the network element (say HLR).

Are there any methods in the Lua API that I can use to navigate the dissection tree (starting from the root)?

In the meantime since I asked the question, I developed a solution to my problem using an existing Perl script (also mentioned in this question ) to split multi-chunk SCTP packets into multiple packets, and then process the output of -T fields with my own Python script to reconstruct the TCAP transactions.

If there are indeed methods to navigate the dissection tree in Lua, I'd be glad to port my Python script for TCAP transaction reconstruction to Lua and make it available to the Wireshark community.

Thank you again for your help.

(23 Apr '13, 14:23) tshark-user
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 11 Apr '13, 08:36

question was seen: 5,039 times

last updated: 23 Apr '13, 14:23

p​o​w​e​r​e​d by O​S​Q​A