This is our old Q&A Site. Please post any new questions and answers at


We have two frames we're looking at in Wireshark. Both have NAS with security header "Integrity Protected and ciphered". In one of them, the rest is decoded as "ciphered message" and in the other one we can see the plain NAS header and the rest of the NAS message. Our question is: How can Wireshark determine how to decode86 the message right after the first security header (looks like it knows somehow if the rest is really ciphered or it's decodable) Thanks, Diana and Rotem

asked 13 Jun '13, 06:16

Dianalab9's gravatar image

accept rate: 0%

There is a basic heuristic: if the first byte following the security header / MAC / sequence number bytes (the one that contains the protocol discriminator / security header) seems to match the beginning of a EMM, ESM or Test Procedure message, then Wireshark attempts to dissect the message.

The idea is to try to differentiate a message with integrity only from a message with integrity + non null ciphering applied.

Of course like every heuristic it has some weaknesses; it could try to dissect a ciphered message.

permanent link

answered 13 Jun '13, 08:49

Pascal%20Quantin's gravatar image

Pascal Quantin
accept rate: 30%

Thanks! that's helps us a lot.

(16 Jun '13, 04:24) Dianalab9
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 13 Jun '13, 06:16

question was seen: 3,772 times

last updated: 16 Jun '13, 10:11

p​o​w​e​r​e​d by O​S​Q​A