Hi all, I'm trying, for security reasons, to obfuscate some fields of a pcap file (even if the CRC will not be valid). The main approach is described here.
tshark -nr myexample.pcap -T fields -e frame.number -e frame.len -e gsm_map.ss.msisdn
1 138
2 218 917267415827f2
3 138
4 138
Using this command, I know that the second frame, len 218 bytes, has an msisdn which must be obfuscated. The "search and modify" will find 917267415827f2 and replace it with 91726741582XXX between byte 139 and byte 139+218 of the pcap file.
Now, if I execute
tshark -nr myexample.pcap -R frame.number==2 -2 -T pdml > output.xml
output.xml:
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="pdml2html.xsl"?>
<!-- You can find pdml2html.xsl in c:\Programmi\Wireshark or at http://anonsvn.wireshark.org/trunk/wireshark/pdml2html.xsl. -->
<pdml version="0" creator="wireshark/1.10.2" time="Tue Oct 01 21:46:52 2013" capture_file="C:\test\gsm_map_with_ussd_string.pcap">
<packet>
<proto name="geninfo" pos="0" showname="General information" size="218">
</proto>
<proto name="frame" showname="Frame 1: 218 bytes on wire (1744 bits), 218 bytes captured (1744 bits)" size="218" pos="0">
</proto>
<proto name="eth" showname="Ethernet II, Src: 01:01:01:01:01:01 (01:01:01:01:01:01), Dst: 02:02:02:02:02:02 (02:02:02:02:02:02)" size="14" pos="0">
</proto>
<proto name="ip" showname="Internet Protocol Version 4, Src: 1.1.1.1 (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)" size="20" pos="14">
</proto>
<proto name="sctp" showname="Stream Control Transmission Protocol, Src Port: 2904 (2904), Dst Port: 2904 (2904)" size="28" pos="34">
</proto>
<proto name="m2ua" showname="MTP 2 User Adaptation Layer" size="156" pos="62">
</proto>
<proto name="mtp3" showname="Message Transfer Part Level 3" size="5" pos="74">
</proto>
<proto name="sccp" showname="Signalling Connection Control Part" size="137" pos="79">
</proto>
<proto name="tcap" showname="Transaction Capabilities Application Part" size="108" pos="108">
</proto>
<proto name="gsm_map" showname="GSM Mobile Application" size="38" pos="178">
</proto>
</packet>
</pdml>
We can note that "GSM Mobile Application", which contains the msisdn, starts at byte 178 and the size is 38 bytes. This means that the "search and modify" inside the frame can be done between 139+178 and 139+178+38 bytes.
Now the question: just using tshark, is there a way, maybe using the -e filter, to get the pos and size of the protocol "GSM Mobile Application"?
Thanks, Riccardo
asked 01 Oct '13, 13:05
Ric79
edited 02 Oct '13, 02:05
grahamb
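A worked version of the offset arithmetic in the question, added here as an example and not part of the original post or of Wireshark: it reads the gsm_map pos/size out of a PDML document, walks the pcap record headers to find where frame 2's data starts (instead of assuming the fixed 139-byte offset), and overwrites the BCD MSISDN bytes inside that protocol window only. The pcap and PDML inputs are constructed, and masking the trailing digits with 0xf filler nibbles is an assumption.

```python
import struct
import xml.etree.ElementTree as ET

GLOBAL_HDR = 24   # classic libpcap file header
REC_HDR = 16      # ts_sec, ts_usec, incl_len, orig_len
def _endian(pcap: bytes) -> str:
    return "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic on disk decides byte order

def frame_offsets(pcap: bytes) -> list:
    """(file offset of packet data, incl_len) per record; index + 1 == frame.number."""
    e, pos, out = _endian(pcap), GLOBAL_HDR, []
    while pos + REC_HDR <= len(pcap):
        incl_len = struct.unpack_from(e + "I", pcap, pos + 8)[0]
        out.append((pos + REC_HDR, incl_len))
        pos += REC_HDR + incl_len
    return out

def proto_region(pdml: str, proto: str) -> tuple:
    """pos/size attributes of a <proto> in a single-packet PDML document (tshark -T pdml)."""
    node = ET.fromstring(pdml).find(f"./packet/proto[@name='{proto}']")
    if node is None:
        raise ValueError(f"no <proto name={proto!r}> in PDML")
    return int(node.get("pos")), int(node.get("size"))

def mask_field(pcap: bytes, frame_no: int, region: tuple, needle: bytes, repl: bytes) -> bytes:
    """Replace needle with a same-length repl, searching only the protocol window of frame_no."""
    if len(needle) != len(repl):
        raise ValueError("replacement must keep the frame length")
    data_off, incl_len = frame_offsets(pcap)[frame_no - 1]
    pos, size = region
    if pos + size > incl_len:
        raise ValueError("protocol region lies outside the captured bytes")
    idx = pcap.find(needle, data_off + pos, data_off + pos + size)   # match must fit in the window
    if idx < 0:
        raise ValueError("needle not found inside the protocol window")
    return pcap[:idx] + repl + pcap[idx + len(needle):]

def build_pcap(frames: list) -> bytes:
    """Constructed little-endian pcap with zero timestamps, one record per frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# constructed sample: frame 1 is filler, frame 2 carries a fake gsm_map window at pos 8, size 12
MSISDN = bytes.fromhex("917267415827f2")            # BCD value quoted in the question
MASKED_MSISDN = bytes.fromhex("91726741ffffff")     # assumed masking: trailing digits -> 0xf filler
FRAMES = [b"\x00" * 10, b"\xaa" * 8 + b"\x04\x07" + MSISDN + b"\x00" * 3]
SAMPLE_PCAP = build_pcap(FRAMES)
PDML = ('<pdml version="0"><packet><proto name="frame" pos="0" size="20"/>'
        '<proto name="gsm_map" showname="GSM Mobile Application" pos="8" size="12"/></packet></pdml>')
MASKED = mask_field(SAMPLE_PCAP, 2, proto_region(PDML, "gsm_map"), MSISDN, MASKED_MSISDN)
```

With a real capture, feed `tshark -r file.pcap -R frame.number==N -2 -T pdml` output to `proto_region` and the file bytes to `mask_field`; the frame length is unchanged, so only the CRC the question already accepts as invalid is affected.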