This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all, I'm trying, for security reasons, to obfuscate some fields of a pcap file (even if CRC will not be valid) The main approach is described here.

tshark -nr myexample.pcap -T fields -e frame.number -e frame.len -e gsm_map.ss.msisdn
1 138 
2 218 917267415827f2
3 138 
4 138

Using this command, I know that the second frame, len 218 bytes, has a msisdn which must be obfuscated. The "search and modify" will find 917267415827f2 and replace with 91726741582XXX between 139 and 139+218 bytes of pcap files

Now, if I execute

tshark -nr myexample.pcap -R frame.number==2 -2 -T pdml > output.xml


output.xml

<code> <?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="pdml2html.xsl"?> <!-- You can find pdml2html.xsl in c:\Programmi\Wireshark or at http://anonsvn.wireshark.org/trunk/wireshark/pdml2html.xsl. --> <pdml version="0" creator="wireshark/1.10.2" time="Tue Oct 01 21:46:52 2013" capture_file="C:\test\gsm_map_with_ussd_string.pcap"> <packet> <proto name="geninfo" pos="0" showname="General information" size="218"> </proto> <proto name="frame" showname="Frame 1: 218 bytes on wire (1744 bits), 218 bytes captured (1744 bits)" size="218" pos="0"> </proto> <proto name="eth" showname="Ethernet II, Src: 01:01:01:01:01:01 (01:01:01:01:01:01), Dst: 02:02:02:02:02:02 (02:02:02:02:02:02)" size="14" pos="0"> </proto> <proto name="ip" showname="Internet Protocol Version 4, Src: 1.1.1.1 (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)" size="20" pos="14"> </proto> <proto name="sctp" showname="Stream Control Transmission Protocol, Src Port: 2904 (2904), Dst Port: 2904 (2904)" size="28" pos="34"> </proto> <proto name="m2ua" showname="MTP 2 User Adaptation Layer" size="156" pos="62"> </proto> <proto name="mtp3" showname="Message Transfer Part Level 3" size="5" pos="74"> </proto> <proto name="sccp" showname="Signalling Connection Control Part" size="137" pos="79"> </proto> <proto name="tcap" showname="Transaction Capabilities Application Part" size="108" pos="108"> </proto>

<proto name="gsm_map" showname="GSM Mobile Application" size="38" pos="178">

</proto> </packet> </pdml>

we can note that "GSM Mobile Application", which contains the msisdn, start at byte 178 and the size is 38 byte This means, that the "search and modify" inside the frame can be done between 139+178 and 139+178+38 bytes.

Now the question: Just using tshark, is there a way, maybe using filter -e, to get pos and size of protocol "GSM Mobile Application"?

Thanks, Riccardo

asked 01 Oct '13, 13:05

Ric79's gravatar image

Ric79
31449
accept rate: 0%

edited 02 Oct '13, 02:05

grahamb's gravatar image

grahamb ♦
19.8k330206


Just using tshark, is there a way, maybe using filter -e, to get pos and size of protocol "GSM Mobile Application"?

Only by changing the code of tshark.

Regards
Kurt

permanent link

answered 02 Oct '13, 00:37

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×238
×1

question asked: 01 Oct '13, 13:05

question was seen: 3,091 times

last updated: 02 Oct '13, 02:05

p​o​w​e​r​e​d by O​S​Q​A