This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to find encoded value in packet?

0

Hi,

In the following image, the selected field shows '(0)' in front of the field name. I have tried hard to understand where it came from, but I am not able to find where this 0 is encoded. Is there any way to find it out? It's the gsm_map protocol, and it's the response to an ATI message.

Kindly note that the image is tampered with intentionally to hide information.

asked 04 Oct '13, 01:10

pranitkothari


One Answer:

2

GSM MAP uses ASN.1's BER encoding. Try turning on the "Show internal BER encapsulation tokens" option for the BER protocol (in Edit -> Preferences; open up the Protocols list and select BER) and selecting the "subscriberState" field, and it'll show you where the value of 0 is encoded, using BER, for that field.

answered 04 Oct '13, 02:04

Guy Harris ♦♦

Your answer really helped me. Just wanted to understand what it means that 'GSM MAP uses ASN.1's BER encoding'; secondly, how to find which encoding a protocol uses internally?

(04 Oct '13, 04:11) pranitkothari

See the two links for "ASN.1" and "BER" for a discussion of ASN.1 ("Abstract Syntax Notation 1") and BER (Basic Encoding Rules).

You'd have to find a description of a particular protocol to find what encoding it uses, although turning on the "Show internal BER encapsulation tokens" option will indicate whether a protocol uses ASN.1 BER (or DER, "Distinguished Encoding Rules", or CER, "Canonical Encoding Rules", which are subsets of BER).

(04 Oct '13, 11:14) Guy Harris ♦♦

@Guy Harris: Thank you very much. It really helped.

(08 Oct '13, 06:31) pranitkothari
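To make the BER tag-length-value layout discussed in the answer concrete, here is an added example (not part of the original thread and not Wireshark code) that walks a BER byte string and reports the offset of every identifier, length and content octet. The sample bytes are constructed for illustration, not taken from the capture in the question; they show that a displayed 0 can be the tag number inside an identifier octet (`80`) as well as a content octet (`0a 01 00`).

```python
# Added example: minimal BER TLV walker (definite lengths only).
CLASSES = ("universal", "application", "context", "private")

def read_tlv(buf, pos):
    """Parse one TLV starting at buf[pos]; return its parts and offsets."""
    start = pos
    try:
        first = buf[pos]; pos += 1
        tag = first & 0x1F
        if tag == 0x1F:                   # high-tag-number form, base-128 digits
            tag = 0
            while True:
                b = buf[pos]; pos += 1
                tag = (tag << 7) | (b & 0x7F)
                if not b & 0x80:
                    break
        length = buf[pos]; pos += 1
        if length == 0x80:
            raise ValueError("indefinite length not handled in this example")
        if length & 0x80:                 # long form: next n octets hold the length
            n = length & 0x7F
            if pos + n > len(buf):
                raise IndexError
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
    except IndexError:
        raise ValueError("truncated identifier or length octets") from None
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return {"offset": start, "class": CLASSES[first >> 6],
            "constructed": bool(first & 0x20), "tag": tag,
            "value_offset": pos, "length": length}

def walk(buf, pos=0, end=None, depth=0):
    """Return a flat, in-order list of TLVs, descending into constructed ones."""
    end = len(buf) if end is None else end
    out = []
    while pos < end:
        t = dict(read_tlv(buf[:end], pos), depth=depth)
        out.append(t)
        if t["constructed"]:
            out += walk(buf, t["value_offset"], t["value_offset"] + t["length"], depth + 1)
        pos = t["value_offset"] + t["length"]
    return out

# Constructed sample: SEQUENCE { [1] { [0] (empty) }, ENUMERATED 0 }
SAMPLE = bytes.fromhex("30 07 a1 02 80 00 0a 01 00")

if __name__ == "__main__":
    for t in walk(SAMPLE):
        print("  " * t["depth"], t)
```
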