In Wireshark (Windows), the same approach works in the GUI under Preferences > Protocols > User DLTs...
How can I add multiple uat:user_dlts?
The order of the USR_DLT definitions is important. In the GUI you can move definitions with the UP/DOWN buttons. The first definition that matches will be used. So, if I first define DLT=162 in the GUI as MTP3, the frame gets fully dissected. If I first define DLT=162 as PCAP, there is an error, which is to be expected, as the file does not contain the right structure.
The same is true for tshark. The order of the -o options is important. If you reverse the order in your example (first mtp3, then pcap), the MTP3 data in the file will be dissected as MTP3. However, it does not make sense to define the same USR_DLT twice in tshark, as only the first matching USR_DLT will be used.
In the GUI however, it might make sense, as the definitions can be prepared in advance. Then, if you need a different definition, you move up the one you need, until it is the first definition.
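Example: mtp3 first (although the second definition does not make sense - see above). The six quoted fields of each uat:user_dlts entry are the DLT, the payload protocol, the header size, the header protocol, the trailer size and the trailer protocol; here a 12-byte header is skipped before the MTP3 payload.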
tshark -nr usr_dlt.pcap -o "uat:user_dlts:\"User 15 (DLT=162)\",\"mtp3\",\"12\",\"\",\"0\",\"\"" -o "uat:user_dlts:\"User 15 (DLT=162)\",\"pcap\",\"0\",\"\",\"0\",\"\"" -T pdml
Output:
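<pdml version="0" creator="wireshark/1.10.2" time="Fri Oct 11 14:07:00 2013" capture_file="usr_dlt.pcap">
  <!-- tshark PDML output for frame 1 of usr_dlt.pcap. Repaired from the page extraction:
       attribute values that were wrapped across lines or split into two attributes are
       rejoined, and the bit-mask dots in showname values are restored.
       Layering visible below: user_dlt (DLT 162), then the first 12 bytes shown as plain
       data (pos 0), then mtp3 at pos 12, sccp at pos 17 and ranap at pos 24. -->
  <packet>
    <proto name="geninfo" pos="0" showname="General information" size="44">
      <field name="num" pos="0" show="1" showname="Number" value="1" size="44"/>
      <field name="len" pos="0" show="44" showname="Frame Length" value="2c" size="44"/>
      <field name="caplen" pos="0" show="44" showname="Captured Length" value="2c" size="44"/>
      <field name="timestamp" pos="0" show="Oct 10, 2013 12:22:15.907100000 Westeuropäische Sommerzeit" showname="Captured Time" value="1381400535.907100000" size="44"/>
    </proto>
    <proto name="frame" showname="Frame 1: 44 bytes on wire (352 bits), 44 bytes captured (352 bits)" size="44" pos="0">
      <field name="frame.encap_type" showname="Encapsulation type: USER 15 (60)" size="0" pos="0" show="60"/>
      <field name="frame.time" showname="Arrival Time: Oct 10, 2013 12:22:15.907100000 Westeurop\xc3\xa4ische Sommerzeit" size="0" pos="0" show="Oct 10, 2013 12:22:15.907100000"/>
      <field name="frame.offset_shift" showname="Time shift for this packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
      <field name="frame.time_epoch" showname="Epoch Time: 1381400535.907100000 seconds" size="0" pos="0" show="1381400535.907100000"/>
      <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
      <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
      <field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
      <field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
      <field name="frame.len" showname="Frame Length: 44 bytes (352 bits)" size="0" pos="0" show="44"/>
      <field name="frame.cap_len" showname="Capture Length: 44 bytes (352 bits)" size="0" pos="0" show="44"/>
      <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
      <field name="frame.ignored" showname="Frame is ignored: False" size="0" pos="0" show="0"/>
      <field name="frame.protocols" showname="Protocols in frame: user_dlt:data:mtp3:sccp:ranap" size="0" pos="0" show="user_dlt:data:mtp3:sccp:ranap"/>
    </proto>
    <proto name="user_dlt" showname="DLT: 162, Payload: mtp3 (Message Transfer Part Level 3)" size="44" pos="0"/>
    <!-- The 12 bytes below are reported as generic data, not dissected. -->
    <proto name="fake-field-wrapper">
      <field name="data" value="000100046d74703300020020">
        <field name="data.data" showname="Data: 000100046d74703300020020" size="12" pos="0" show="00:01:00:04:6d:74:70:33:00:02:00:20" value="000100046d74703300020020"/>
        <field name="data.len" showname="Length: 12" size="0" pos="0" show="12"/>
      </field>
    </proto>
    <proto name="mtp3" showname="Message Transfer Part Level 3" size="5" pos="12">
      <field name="" show="Service information octet" size="1" pos="12" value="c3">
        <field name="mtp3.network_indicator" showname="11.. .... = Network indicator: Reserved for national use (0x03)" size="1" pos="12" show="0x03" value="3" unmaskedvalue="c3"/>
        <field name="mtp3.spare" showname="..00 .... = Spare: 0x00" size="1" pos="12" show="0x00" value="0" unmaskedvalue="c3"/>
        <field name="mtp3.service_indicator" showname=".... 0011 = Service indicator: SCCP (0x03)" size="1" pos="12" show="0x03" value="3" unmaskedvalue="c3"/>
      </field>
      <field name="" show="Routing label" size="4" pos="13" value="319e7b31">
        <field name="mtp3.pc" showname="PC: 1518" hide="yes" size="4" pos="13" show="1518" value="319e7b31"/>
        <field name="mtp3.pc" showname="PC: 7729" hide="yes" size="4" pos="13" show="7729" value="319e7b31"/>
        <field name="mtp3.dpc" showname=".... .... .... .... ..01 1110 0011 0001 = DPC: 7729" size="4" pos="13" show="7729" value="1E31" unmaskedvalue="319e7b31"/>
        <field name="mtp3.opc" showname=".... 0001 0111 1011 10.. .... .... .... = OPC: 1518" size="4" pos="13" show="1518" value="5EE" unmaskedvalue="319e7b31"/>
        <field name="mtp3.sls" showname="0011 .... .... .... .... .... .... .... = Signalling Link Selector: 3" size="4" pos="13" show="3" value="3" unmaskedvalue="319e7b31"/>
      </field>
    </proto>
    <proto name="sccp" showname="Signalling Connection Control Part" size="27" pos="17">
      <field name="sccp.message_type" showname="Message Type: Data Form 1 (0x06)" size="1" pos="17" show="0x06" value="06"/>
      <field name="sccp.dlr" showname="Destination Local Reference: 0x6f5a00" size="3" pos="18" show="0x6f5a00" value="005a6f"/>
      <field name="sccp.lr" showname="Local Reference: 0x6f5a00" hide="yes" size="3" pos="18" show="0x6f5a00" value="005a6f"/>
      <field name="sccp.more" showname=".... ...0 = More data: No more data (0x00)" size="1" pos="21" show="0x00" value="0" unmaskedvalue="00"/>
      <field name="sccp.variable_pointer1" showname="Pointer to first Mandatory Variable parameter: 1" size="1" pos="22" show="1" value="01"/>
    </proto>
    <proto name="ranap" showname="Radio Access Network Application Part" size="20" pos="24">
      <field name="per.extension_bit" showname="0... .... Extension Bit: False" hide="yes" size="1" pos="24" show="0" value="0" unmaskedvalue="00"/>
      <field name="per.choice_index" showname="Choice Index: 0" hide="yes" size="1" pos="24" show="0" value="00"/>
      <field name="ranap.RANAP_PDU" showname="RANAP-PDU: initiatingMessage (0)" size="20" pos="24" show="0" value="000f4010000001001740095022020000000000f0">
        <field name="ranap.initiatingMessage" showname="initiatingMessage" size="20" pos="24" show="" value="">
          <field name="ranap.procedureCode" showname="procedureCode: id-CommonID (15)" size="1" pos="25" show="15" value="0f"/>
          <field name="per.enum_index" showname="Enumerated Index: 1" hide="yes" size="1" pos="26" show="1" value="40"/>
          <field name="ranap.criticality" showname="criticality: ignore (1)" size="1" pos="26" show="1" value="40"/>
          <field name="per.open_type_length" showname="Open Type Length: 16" hide="yes" size="1" pos="27" show="16" value="10"/>
          <field name="ranap.value" showname="value" size="16" pos="28" show="" value="">
            <field name="ranap.CommonID" showname="CommonID" size="16" pos="28" show="" value="">
              <field name="per.extension_bit" showname="0... .... Extension Bit: False" hide="yes" size="1" pos="28" show="0" value="0" unmaskedvalue="00"/>
              <field name="per.optional_field_bit" showname=".0.. .... Optional Field Bit: False (protocolExtensions is NOT present)" hide="yes" size="1" pos="28" show="0" value="0" unmaskedvalue="00"/>
              <field name="per.sequence_of_length" showname="Sequence-Of Length: 1" hide="yes" size="2" pos="29" show="1" value="0001"/>
              <field name="ranap.protocolIEs" showname="protocolIEs: 1 item" size="13" pos="31" show="1" value="001740095022020000000000f0">
                <field name="" show="Item 0: id-PermanentNAS-UE-ID" size="13" pos="31" value="001740095022020000000000f0">
                  <field name="ranap.ProtocolIE_Field" showname="ProtocolIE-Field" size="13" pos="31" show="" value="">
                    <field name="ranap.id" showname="id: id-PermanentNAS-UE-ID (23)" size="2" pos="31" show="23" value="0017"/>
                    <field name="per.enum_index" showname="Enumerated Index: 1" hide="yes" size="1" pos="33" show="1" value="40"/>
                    <field name="ranap.criticality" showname="criticality: ignore (1)" size="1" pos="33" show="1" value="40"/>
                    <field name="per.open_type_length" showname="Open Type Length: 9" hide="yes" size="1" pos="34" show="9" value="09"/>
                    <field name="ranap.value" showname="value" size="9" pos="35" show="" value="">
                      <field name="per.extension_bit" showname="0... .... Extension Bit: False" hide="yes" size="1" pos="35" show="0" value="0" unmaskedvalue="50"/>
                      <field name="ranap.PermanentNAS_UE_ID" showname="PermanentNAS-UE-ID: iMSI (0)" size="9" pos="35" show="0" value="5022020000000000f0">
                        <field name="per.octet_string_length" showname="Octet String Length: 8" hide="yes" size="1" pos="35" show="8" value="50"/>
                        <field name="ranap.iMSI" showname="iMSI: 22020000000000f0" size="8" pos="36" show="22:02:00:00:00:00:00:f0" value="22020000000000f0"/>
                        <!-- ranap.imsi_digits is the decoded subscriber identity (IMSI); PDML exports
                             carry it in clear text, so handle shared exports as subscriber data. -->
                        <field name="ranap.imsi_digits" showname="IMSI digits: 222000000000000" size="8" pos="36" show="222000000000000" value="22020000000000f0"/>
                      </field>
                    </field>
                  </field>
                </field>
              </field>
            </field>
          </field>
        </field>
      </field>
    </proto>
  </packet>
</pdml>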
Regards
Kurt
answered 11 Oct ‘13, 05:10
Kurt Knochner ♦
Thanks a lot!
Sorry, I now have a frame similar to the first one ( link text ). It is not mtp3 but bssap.
Windows wireshark is configured as before (link text)
and it is able to decode frame (link text)
With tshark, I do not understand the right syntax for decoding this packet. Could you help me?
Riccardo