This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to display s1ap.gTP_TEID as decimal format?

0

how to display gtp-teid as decimal format? s1ap.gTP-TEID: d7e29a65

asked 16 Oct '13, 16:01

ertsali's gravatar image

ertsali
11113
accept rate: 0%

edited 18 Oct '13, 03:13

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237

2 Answers:

3

how to display gtp-teid as decimal format? gTP-TEID: d7e29a65

for that single value: 3621952101

In General: By adding a Lua post dissector that takes the original value and adds a new field for the decimal value.

Here is a very simple (but working) sample code, based on the DnsCat Lua post dissector

File: gtp_ext.lua

-- info
print("gtp postdissector loaded")

– we need these fields from the gtp packets
gtp_teid = Field.new("gtp.teid")


– declare our postdissector
gtp_pd = Proto("gtp_ext","gtp TEID decical converter postdissector")


– our fields
gtp_teid_decimal = ProtoField.uint32("gtp.teid_decimal","GTP TEID in decimal format")
gtp_pd.fields = {gtp_teid_decimal}


– dissect each packet
function gtp_pd.dissector(buffer,pinfo,tree)
local gtpteid  = gtp_teid()


if (gtpteid) then
subtree = tree:add(gtp_pd,"GTP decimal data")
subtree:add(gtp_teid_decimal,tostring(gtpteid))
end
end – end dissector function


– register ourselfs
register_postdissector(gtp_pd)

Place the file gtp_ext.lua (gtp_ext == extended GTP) in the Wireshark installation directory. Then edit init.lua. Add the following line:

dofile(DATA_DIR..“gtp_ext.lua”)

Close Wireshark and open it again. Open a GTP pcap and filter for

gtp.teid

All frames with a gtp.teid will have a new field called

gtp.teid_decimal

You can also use the new field in a display filter, like this:

gtp.teid_decimal > 10000000 or gtp.teid_decimal eq 200000

See the following screenshot

alt text

Have fun!

Regards
Kurt

answered 17 Oct ‘13, 07:41

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 17 Oct ‘13, 09:23

Thanks.. this is awesome but I would like to decode s1ap.gTP_TEID. Please help to modify the coding based on s1ap.gTP_TEID.

(17 Oct ‘13, 15:27) ertsali

Basically: Just replace the string ‘gtp.teid’ in the code with ‘s1ap.gTP_TEID’. Unfortunately I don’t have pcap file with s1ap traffic to test it.

new code:

– info
print("gTP_TEID postdissector loaded")


– we need these fields from the gtp packets
s1ap_gtp_teid = Field.new("s1ap.gTP_TEID")


– declare our postdissector
teid_pd = Proto("teid_decimal","s1ap gTP_TEID decical converter postdissector")


– our fields
s1ap_gtp_teid_decimal = ProtoField.uint32("s1ap.gTP_TEID_decimal","S1AP gTP_TEID in decimal")
teid_pd.fields = {s1ap_gtp_teid_decimal}


– dissect each packet
function teid_pd.dissector(buffer,pinfo,tree)
local s1apgtpteid  = s1ap_gtp_teid()


if (gtpteid) then
subtree = tree:add(teid_pd,"gTP_TEID decimal data")
subtree:add(s1ap_gtp_teid_decimal,tostring(s1apgtpteid))
end
end – end dissector function


– register ourselfs
register_postdissector(teid_pd)
(18 Oct ‘13, 03:11) Kurt Knochner ♦

Cannot work. Please help and download the log via the link. https://skydrive.live.com/?cid=2d4afe2cec0bd503&id=2D4AFE2CEC0BD503%21666&action=Share

(19 Oct ‘13, 02:23) ertsali

O.K. with s1ap it’s not that simple, as there can be several gtp_TEID fields in one frame. So, it’s unclear how the post dissector should show them? Just in the same order as they appeared in the original frame, one after the other?

(21 Oct ‘13, 03:41) Kurt Knochner ♦

I see. Thanks

(21 Oct ‘13, 21:19) ertsali

Kind of speaking to Kurt’s last question, is there a specific end goal in mind here ertsali? Are you trying to correlate the trace file with MME queries, for example? Easy enough to use the above method to just display all the TEIDs, and if also bound to a procedure code I believe the order should always be predictable as well, unless the vendor is doing something odd like passing separate S1AP commands as data chunks in a single packet.

There’s probably easier ways depending on the end goal though. For example, converting the other way from a vendor’s stat file might just be a one-liner script as opposed to breaking out Lua to map Wireshark to the format of a stat or log file.

(21 Oct ‘13, 21:25) Quadratic
showing 5 of 6 show 1 more comments

2

By changing the code in packet-gtp.c, otherwise you have to bring out your calculator.

answered 17 Oct '13, 07:27

Anders's gravatar image

Anders ♦
4.6k952
accept rate: 17%