This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm new to Wireshark and I hope that someone can tell me what I shall do to be able to decode LTE control signaling (headers: RRC, PDCP, etc).

I would like to use Wireshark to decode the LTE signaling between eNodeB and UE, for which I develop the software myself (i.e. I'm not sending data via the air interface. The signaling from eNodeB to UE is going from one network card to another using two Linux machines). I have added my own header of four bytes before the ASN.1 message (RRC), which is the reason why I cannot use the default dissector for RRC in Wireshark. My own header includes information about whether the packet is a RACH req/resp or an ASN.1 message. I hoped that it was possible to specify in Wireshark in an easy way that there shall be an offset of four bytes before the actual header starts, but that doesn't seem to be the case.

Below are my questions. If you don't have an answer to all of them, I would appreciate it if you could answer a few.

  1. Do I need to write a filter or dissector to be able to decode the RRC messages? I assume that I need a dissector to inform Wireshark to skip the 4-byte header before the ASN.1 message (RRC).

  2. If I write a dissector, can I write a dissector for just my own 4-byte header? Or do I need to rewrite the RRC dissector? I.e. will the RRC dissector that is included in Wireshark be triggered after the dissector that I write myself?

  3. If I write a dissector, can I just make a shared object file (.so) that I can put in the plugin folder, or do I need to rebuild the whole of Wireshark? I have read somewhere that there exists a Python script that can be used to build dissectors for RRC from the 3GPP spec, which will rebuild Wireshark. I assume that there exists some easier way to include the updated dissector.

  4. I've tried the foo dissector example but I don't understand how to use it. After I moved the shared object file (.so) to the plugin folder and restarted Wireshark I don't understand how to use the foo dissector. The foo dissector does not pop up in the "Decode As ..." selector. I can see that "foo" is included in the list of enabled protocols in Wireshark.

  5. Will it be possible to decode both RRC and PDCP headers at the same time or will I need separate dissectors for these headers?

I would like to get detailed instructions for making and installing the dissector, step by step, and I wonder if such instructions exist that you can recommend?

I run Wireshark 1.6.7 on Ubuntu Linux and I installed Wireshark via aptitude.

asked 01 Dec '13, 04:29

staffan

It should be possible to write a simple dissector for your custom header then call the appropriate RRC dissector with the actual RRC payload. For an example of doing this, see the function dissect_rrc_lte() in http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-catapult-dct2000.c?revision=53520&view=markup. There is no need to re-generate the RRC dissector, just work out which channel/direction and look up the appropriate entry point (assuming you have the necessary information in your header).

If your frames do include PDCP, then you will need to do something similar to the function dissect_pdcp_lte() in the same file, i.e. allocate & fill in a struct pdcp_lte_info and attach it to the frame then call the PDCP dissector with the remainder.

In order for your dissector to get called in the first place, you will need to register for whatever can be used to identify your frames (e.g. a UDP or TCP port, ethertype).

Lastly, 1.6.7 is quite an old version. There is support for the LTE protocols, but there have been lots of improvements since then. There is documentation elsewhere about either building Wireshark yourself for a built-in dissector, or compiling your dissector as a plugin.

Hope this helps, Martin

(02 Dec '13, 01:27) MartinM
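
The approach described in the comment above (parse the custom header, register on a port, hand the remainder to an RRC entry point), as an added example that is not part of the original thread. It uses Wireshark's Lua API instead of the C API the thread discusses, so it loads without rebuilding. The header layout, the selector values, the `myltehdr` name and the UDP port are hypothetical; the RRC dissector names are the ones current Wireshark registers and may differ on older releases.

```lua
-- Added example. Assumed layout (NOT from the original post):
-- byte 0 = message kind, byte 1 = channel selector, bytes 2-3 = reserved.
local HDR_LEN  = 4
local UDP_PORT = 9999   -- placeholder: use the port your test link really uses

local kinds = { [0] = "RACH request", [1] = "RACH response", [2] = "ASN.1 RRC" }
-- Hypothetical selector value -> registered name of the RRC entry point.
local rrc_entry = {
    [0] = "lte_rrc.ul_ccch", [1] = "lte_rrc.dl_ccch",
    [2] = "lte_rrc.ul_dcch", [3] = "lte_rrc.dl_dcch",
}

local p = Proto("myltehdr", "Custom LTE test header")
local f_kind = ProtoField.uint8("myltehdr.kind", "Message kind", base.DEC, kinds)
local f_chan = ProtoField.uint8("myltehdr.channel", "Channel selector", base.DEC)
p.fields = { f_kind, f_chan }

local data_dis = Dissector.get("data")

-- Dissector.get() raises an error for unknown names on some releases,
-- so look the RRC entry point up defensively.
local function lookup(name)
    local ok, d = pcall(Dissector.get, name)
    if ok then return d end
    return nil
end

function p.dissector(tvb, pinfo, tree)
    if tvb:len() < HDR_LEN then return 0 end        -- truncated frame: not ours
    pinfo.cols.protocol = "MYLTEHDR"
    local sub = tree:add(p, tvb(0, HDR_LEN))
    sub:add(f_kind, tvb(0, 1))
    sub:add(f_chan, tvb(1, 1))
    if tvb:len() == HDR_LEN then return HDR_LEN end -- header only, no payload

    local payload = tvb(HDR_LEN):tvb()              -- everything after the header
    local target = data_dis                         -- fallback: show raw bytes
    if tvb(0, 1):uint() == 2 then
        local name = rrc_entry[tvb(1, 1):uint()]
        target = (name and lookup(name)) or data_dis
    end
    target:call(payload, pinfo, tree)
    return tvb:len()
end

-- Registration is what gets the dissector called in the first place.
DissectorTable.get("udp.port"):add(UDP_PORT, p)
```

Frames with an unknown kind or selector, or on a build without the named RRC dissector, fall through to the generic data dissector rather than being decoded against the wrong ASN.1 entry point.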

I have written a PDCP dissector according to your description. But I did not succeed in creating the struct pdcp_lte_info. The p_get_proto_data() function needs the proto_pdcp_lte id which is declared in packet-pdcp-lte.c, so I have done an external declaration of this variable in my file. I can compile my code but when I start Wireshark I get a failure with the "undefined symbol:proto_pdcp_lte" cause. Do I need to activate/load/compile the PDCP-LTE module in Wireshark? When I look at Internals->Supported protocols in Wireshark I can find the PDCP-LTE name in the list, so it should be included in my Wireshark version (1.10.3). Does someone know how to handle the pdcp_lte_info id correctly or how the pdcp_lte_info structure should be created?

BR

/Emmanuel

Here is my dissector code:

#include <epan/packet.h>
#include <epan/emem.h>                        /* se_alloc0() */
#include <epan/dissectors/packet-pdcp-lte.h>  /* pdcp_lte_info and its enums */

/* Defined in packet-pdcp-lte.c; this is the symbol a plugin fails to resolve at load time */
extern int proto_pdcp_lte;

static int
dissect_pdcp (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    gint offset = 0;
    dissector_handle_t pdcp_lte_handle = NULL;
    tvbuff_t *pdcp_tvb;
    pdcp_lte_info *p_pdcp_lte_info;
    unsigned int bearer = 0;

    /* TODO: read the 4 bytes long internal header (the bearer value will be extracted here) */
    offset += 4;

    pdcp_lte_handle = find_dissector("pdcp-lte");
    /* Everything after the internal header is the PDCP PDU */
    pdcp_tvb = tvb_new_subset_remaining(tvb, offset);

    /* Reuse or allocate struct */
    p_pdcp_lte_info = (pdcp_lte_info *)p_get_proto_data(pinfo->fd, proto_pdcp_lte);
    if (p_pdcp_lte_info == NULL) {
        p_pdcp_lte_info = se_alloc0(sizeof(struct pdcp_lte_info));
        /* Store info in packet */
        p_add_proto_data(pinfo->fd, proto_pdcp_lte, p_pdcp_lte_info);
    }

    p_pdcp_lte_info->ueid = 0;
    p_pdcp_lte_info->channelType = Channel_DCCH;
    p_pdcp_lte_info->channelId = bearer;
    p_pdcp_lte_info->direction = DIRECTION_UPLINK;

    /* Set plane and sequence number length */
    p_pdcp_lte_info->no_header_pdu = FALSE;
    p_pdcp_lte_info->plane = SIGNALING_PLANE;
    p_pdcp_lte_info->seqnum_length = 5;

    call_dissector(pdcp_lte_handle, pdcp_tvb, pinfo, tree);

    /* The function is declared to return int: report the whole frame as consumed */
    return tvb_length(tvb);
}

(13 Jan '14, 03:07) emmanuel

Emmanuel,

If your dissector is built-in, rather than a plugin, this should work, as this is exactly what e.g. packet-rlc-lte.c does. If you are writing a plugin, then I don't think it will work, as you've seen.

For LTE MAC, we added helper functions that mean you don't need to extern the symbol. This is from packet-mac-lte.h:

/* Functions to be called from outside this module (e.g. in a plugin, where mac_lte_info
   isn't available) to get/set per-packet data */
WS_DLL_PUBLIC mac_lte_info *get_mac_lte_proto_data(packet_info *pinfo);
WS_DLL_PUBLIC void set_mac_lte_proto_data(packet_info *pinfo, mac_lte_info *p_mac_lte_info);

(13 Jan '14, 03:43) MartinM

I meant to say in my reply yesterday - if you are writing a plugin and would like similar exported functions added (as was done for MAC), please raise a bug/request on https://bugs.wireshark.org

(14 Jan '14, 07:19) MartinM
question asked: 01 Dec '13, 04:29

last updated: 14 Jan '14, 07:19