This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark: parsing CM Service Request packets

0

I am using tshark to parse capture files of GSM sessions. For particular CM Service Request packets, I wish to determine and output the CM Service Type. I can currently parse Mobility Management messages by filtering with "gsm_a.dtap_msg_mm_type == 0x24" and get all the CM Service Request packets. However, I have not been able to figure out how to output the specific CM Service type for such packets.

I have searched through the online Display Filter Reference, but I have found nothing that can extract the CM Service type (I am using "-T fields -e gsm_a.dtap_msg_mm_type -e etc" to output specific data for the packet).

Is it possible to extract that info with tshark? Any suggestions are appreciated.

Thanks,

John

asked 22 Jan '14, 15:56


jotten


One Answer:

1

As far as I can see in the code, the 'service type' is only added as text to the tree, so there is no separate field for it.

File: packet-gsm_a_dtap.c

    subtree = proto_item_add_subtree(item, ett_gsm_dtap_elem[DE_CM_SRVC_TYPE]);
    switch (oct & 0x0f)
    {
    case 0x01: str = "Mobile originating call establishment or packet mode connection establishment"; break;
    case 0x02: str = "Emergency call establishment"; break;
    case 0x04: str = "Short message service"; break;
    case 0x08: str = "Supplementary service activation"; break;
    case 0x09: str = "Voice group call establishment"; break;
    case 0x0a: str = "Voice broadcast call establishment"; break;
    case 0x0b: str = "Location Services"; break;
    default:
        str = "Reserved";
        break;
    }

    other_decode_bitfield_value(a_bigbuf, oct, 0x0f, 8);
    proto_tree_add_text(subtree,
        tvb, curr_offset, 1,
        "%s = Service Type: (%u) %s",
        a_bigbuf,
        oct & 0x0f,
        str);

So, if you need to get the service type from tshark output you can

- file an enhancement request at https://bugs.wireshark.org and hope one of the developers finds some time to add that feature (if possible)
- let tshark print PDML and parse the output yourself (with a script) to get those values:

    tshark -nr input.pcap -Y "gsm_a.dtap_msg_mm_type == 0x24" -T pdml | your-script.pl

Not easy, but currently the only option I see.

++ UPDATE ++

As mentioned by @Anders in the comment, that change has already been implemented in the latest 1.11.x build.

@jotten: if you download the latest 1.11.x build, you should be able to use -e gsm_a.dtap.service_type in tshark.

Regards
Kurt

answered 24 Jan '14, 07:40


Kurt Knochner ♦

edited 24 Jan '14, 08:21

Looks like that's implemented in trunk already, so if on Windows, downloading a buildbot build is an option.

(24 Jan '14, 08:09) Anders ♦

:-)) You are right. I should have checked trunk. Thanks for the hint!

http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-gsm_a_dtap.c

      { &hf_gsm_a_dtap_service_type, { "Service Type", "gsm_a.dtap.service_type", FT_UINT8, BASE_DEC, VALS(gsm_a_dtap_service_type_vals), 0x0F, NULL, HFILL }},

@jotten: if you download the latest 1.11.x build, you should be able to use -e gsm_a.dtap.service_type in tshark.

(24 Jan '14, 08:17) Kurt Knochner ♦
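
The PDML route suggested in the answer, sketched in Python as an added example (not code from the thread or from Wireshark): it matches the text item produced by the "%s = Service Type: (%u) %s" format string quoted above. The script name in the usage note and the trimmed PDML sample are constructed for illustration; real PDML carries more attributes per field.

```python
import io
import re
import sys
import xml.etree.ElementTree as ET

# Text item built by the dissector's format string "%s = Service Type: (%u) %s".
SERVICE_TYPE_RE = re.compile(r"= Service Type: \((\d+)\) (.+)$")
# Constructed PDML sample, trimmed to the attributes this script reads.
SAMPLE_PDML = b"""<?xml version="1.0"?>
<pdml>
 <packet>
  <proto name="frame"><field name="frame.number" show="12"/></proto>
  <proto name="gsm_a.dtap">
   <field name="gsm_a.dtap_msg_mm_type" show="0x24"/>
   <field name="" show=".... 0001 = Service Type: (1) Mobile originating call establishment or packet mode connection establishment"/>
  </proto>
 </packet>
 <packet>
  <proto name="frame"><field name="frame.number" show="31"/></proto>
  <proto name="gsm_a.dtap">
   <field name="gsm_a.dtap_msg_mm_type" show="0x24"/>
   <field name="" show=".... 0100 = Service Type: (4) Short message service"/>
  </proto>
 </packet>
</pdml>
"""

def extract_service_types(stream):
    """Stream PDML one <packet> at a time; return [(frame, code, description), ...]."""
    results = []
    for _event, packet in ET.iterparse(stream, events=("end",)):
        if packet.tag != "packet":
            continue
        frame, service = None, None
        for field in packet.iter("field"):
            show = field.get("show", "")
            if field.get("name") == "frame.number":
                frame = int(show)
            match = SERVICE_TYPE_RE.search(show)
            if match:
                service = (int(match.group(1)), match.group(2))
        if service is not None:
            results.append((frame, *service))
        packet.clear()  # free the parsed subtree before the next packet
    return results

if __name__ == "__main__":
    source = io.BytesIO(SAMPLE_PDML) if sys.stdin.isatty() else sys.stdin.buffer
    print(*extract_service_types(source), sep="\n")
```

Usage with the command from the answer: tshark -nr input.pcap -Y "gsm_a.dtap_msg_mm_type == 0x24" -T pdml | python3 extract_service_type.py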