Hi all, I want to ask about such a Wireshark 'strangeness'. When I ran Wireshark with the normal GUI and set the filter (by typing in the filter bar) to gsmtap, 2 messages were shown there; unfortunately the content was wrong. But when I ran my Wireshark again, loaded the same file that I used before, but ran it with the command line "wireshark -k -f udp -Y gsmtap -i lo", 2 messages could be shown also; the strange thing is that in this way (command line), it seems the packet is fine. Wireshark shows it well. These printscreens have been attached here. Can anybody help figure out what is going on here? How actually is Wireshark decoding my file so 'strangely'.. thanks Bass
asked 16 Jun '15, 02:12 bass, edited 16 Jun '15, 03:04
One Answer:
In your capture https://drive.google.com/file/d/0B2PfFt7P5kAgT21WRmFOYjJBMTg/view?usp=sharing we can see that the destination port was not open, generating ICMP messages containing the GSMTAP packets. This confuses the LAPDm reassembly code, which concatenates 5 frames (packets 7, 8, 11, 12, 13) instead of 3 (packets 7, 11 and 13). Eventually the GSMTAP dissector could discard error packets instead of feeding them into the LAPDm dissector. In your other capture, there are no ICMP error packets, so reassembly works properly. So what matters here is not really the Wireshark command line, but whether you have a program opening the socket or not.

answered 18 Jun '15, 06:36 Pascal Quantin, edited 18 Jun '15, 06:37

thank you so much for your explanation.. it was really helpful (18 Jun '15, 19:46) bass
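As an added illustration of the answer (not code from this thread or from Wireshark), the following Python sketch builds the two datagram shapes involved: a GSMTAP datagram sent directly to UDP port 4729, and the same datagram quoted back inside an ICMP port-unreachable error when nothing listens on that port. Handing both copies to LAPDm reassembly doubles the frames, matching the five-versus-three count in the answer; dropping the ICMP-quoted copies restores the expected sequence. All packet bytes are constructed here, with IP checksums left at zero.

```python
import struct

GSMTAP_PORT = 4729  # IANA-registered UDP port for GSMTAP

def ipv4(proto, payload, src=b"\x7f\x00\x00\x01", dst=b"\x7f\x00\x00\x01"):
    """Minimal IPv4 header (no options, checksum left as 0) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def udp_gsmtap(frame_number, sport=40000):
    """UDP datagram to the GSMTAP port carrying a constructed 16-byte GSMTAP v2 header."""
    gsmtap = struct.pack("!BBBBHBBIBBBB", 2, 4, 1, 0, 0, 0, 0, frame_number, 0, 0, 0, 0)
    return ipv4(17, struct.pack("!HHHH", sport, GSMTAP_PORT, 8 + len(gsmtap), 0) + gsmtap)

def icmp_port_unreachable(offending_ip_packet):
    """ICMP type 3 code 3 (port unreachable) quoting the offending datagram, as the
    kernel sends it when no socket is bound to the port (quoted whole here)."""
    return ipv4(1, struct.pack("!BBHI", 3, 3, 0, 0) + offending_ip_packet)

def classify(ip_packet):
    """Return ('direct', fn), ('icmp-quoted', fn) or ('other', None) for one IPv4 packet."""
    ihl = (ip_packet[0] & 0x0F) * 4
    proto, l4 = ip_packet[9], ip_packet[ihl:]
    if proto == 17 and struct.unpack("!H", l4[2:4])[0] == GSMTAP_PORT:
        return "direct", struct.unpack("!I", l4[16:20])[0]  # GSMTAP frame_number field
    if proto == 1 and l4[0] == 3 and classify(l4[8:])[0] == "direct":
        return "icmp-quoted", classify(l4[8:])[1]  # GSMTAP seen through the ICMP error
    return "other", None

def frames_for_reassembly(ip_packets, drop_icmp_quoted=True):
    """Frame numbers that would be handed to LAPDm reassembly, in capture order."""
    out = []
    for pkt in ip_packets:
        kind, fn = classify(pkt)
        if kind == "direct" or (kind == "icmp-quoted" and not drop_icmp_quoted):
            out.append(fn)
    return out

def sample_capture():
    """Constructed stand-in for the capture: GSMTAP sent to a closed port, so each
    datagram (7, 11) is followed by an ICMP error quoting it (8, 12)."""
    p7, p11, p13 = udp_gsmtap(7), udp_gsmtap(11), udp_gsmtap(13)
    return [p7, icmp_port_unreachable(p7), p11, icmp_port_unreachable(p11), p13]

if __name__ == "__main__":
    print(frames_for_reassembly(sample_capture(), drop_icmp_quoted=False))  # [7, 7, 11, 11, 13]
    print(frames_for_reassembly(sample_capture()))                          # [7, 11, 13]
```

In a real trace the same split can be checked with a display filter that keeps `gsmtap` but excludes `icmp`, which is the condition the answer describes.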
The first assumption is that you are not looking at the same packet: the upper one is a reassembled LAPDm packet of 85 bytes, while the lower one is a reassembled packet of 45 bytes. Moreover the TP-PID and TP-DCS fields also differ. Any chance to share the pcap?
here is the link: [1] https://drive.google.com/file/d/0B2PfFt7P5kAgZ0xxRU0wY2ZHaXM/view?usp=sharing [2] https://drive.google.com/file/d/0B2PfFt7P5kAgT21WRmFOYjJBMTg/view?usp=sharing
Just wondering, why does Wireshark act differently there..
The "wireshark -k -f udp -Y gsmtap -i lo" command is starting a new capture, it's not loading an existing file. So I'm not sure I understand what you mean by "But when I ran my wireshark again, load the same file that I used before, but it was run with command line "wireshark -k -f udp -Y gsmtap -i lo"", as here you are doing a new capture and not loading an existing one.
At first glance I would say that you did not look at the same packets between both tries.
The capture files are not identical, different source ports!
Those pcap files are a 'result'. Actually, I have a cfile which is a GSM packet, then I decode this cfile using gr-gsm. While the decoding process runs, the result of the decoding can be seen through Wireshark. However, for this step, of course Wireshark needs to be run first. When I start Wireshark, I did it using the normal GUI (click icon, choose the Lo adapter, input filter etc.); in another session, by command line as mentioned before. Using the same gr-gsm and cfile source, but as you see in the pcap files, it seems the result is different. Pardon me for what seems to be mis-information here..
So I am just wondering why Wireshark acts differently there,,