Hi, I wonder if there is someone that have been able to iterate thourgh a bundled SS7 SCTP packet with tshark and a Lua script. Example of my packet: Frame IP SCTP M3UA SCCP TCAP GSM-MAP SCTP M3UA SCCP TCAP SCTP M3UA SCCP TCAP GSM-MAP So I want to be able to evaluate each M3UA pcaket at the time and be able to get out data from MTP3,SCCP,TCAP and GSM-MAP layer as I can do with a unbundled M3UA packet. For example e212.imsi and tcap.tid I have hard time to match to a particular M3UA packet when analysing a frame with bundled M3UA packets. I have seen some QA on the forum but I can not find any solution that works for me. Thanks /Mattias asked 25 Jun '15, 07:00  Lunken edited 25 Jun '15, 14:50  Hadriel |
One Answer:
I don't think there's any easy/simple answer to this, but there I can think of a way to do it that's fairly complicated... First, are you using a Listener tap or a dissector? It can probably be done either way, but the answer changes slightly depending on which one you do. If you're doing this with a Listener tap, you can tap the M3UA layer, so that your Lua-defined tap.packet() function gets called for each separate M3UA message. So for a given IP packet, let's say IP packet #1, the first time your tap.packet() runs for IP packet #1, you'll only get the various Fields you're interested in for the first M3UA; but unfortunately the second time the tap.packet() is called it will get the Fields from both the first and second M3UA message; and the third time tap.packet() is invoked it will get the Fields from all three messages. So the brute-force way to "fix" that is to keep state information about what Fields tap.packet() has already seen/retrieved for a given IP packet. For example, create a Lua table outside of the tap.packet() function, and within the tap.packet() function add an entry in that table using the frame number as an index of the table, and the value as another sub-table with indexes being the field names, and the value of those field names would be a number representing how many you've already seen. Or if all fields only appear once in a given M3UA message, then you don't need the sub-table of fields names but can instead just have the frame number entry be a number for how many M3UA messages have been processed in this frame. So for example, for IP packet #1 when tap.packet() gets invoked there would be no entry for index "1" in the table so you create it with a value "1", and then use all the Fields you get. The second time tap.packet() is invoked it finds an existing index entry for packet # "1", with a value count of "1", so it updates the value to "2", and it knows to skip the first Field it gets and only use the second. And the third time tap.packet() is called it finds the index packet # "1" entry with a value of "2", which it increments to "3", and knows to skip the first 2 Fields it gets, etc. Just make sure to clear/destroy that table at the end of the file, by defining a tap.reset() function which clears it. answered 25 Jun '15, 15:28 Hadriel |
