This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Get value of the field in every protocol in frame

0

Good day!

May be somebody could explain me how to solve following problem:

I have a set of fields. For example F1,F2,F3,F4. And I have one frame in which there several protocols:

SCTP

MTP3

SCCP

TCAP

CAMEL

And I want to search in every protocl the value of each field (F1,F2,F3,F4). If there is no such field in protocl then get NULL for such field. In other words I want to have following result for my example:

         F1 | F2  | F3  | F4

SCTP | 123 | NIL | 433 | 609

MTP3 | NIL | 234 | 000 | NIL

SCCP | 234 | 123 | NIL | NIL

TCAP | 534 | NIL | NIL | NIL

CAMEL| 32 | 090 | 628 | 3435

Thanks for any help!

This question is marked "community wiki".

asked 20 Aug '15, 23:25

domeno's gravatar image

domeno
216611
accept rate: 0%

I'm afraid I don't understand exactly what you are asking. The SS7 protocol hierarchy is MTP3:SCCP:TCAP:CAMEL (let's leave aside SCTP for the moment). Can you provide an example of protocol fields which you expect to see in two of these protocols? Do you e.g. have in mind the source or destination point code in mtp3 and point code as calling or called address in SCCP?

(16 Aug '16, 07:31) sindy

The main idea in this question was in following: In one frame in pcap file there are more then one chunk. Every chunk has identical structure of the protocols (MTP3 -> SCCP -> TCAP -> CAMEL). For example we want to get in every chunk from protocol SCCP the following field: sccp.calling.digits. But in some chunks this field exists and in some chunks of the same frame this field does not exist. For example:

1 chunnk. sccp.calling.digits=123 2 chunnk. sccp.calling.digits does not exist 3 chunnk. sccp.calling.digits=789 4 chunnk. sccp.calling.digits does not exist

And I want to get the following result after the LUA script: 123 NULL 789 NULL

(17 Aug '16, 03:52) domeno

OK. Put this way it is clear (at least to me), yet I am afraid that what you want to achieve is currently impossible. A lua post-dissector for the whole frame can be created but it cannot get any information about index of the individual PDUs in the frame, so if the first and third PDUs have got a field and the second and fourth haven't, the postdissector would just show two instances of that field but no indication in which PDU it has occurred, i.e. it would do the same what tshark does if you use -E occurrence=a.

So your proxy dissector might be the right place to insert such functionality - it would be registered instead of the original dissector and thus the lower layer dissector would call it for each PDU in the frame. The rough idea is that the proxy dissector would first call the original dissector, and then extract the fields the original one has created, and modify a list it would maintain for each of the fields in question according to the result. But implementing that is far from being easy, as each frame may be dissected several times.

(17 Aug '16, 05:42) sindy

Using the exported PDU functionality and export at OSI level 4 you can dechunk the SCTP layer and then look at the resulting file.

(17 Aug '16, 07:47) Anders ♦

I created proxy protocol to solve this problem. Yes the solution is not beautiful but solves my problem. Thanks!

(18 Aug '16, 07:41) domeno