Hello to all, First time asking question in this forum. In summary: I'm trying to look for PCAP file format/structure to try to decode files containing GSM MAP protocol. I need to identify what are the hexadecimal values that say where begins/ends a packet, where begins/ends a especific parameter or if it is in a fix position with a predefined offset. I'm not sure is a tool exists for something like this. In detail: I look for way to print several parameters from huge pcap files containing GSM MAP protocol messages, for example Timestamp, OPC, DPC, Source IP, Destination IP, SCCP Calling Party, SCCP Called Party based on if field SCCP Called party has certain length. What I've done so far is open the files in Wireshark and export them as CSV, then I post process the file to select the lines that match the condition. But since the files are more than 300 MB in size and I need to do it for several files, is not a practical task and I think if I open the pcap file in binary mode and I know the estructure of the pcap file, I could do it faster and in batch mode analyzing in binary mode. Many thanks for any help. Best regards asked 12 Nov '15, 11:12 cgkmal |
3 Answers:
You might want to look at using TShark with the answered 12 Nov '15, 13:07 Guy Harris ♦♦ |
Hi, these are actually two questions. Answer 1: the .pcap file format is described for example here. Answer 2: some of the information elements you mention (e.g. OPC, DPC) have a fixed length and position within the packet, some don't (e.g. SCCP Calling Party, SCCP Called Party). So while it is enough to take N bytes starting from offset M in the packet to get the former ones, you have to properly decode the protocol tree in order to get the latter ones. The exact position of the fixed place and size elements also depends on the transport protocol (MTP2 or SIGTRAN). Pavel answered 12 Nov '15, 11:28 sindy Hello Pavel, Thanks for answer and link shared. I see from pcap format that header has a fixed length and you mention that to know size and position for opc, dpc depends of transport. Currently the pcap has mtp transport, then, let's say I'm able to isolate the data bytes, then how to know a little bit more about the restructure of this map data?. Do you know where can I look the format(lenght, position) for map parameters? Thanks again (12 Nov '15, 11:46) cgkmal Hi cgkmal, please make clear what you want:
Pavel (13 Nov '15, 02:26) sindy Hi Pavel, Thanks for the ITU link. I've tested with tshark already, the thing is that since I need to process with tshark, then another script to process the output given by tshark and do this for big files and many times. Due to this I thought in ask in order to know a way to process the pcap directly. I found the explanation about pcap format http://www.kroosec.com/2012/10/a-look-at-pcap-file-format.html and I have more clear the escenario that matches with wath you mentioned. This is pcap packets have Global header, section headers of fixed lenght and data is variable. But to understand that packet data is needed to follow what ITU says depending the protocol to decode. Thanks for the help. (13 Nov '15, 11:15) cgkmal |
I think if you open the pcap file with libpcap or WinPcap, you'll be even happier, as you won't have to care about the pcap file format. :-) answered 12 Nov '15, 13:05 Guy Harris ♦♦ Hi Guy, Thanks for the suggestion. I´ve been searching about libpcap and winpcap as you said. It seems it works with C, my knowdledge in C are not the bests hehe. But I haven´t found a good example in how to open o manipulate desired info with winpcap so far. Do you know or have experience with that to give me a start point? Open the pcap with a hex editor I can see the point codes, SCCP callin/called parties but I still don´t know size, position, offset etc to identify where those parameters begin or end. Thanks for the help so far. Regards (12 Nov '15, 22:07) cgkmal |
Thanks Guy for share the tshark options. It works and get info for each packet in one file.