This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello to all,

I'm using tshark to filter a pcap file to a CSV file output. I'm using a display filter for sccp that works just fine and without any error in the Wireshark GUI, but using the same filter on the command line with tshark I get several errors like the ones below. Is there a way to fix this?

display filter expression used: sccp.called.digits matches "123456"

Thanks for any help

** (tshark.exe:112236): WARNING **: Dissector bug, protocol GSM SMS, in packet 213753: proto.c:2990: failed assertion "g_utf8_validate(value, -1, ((void *)0))"

** (tshark.exe:109572): WARNING **: Dissector bug, protocol GSM SMS, in packet 217919: proto.c:2990: failed assertion "g_utf8_validate(value, -1, ((void *)0))"

** (tshark.exe:109572): WARNING **: Dissector bug, protocol GSM SMS, in packet 223736: proto.c:2990: failed assertion "g_utf8_validate(value, -1, ((void *)0))"

** (tshark.exe:113252): WARNING **: Dissector bug, protocol GSM SMS, in packet 21200: proto.c:2990: failed assertion "g_utf8_validate(value, -1, ((void *)0))"

** (tshark.exe:113252): WARNING **: Dissector bug, protocol GSM SMS, in packet 202122: proto.c:2990: failed assertion "g_utf8_validate(value, -1, ((void *)0))"

asked 27 Nov '15, 11:52

cgkmal

edited 06 Apr '17, 07:13

grahamb ♦

Hi @cgkmal, could you share a pcap file which would contain one MAP packet with SMS payload and one without (File -> Export specified packets -> Captured packets -> Range: x, y)?

If you do not need the SMS contents, a workaround for you should be to disable the gsm_sms dissector. To do so, you have to go, in GUI Wireshark, to Analyze -> Enabled protocols, uncheck GSM SMS, press OK and exit Wireshark. The preference is saved to the default profile which tshark uses as well.

(27 Nov '15, 14:02) sindy

What is the encoding of your SMS? Is it UCS2? Could you please provide the pcap (or open a bug on https://bugs.wireshark.org) so that I can have a look at the capture and fix the bug?

answered 27 Nov '15, 12:09

Pascal Quantin

Definitely open a bug on the Wireshark Bugzilla, and attach a capture to it if possible.

(27 Nov '15, 22:28) Guy Harris ♦♦

Hi Sindy, Pascal. Thanks for the answer. When I filter a file of approx. 60 MB with tshark, one or two bug errors appear mentioning the packet number for the error. Then I export to a small file a few packets containing the packet associated with the bug, but when I run tshark over this small file the bug doesn't appear. I'm not sure why.

(27 Nov '15, 23:29) cgkmal

That means that you have to provide the complete 60 MB file when filing the bug, otherwise the developers would not be able to debug the issue and verify that the fix is working.

(28 Nov '15, 01:51) sindy

Then I export to a small file a few packets containing the packet associated to the bug, but when I run tshark over this small file the bug doesn't appear.

When you run tshark over the file, do you do so with the -V command-line flag? If not, it might not do a full dissection (to save CPU time) and might not run into that problem, but if you do so with -V, it has to do a full dissection, and if you use a display filter or read filter, it has to do a full dissection.

(28 Nov '15, 12:07) Guy Harris ♦♦

Hi Guy, I'm not using the -v option. Here you can find a sample file to test. I've used a display filter expression with the -Y option, but no option is needed to reproduce the bug; it appears just by sending

tshark -r sample.pcap

With this small file a bug appears with an SCTP and SMS packet.

PS: the SMS format inside shows that it is UCS2.

Thanks for the help.

(28 Nov '15, 23:54) cgkmal

If you run tshark on the file without -V, the error isn't reported. If you run tshark on the file with -V, the error is reported.

(29 Nov '15, 00:40) Guy Harris ♦♦

Please open a bug on this on the Wireshark Bugzilla and attach that capture, so we can track this as a bug. (Among other things, it looks as if we might be incorrectly reassembling the SMS message text from the two fragments.)

(29 Nov '15, 00:53) Guy Harris ♦♦

I reported the bug here: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11809 and pushed a fix here: https://code.wireshark.org/review/#/c/12288/

Until a version of the fix is available, you can deactivate reassembly of segmented SMS: Edit -> Preferences -> Protocols -> GSM SMS and uncheck "Reassemble fragmented SMS"

(29 Nov '15, 09:00) Pascal Quantin

The fix will be part of Wireshark 1.12.9 and 2.0.1 once released.

(29 Nov '15, 11:00) Pascal Quantin

Thank you Pascal/Guy for your support. I understand the issue is for SMS that have more than one part. I deactivated "Reassemble fragmented SMS" and the red line mentioning a bug in the GUI disappeared, and the bug printed by tshark disappeared too. Only the line reporting a bug in SCTP, "failed assertion "fixed_item->parent == tree" ", remains. Thanks for the help to fix and make this great software even better. Regards

(30 Nov '15, 07:13) cgkmal

Yes there seems to be another bug in SCTP dissector in 1.12.x that is solved in Wireshark 2.0 (this error does not appear with this version).

If you consider I have solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(30 Nov '15, 07:40) Pascal Quantin
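
For triaging a large capture like the one in this thread, the "Dissector bug" warnings that tshark prints can be parsed to list the affected packets per protocol and assertion before filing a bug. This is an added example, not part of the original thread or of Wireshark; the sample lines are the warnings quoted in the question, and the file names `big.pcap` and `repro.pcap` are hypothetical.

```python
import re
from collections import defaultdict

# Shape of the warning lines quoted in the question.
WARNING_RE = re.compile(
    r'Dissector bug, protocol (?P<proto>.+?), in packet (?P<pkt>\d+): '
    r'(?P<src>[\w./-]+):(?P<line>\d+): failed assertion "(?P<expr>.*)"\s*$'
)

# Warning lines copied from the question, plus one constructed ordinary
# output line that must be ignored by the parser.
SAMPLE = '''\
** (tshark.exe:112236): WARNING **: Dissector bug, protocol GSM SMS, in packet 213753: proto.c:2990: failed assertion "g_utf8_validate(value, -1, ((void *)0))"
** (tshark.exe:109572): WARNING **: Dissector bug, protocol GSM SMS, in packet 217919: proto.c:2990: failed assertion "g_utf8_validate(value, -1, ((void *)0))"
** (tshark.exe:109572): WARNING **: Dissector bug, protocol GSM SMS, in packet 223736: proto.c:2990: failed assertion "g_utf8_validate(value, -1, ((void *)0))"
  1   0.000000 constructed line of normal tshark output
** (tshark.exe:113252): WARNING **: Dissector bug, protocol GSM SMS, in packet 21200: proto.c:2990: failed assertion "g_utf8_validate(value, -1, ((void *)0))"
** (tshark.exe:113252): WARNING **: Dissector bug, protocol GSM SMS, in packet 202122: proto.c:2990: failed assertion "g_utf8_validate(value, -1, ((void *)0))"
'''

def parse_dissector_bugs(stderr_text):
    """Group packet numbers by (protocol, source location, assertion)."""
    groups = defaultdict(set)
    for raw in stderr_text.splitlines():
        m = WARNING_RE.search(raw)
        if m:
            key = (m["proto"], f'{m["src"]}:{m["line"]}', m["expr"])
            groups[key].add(int(m["pkt"]))  # set: repeated runs dedupe
    return {key: sorted(pkts) for key, pkts in groups.items()}

def editcap_args(infile, outfile, packets):
    """Build an editcap command that keeps (-r) only the listed packets."""
    return ["editcap", "-r", infile, outfile] + [str(p) for p in packets]

if __name__ == "__main__":
    for (proto, where, expr), pkts in parse_dissector_bugs(SAMPLE).items():
        print(f"{proto} @ {where}: {expr}")
        print("  packets:", pkts)
        print("  ", " ".join(editcap_args("big.pcap", "repro.pcap", pkts)))
```

As the thread notes, the extracted file has to be re-read with full dissection (`-V` or a display filter) to confirm the warning still reproduces.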