Hello to all,

I'm using tshark to filter a pcap file to a CSV file output. I'm using a display filter for sccp that works just fine and without any error in the Wireshark GUI, but using the same filter on the command line with tshark I get several errors like below. Is there a way to fix this?

Display filter expression used:

sccp.called.digits matches "123456"

Thanks for any help

asked 27 Nov '15, 11:52 cgkmal
edited 06 Apr '17, 07:13 grahamb
One Answer:
What is the encoding of your SMS? Is it UCS2? Could you please provide the pcap (or open a bug on https://bugs.wireshark.org) so that I can have a look at the capture and fix the bug?

answered 27 Nov '15, 12:09 Pascal Quantin

Definitely open a bug on the Wireshark Bugzilla, and attach a capture to it if possible.
(27 Nov '15, 22:28) Guy Harris

Hi Sindy, Pascal. Thanks for the answer. When I filter a file of approx. 60 MB with tshark, one or two bug errors appear mentioning the packet number for the error. Then I export to a small file a few packets containing the packet associated with the bug, but when I run tshark over this small file the bug doesn't appear. I'm not sure why.
(27 Nov '15, 23:29) cgkmal

That means that you have to provide the complete 60 MB file when filing the bug, otherwise the developers would not be able to debug the issue and verify that the fix is working.
(28 Nov '15, 01:51) sindy

When you run tshark over the file, do you do so with the
(28 Nov '15, 12:07) Guy Harris

Hi Guy, I'm not using the -v option. Here you can find a sample file to test. I've used a display filter expression with the -Y option, but no option is needed to reproduce the bug, it appears just sending
with this small file appears a bug with SCTP and SMS packet. PS: the SMS format inside shows that it is UCS2. Thanks for the help.
(28 Nov '15, 23:54) cgkmal

If you run tshark on the file without
(29 Nov '15, 00:40) Guy Harris

Please open a bug on this on the Wireshark Bugzilla and attach that capture, so we can track this as a bug. (Among other things, it looks as if we might be incorrectly reassembling the SMS message text from the two fragments.)
(29 Nov '15, 00:53) Guy Harris

I reported the bug here: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11809 and pushed a fix here: https://code.wireshark.org/review/#/c/12288/
Until a version of the fix is available, you can deactivate reassembly of segmented SMS: Edit -> Preferences -> Protocols -> GSM SMS and uncheck "Reassemble fragmented SMS"
(29 Nov '15, 09:00) Pascal Quantin

The fix will be part of Wireshark 1.12.9 and 2.0.1 once released.
(29 Nov '15, 11:00) Pascal Quantin

Thank you Pascal/Guy for your support. I understand the issue is for SMS that have more than one part. I deactivated "Reassemble fragmented SMS" and the red line mentioning a bug in the GUI disappeared and the bug print with tshark disappeared too. Only the line reporting a bug in SCTP remains: "failed assertion "fixed_item->parent == tree" ". Thanks for the help to fix and make this great software even better. Regards
(30 Nov '15, 07:13) cgkmal

Yes, there seems to be another bug in the SCTP dissector in 1.12.x that is solved in Wireshark 2.0 (this error does not appear with this version). If you consider I have solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.
(30 Nov '15, 07:40) Pascal Quantin
Hi @cgkmal, could you share a pcap file which would contain one MAP packet with SMS payload and one without (File -> Export specified packets -> Captured packets -> Range: x, y)?
If you do not need the SMS contents, a workaround for you should be to disable the gsm_sms dissector. To do so, you have to go, in GUI Wireshark, to Analyze -> Enabled protocols, uncheck GSM SMS, press OK and exit Wireshark. The preference is saved to the default profile which tshark uses as well.