This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark can’t decode s1ap message

0

Hi,

I have installed the latest nightly version of Wireshark on my Linux box and some fields don't show up correctly. To be more specific, I have tweaked dictionary.xml and some of the fields that were 'unknown' before are now shown correctly. These are some Diameter messages.

The problem is that I can't find out how to do the same with S1AP messages. Any clue?

Thanks!

Br, Sotiris

asked 24 Mar '16, 01:30

SotirisAnt


One Answer:

1

S1AP message decoding is written in C (compiled from the ASN.1 description) and is not based on the content of an external file (like diameter.xml).

The current ASN.1 description being used for S1AP in the master branch is v13.1.0 from 2015-12, so it's the latest available on the 3GPP web site as of today.

What is your issue exactly? You have some raw value that does not get interpreted? The decoding is wrong? The best way to move forward is probably to file a bug on our Bugzilla tracking system with a sample pcap attached and a description of your issue.

answered 24 Mar '16, 01:48

Pascal Quantin

Hi,

Thank you very much for your response. In a specific S1AP message, there is a new field added in the packet, which is not correctly decoded by Wireshark. This field is shown as "Item 7: unknown(195)", which is not the correct name. Of course subfields of that field are not displayed correctly either.

I had the same issue with some Diameter fields, but overcame it by modifying the dictionary.xml file.

(24 Mar '16, 01:59) SotirisAnt

So could you share the pcap?

(24 Mar '16, 02:33) Pascal Quantin

The issue was further discussed in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12286 and the Wireshark version used was not using S1AP v13.1.0 but v12.2.0, which does not support ProSe IEs.

The Wireshark 2.1.0 development tree decodes the message properly.

(24 Mar '16, 06:09) Pascal Quantin