This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ISUP/BICC filtering by field in a Lua script

0

Hi.

I've been writing a Lua script to filter ISUP/BICC packets containing certain fields. In pseudo-code:

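local f = Field.new(f_name)
...
local tap = Listener.new()

function tap.packet(pinfo, tvb)
    ...
    -- calling the extractor returns the field's FieldInfo, or nil when the packet lacks it
    if f() ~= nil then
        ...
    end
end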

where f_name is the Wireshark display filter expression for the given field.

This approach generally works, but some of the fields in my list (“CONNECTED NUMBER”, “ORIGINAL CALLED NUMBER”, “REDIRECTION NUMBER”) do not appear to be associated with a display filter.

The same goes for the RANAP/BSSAP protocols (“RP-Originating Address”, “RP-Destination Address”, “Calling Party BCD number”, “Called party BCD number”).

What do you suggest I do?

asked 12 Apr '16, 01:55

angian


One Answer:

1

Looking at the ISUP dissector source code it appears that while the dissector does decode the parameters you list it does not put the whole number in a single field; see for example the dissect_isup_connected_number_parameter() function. Compare that function to, say, dissect_isup_calling_party_number_parameter() which, at the end of the function, does a proto_tree_add_string() on the complete number (thus making the called digits a filterable field).

I'd suggest opening a bug report to have these fields added as actual fields; there was recently a lot of work done to avoid this problem (by getting rid of the proto_tree_add_text() function) but these ISUP parameters escaped notice presumably due to the use of a subtree with proto_tree_append_text().

I can't really comment on the RANAP/BSSAP part of the question.

answered 12 Apr '16, 06:32

JeffMorriss ♦

1

For completeness: bug 12334 was opened.

(12 Apr '16, 07:52) JeffMorriss ♦
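
A tap script along the lines discussed in this thread, as an added example that is not part of the original question or answer. It assumes `isup.calling` and `isup.called` as the registered filter fields to look for, and uses `isup.example_unregistered` as a made-up placeholder for a parameter that is decoded without a filterable field; the script and capture file names in the comment are also placeholders.

```lua
-- Added example. Run with:
--   tshark -q -r capture.pcap -X lua_script:isup_fields.lua
-- "isup.example_unregistered" is a made-up placeholder name, not a real field.
local wanted = { "isup.calling", "isup.called", "isup.example_unregistered" }

local extractors = {}   -- filter name -> Field extractor
local hits = {}         -- filter name -> number of packets carrying the field

-- Field.new() raises an error for a name that is not a registered field,
-- and it has to be called at script load time, not inside the tap callback.
for _, name in ipairs(wanted) do
    local ok, field = pcall(Field.new, name)
    if ok then
        extractors[name] = field
        hits[name] = 0
    else
        print("no filterable field named " .. name .. ", skipping")
    end
end

-- Only hand ISUP/BICC packets to the tap.
local tap = Listener.new("frame", "isup || bicc")

function tap.packet(pinfo, tvb)
    for name, field in pairs(extractors) do
        -- Calling the extractor returns every FieldInfo for this packet,
        -- or nothing at all when the field is absent.
        local infos = { field() }
        if #infos > 0 then
            hits[name] = hits[name] + 1
            for _, fi in ipairs(infos) do
                print(pinfo.number, name, tostring(fi))
            end
        end
    end
end

-- Called once at the end of the capture in tshark.
function tap.draw()
    for name, count in pairs(hits) do
        print(name .. ": " .. count .. " packet(s)")
    end
end

function tap.reset()
    for name in pairs(hits) do hits[name] = 0 end
end
```

Names reported as skipped are the ones the dissector does not register as fields, which is the case the answer describes for the connected, original called and redirection numbers.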