vb.net lte-rrc.bcch.dl.sch dissector HELP

hi grahamb, yes you are right. This output of NQDI (SwissQual tool) and my goal is to use text2pcap+tshark in order to visualize output with my tool as I have so many hex messages like one reported before. Anymore I tried to convert to pcap HEX string reported above without success. Any Suggestion?

hi Sindy, it's exactly I want to do. But I need still your help :) I created in Preference User0 (DLT=147) with Payload protocol lte-rrc.bcch.dl.sch. Afterwards I created example.txt as follow: 000000 00 01 03 27 63 8D DA A4 05 26 D0 73 90 19 00 00 80 48 17 55 A2 A8 2F 62 35 F5 06 0C 000000 Then I launched command: text2pcap example.txt -l USER0 example.pcap and this is output: Input from: example.txt Output to: example.pcap Output format: PCAP Wrote packet of 28 bytes. Read 1 potential packet, wrote 1 packet (68 bytes).

Then I launched: tshark -r example.pcap but I cannot see wht you posted: C:\Program Files\Wireshark>tshark -r example.pcap 1 0.000000 N/A -> N/A N/A 28 Null/Loopback

What is my error? Can I append more HEX in same file in order to obtain a single pcap file and read more BCCH System Information? Thank in advanced Gio

Did you look at the links I gave? https://ask.wireshark.org/questions/28735/decode-sms-bearer-data-hex-string and https://ask.wireshark.org/questions/24474/user_dlt-option-in-tshark are explaining you how to achieve this with the command-line.

Hi Pascal, now I converted example pcap corretly and I can see all IEs with Wireshark. I use your input as follow:

tshark.exe -o "uat:user_dlts:\"User 0 (DLT=147)\",\"lte-rrc.bcch.dl.sch\",\"0\",\"\",\"0\",\"\"" example.pcap

But I obtained error:

Capturing on 'Network wireless 3'
tshark: Invalid capture filter "example.pcap" for interface 'Network wireless 3'.
That string isn't a valid capture filter (syntax error).
See the User's Guide for a description of the capture filter syntax.
0 packets captured

Why? Thank in advanced

that would be because you haven’t specified a -r before the name of the file, so the file name was interpreted as an (invalid) capture filter and instead tshark started capturing on the first available physical interface which happened to be “Network wireless 3”.

Sorry but I’m really a newbie!! with command:

C:\Program Files\Wireshark>tshark.exe -o "uat:user_dlts:"User 0 (DLT=147)","lte-rrc.bcch.dl.sch","0","","0",""" -r example.pcap

Output is: 1 0.000000 -> 28 SystemInformation [ SIB2 ]

But I wolud like to see all IEs

This would have been my answer had Pascal not overtaken me ;-)

You need another option, -V (without any parameters) which makes tshark print the complete dissection of each frame instead of the overview “single line per frame” format which is the default one.

And to answer your sub-question,

Can I append more HEX in same file in order to obtain a single pcap file and read more BCCH System Information?

Sure you can - you convert each frame exactly the same way as described earlier, one frame per line, and put the 00000 as the very last line.

But I haven’t mentioned this initially as I’ve obtained an impression that you wanted to use text2pcap and tshark in a chain as an external dissector you would call from your application. And with -V, each input frame gets converted to a variable number of lines rather than a single one.

So if it is enough for you to record a test run, convert it to pcap as a whole, and use Wireshark for analysis, creation of a single hex dump file is the best approach; if you want to browse the dissected packets using your own application (losing all the power of Wireshark filters), then a single file per frame is better.

using line command

C:\Program Files\Wireshark>tshark.exe -o "uat:user_dlts:"User 0 (DLT=147)","lte-rrc.bcch.dl.sch","0","","0",""" -r -v example.pcap
tshark: "example.pcap" is neither a field nor a protocol name.

Yes, You are right. I want to save into file txt or xml output obtained by tshark in prompts. So I can select two options: first is to visualize all SIB2 or better extract a single IE like ReferenceSignalPower

GREAT!!! Work fine!!! thanks to all!!!

Well, if you can go for xml, then the right way is to replace -V with -T pdml (pdml = Packet Details xML). But beware, it almost expands each bit of the frame into a line of text (exaggerating of course, but not too much).

while if it is really enough for you to extract a single protocol field (in Wireshark vernacular) or a single IE (in SS7 vernacular) per frame, then -T fields -e field.name instead of the -V is your best choice.

Wow, is it possible to extract directly a single IE? I tried to extract referenceSignalPower without success :(

C:\Program Files\Wireshark>tshark.exe -o "uat:user_dlts:"User 0 (DLT=147)","lte-rrc.bcch.dl.sch","0","","0",""" -r example.pcap -T fields -e field.referenceSignalPower
tshark: Some fields aren't valid:
field.referenceSignalPower

Sorry Sindi, when I use command line -e lte.rrc.t300 output of tshark is 1 but reading from wireshark t300 is ms200 (1) So I’m wondering if it is possible to visualize directly ms200 and not 1. Thanks in advanced gio

This is more a question for either the author of the particular dissector or the author of the common output wrappers.

A similar difference between Wireshark and tshark output can be observed now and then for various fields of various protocols. As I am just a power user, not a developer, I am not deep enough into the subject to be able to explain why this happens for some fields and doesn’t for others.

So I’d recommend you to file a bug at Wireshark bugzilla.

The workaround for you is to translate the encoded values into time units yourself (1 = 200 ms, 2 = ?, …)