This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ieee 1722.1 dissect regression

0

It seems that newer versions of Wireshark do not dissect/display avdecc/ieee 1722.1 packets. Only the 1722 part of the packets is shown in the newer versions.

Versions tested:
works: 1.12.13 (compiled from source), 1.10.6 (windows)
doesn't work: 2.2.3 (compiled from source), 2.2.3 (ubuntu 14.04)

Using tshark the old version displays:
5 3.703944766 Ieee1722_01:00:00 CadmusCo_e7:27:77 DISCONNECT_RX_COMMAND IEEE1722-1 AVDECC Connection Management Protocol
While the new version displays:
5 3.703944766 Ieee1722_01:00:00 PcsSyste_e7:27:77 IEEE1722 AVB Transportation Protocol

How can I enable the dissection in the new version? IEEE1722.1 is enabled in the list of enabled protocols. There is no option to force decoding as IEEE1722.1.

relevant packet capture
tshark-1.12.13 -r ~/avdecc.pcapng -T text -V > tshark_old.txt
tshark-2.2.3 -r ~/avdecc.pcapng -T text -V > tshark_new.txt

asked 10 Jan '17, 04:23

leon1234

edited 10 Jan '17, 05:47

We'll need a capture file to investigate. Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, Dropbox etc.? Edit your question with a link to the capture.

(10 Jan '17, 04:45) grahamb ♦

Thanks. I've added the relevant dissections as well.

(10 Jan '17, 05:49) leon1234

One Answer:

1

As the dissection of IEEE1722 has been "improved" so that the message type is now an element of dissection rather than text added to the tree, tshark output no longer shows the text you were looking for.

You can fix this by inspecting the packet in the Wireshark GUI (using the default profile), selecting the IEEE 1722.1 Message Type field, right-clicking and selecting "Apply As Column". Running tshark now gives me:

5 3.703944766 PcsCompu_e7:27:77 → Ieee1722_01:00:00 IEEE1722-1 70 DISCONNECT_RX_COMMAND AVDECC Connection Management Protocol

You could also use the tshark -T fields -e ieee17221.message_type -e ... options to print out the exact fields you require, but this shows the field numeric value, not the text equivalent.

Note: I'm using 2.3.0, i.e. a dev build.

answered 10 Jan '17, 06:32

grahamb ♦

There is no "IEEE 1722.1 Message Type" field to select in the new GUI. Setting the filter to ieee17221.message_type results in no packets being displayed.

Using tshark -r ~/avdecc.pcapng -T fields -e ieee17221.message_type shows the expected message type using the old version but just blank lines using the new version.

It seems that I'll have to use the dev build or an ancient version together with multiple -e options. This seems wrong given the nice -T json output available for other packets. Should I file a bug report?

(10 Jan '17, 23:10) leon1234

I think it would be best to try a dev build first. Changes to the stable release are meant to be bugfixes only and this falls in a grey area.

If the dev build doesn't produce the required output, then definitely file a bug report.

IMHO I think the dev dissection is wrong, as the info column is showing the IEEE 1722 protocol subtype instead of the IEEE 1722.1 message type. I thought the info column should show the "highest" protocol seen, e.g. an HTTP GET, not a TCP frame, but I've no experience with this protocol so can't really say what would be useful.

(11 Jan '17, 02:49) grahamb ♦

The dev build Version 2.3.0 (v2.3.0rc0-2014-gf8dc234) gave me exactly the output I was looking for.

Thanks for the help.

(12 Jan '17, 06:50) leon1234