This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark cannot dissect MMS packets that don’t begin with Initiate

1

If Wireshark captures packets after Initiate Service (such as Initiate-Request and Initiate-Response), Wireshark dissects the message down to ISO8823 OSI Presentation Protocol, but the presentation data can't be decoded as MMS. How do I get the MMS portion to decode properly?

Network packet:

0000   aa c0 a8 06 c8 aa 00 21 70 6b 0c 67 08 00 45 00  .......!pk.g..E.
0010   00 67 2f bc 40 00 80 06 42 88 c0 a8 03 34 c0 a8  .g/[email protected]
0020   03 c8 0f 75 00 66 2c 00 28 24 ad d8 00 da 50 18  ...u.f,.($....P.
0030   fa e3 88 a6 00 00 03 00 00 3f 02 f0 80 01 00 01  .........?......
0040   00 61 32 30 30 02 01 03 a0 2b a0 29 02 02 01 b5  .a200....+.)....
0050   a4 23 a1 21 a0 1f 30 1d a0 1b a1 19 1a 09 44 45  .#.!..0.......DE
0060   50 35 30 30 4e 53 52 1a 0c 4c 4c 4e 30 24 53 50  P500NSR..LLN0$SP
0070   24 53 47 43 42                                   $SGCB

Dissection result from Wireshark 1.2.9:

ISO 8823 OSI Presentation Protocol
  user-data: fully-encoded-data (1)
    fully-encoded-data: 1 item
      PDV-list
        presentation-context-identifier: 3
      presentation-data-values: single-ASN1-type (0)
        dissector is not available
          Expert Info (Warn/Undecoded): Dissector is not available
            Message: Dissector is not available
            Severity level: Warn
            Group: Undecoded
          single-ASN1-type: A029020201B5A423A121A01F301DA01BA1191A0944455035...

asked 12 Sep '11, 19:21

ylda_ljm0620's gravatar image

ylda_ljm0620
31101013
accept rate: 0%

edited 12 Sep '11, 23:28

helloworld's gravatar image

helloworld
3.1k42041

One Answer:

1

Hi, That is because there is nothing in that packet saying what the data is except the presentation-context-identifier, to know what the presentation-context is the setup information is needed. It might be possible to create "decode as" functionality but no one has written code to do that yet. Regards Anders

answered 12 Sep '11, 21:28

Anders's gravatar image

Anders ♦
4.6k952
accept rate: 17%

re:to know what the presentation-context is the setup information is needed

thanks, but what is your mean? about what setup information?

additonally, mms-ethereal can dissect that packet the same as before. why wireshark (any version) can not?

(12 Sep '11, 21:56) ylda_ljm0620

The information in "initiate-request and initiate-response" is needed to know what the presentation conext is. I would guess that it worked earlier at the expence of some other protocol, missinterpreating someting as MMS.

(12 Sep '11, 22:28) Anders ♦

(please use "add a comment" instead of adding a new answer when responding, see the FAQ for details)

(12 Sep '11, 22:36) SYN-bit ♦♦

sorry, i will add a comment.

initiate-request and initiate-response" means Initiate-RequestPDU and Initiate-ResponsePDU in ISO/FDIS 9506-2.

(12 Sep '11, 23:50) ylda_ljm0620

when 61850 server associates to 61850 client, they have MMS packets, just Initiate-RequestPDU and Initiate-ResponsePDU.

if wireshar is started and captures firstly, and then 61850 server associates to 61850 client, the presentation data can be decoded as MMS.

if 61850 server associates to 61850 client firstly, and then wireshar is started and captures, the presentation data can't be decoded as MMS.

(12 Sep '11, 23:50) ylda_ljm0620

I am sorry. "add a comment" can not let me write follows. so i answer again.

mms-ethereal disscets as :

ISO 8823 OSI Presentation Protocol
  user-data: fully-encoded-data (1)
    fully-encoded-data: 1 item
      Item
        presentation-context-identifier: 3
        presentation-data-values: single-ASN1-type (0)
ISO/IEC 9506 MMS
  Conf Request (0)
  Read (4)
  InvokeID: InvokeID:  437
  Read
        List of Variable
                VariableSpecification
                          Object Name
                                      Domain Specific 
                DomainName:  
                  DomainName: DEP500NSR
                ItemName:  
                  ItemName: LLN0$SP$SGCB

but wireshark1.2.9 dissects as before.
(13 Sep ‘11, 00:01) ylda_ljm0620

Sonds lik eyou should open up a bug report and attach the two examples e.g the one working and the one when it’s not working

(13 Sep ‘11, 05:45) Anders ♦
3

Hi, Go to Edit->preferences->protocol->PRES and edit the users context tale

enter context = 3 and OID = 1.0.9506.2.3 and your trace will be dissected as MMS.

(13 Sep ‘11, 06:39) Anders ♦

Thanks. it works in wireshark interface.

but how to set parameters of “tshark” if i hope to use thark to convert mms packet as before to text.(like the result of ‘enter context = 3 and OID = 1.0.9506.2.3’)

if enter “tshark -r d:sg1.pcap -V -T text > d:sg1.txt”, it will appear “single-ASN1-type: A029020201B5A423A121A01F301DA01BA1191A0944455035…” in text.

(14 Sep ‘11, 01:42) ylda_ljm0620

I think once you set the setting in the wireshark gui, the tshark interface will pick up those changes, as long as you are the same user. I’m on linux and that is what happens for me. But i think you should be able to access that table from tshark directly, but I don’t know the syntax

(14 Sep ‘11, 12:57) iondiode
showing 5 of 10 show 5 more comments