asked 06 Oct '17, 12:18
edited 06 Oct '17, 18:57
DLT 162 is USER_15, that is what the file says. That is one step, now Wireshark knows what it is, a user defined encapsulation. What it doesn't know is how to dissect that, because it doesn't know about this user-defined encapsulation, unless you tell it.
That is where the DLT_USER protocol preference comes in. If you look that up in the Wireshark preferences you'll see that you can edit the Encapsulation table. This table lets you define how to dissect user encapsulations.
It starts off with the DLT you use, then the protocol the data should be dissected as.
If your protocol data is wrapped inside a header and/or trailer these can be dissected as well, but these are a bit more exotic situations.
answered 07 Oct '17, 00:56
Thank you. It appears to happen on windows 10.
(09 Oct '17, 08:43) pagan_barr
It's not really clear (at least to me) from your reaction whether you can see the dissected GSM protocol or not after following @Jaap's advice. If not, does your repeated mentioning of Windows 10 mean that you've tried on other OSes as well (other Windows than 10, Linux, Mac OS) and the same pcap file was dissected fine there?
(09 Oct '17, 10:27) sindy
You need to know and configure what protocol should be decoded as user dlt 15. In the user dlt preferences.
DLT USER 15
Did you capture this on the Windows 10 machine?
If so, how did you capture it?
If not, on what machine was it captured, and with what software was it captured? There's no standard for encapsulating GSM packets, so Wireshark might, or might not, be able to be told to decode the traffic as GSM packets, depending on how the packets are encapsulated.