Hi, I have a trace in which there is no SSN present. Hence Wireshark fails to decode the upper layers of the SCCP users (TCAP). Would it be possible to manually decode the TCAP portion? Thanks
asked 16 Dec '11, 04:52 chathura edited 16 Dec '11, 06:33
One Answer:
Modern (1.6.0 and later, IIRC) versions of Wireshark have a "default payload" SCCP preference. Just type "tcap" here and the SCCP dissector will hand the payload to TCAP even when there's no SSN.
answered 16 Dec '11, 07:11 JeffMorriss ♦
Hi, I have already set the default payload to TCAP in the 1.6.4 Wireshark version and I still see the data portion not decoded. Following is a sample bit stream I am trying to decode.
Any help please?
17:19:51,183,649 ETHER |0 |00|a0|a5|68|08|9a|00|00|5e|00|01|03|08|00|45|00|00|b0|c0|9b|40|00|fc|84|1d|5d|cc|1c|ef|08|0c|47|d8|64|5a|64|0b|59|5a|bc|f5|bd|88|22|14|fe|00|03|00|90|00|00|04|bb|00|01|00|16|00|00|00|03|01|00|01|01|00|00|00|80|00|06|00|08|00|00|00|01|02|10|00|6e|00|ee|01|00|00|05|42|1b|03|02|01|ed|09|81|03|0c|15|09|c9|06|0a|91|02|07|87|00|06|09|89|95|0a|41|40|27|95|19|04|44|62|42|48|04|cd|13|02|01|6b|1e|28|1c|06|07|00|11|86|05|01|01|01|a0|11|60|0f|80|02|07|80|a1|09|06|07|04|00|00|01|00|0e|03|6c|1a|a1|18|02|01|01|02|01|38|30|10|80|08|13|60|04|01|51|86|66|f6|02|01|03|83|01|01|00|00|
Thanks
(I converted your "answer" into a "comment".)
Can you paste a text2pcap-friendly version of that packet?
Can I assume that it IS decoding up to the SCCP layer, just not TCAP and higher?
Hi, it's working now. You need to type it in using lower case (tcap) and only then it works. I typed TCAP in uppercase and couldn't see the upper layers getting decoded.
Thanks for the quick response, appreciate it.
If the answer answered your question, don't forget to stop by and mark it as Accepted.
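On the request in the thread for a text2pcap-friendly version of the packet: the following is an added example, not part of the original thread, that converts a pipe-delimited dump line of the layout shown above into the offset-plus-hex-bytes text that text2pcap reads. It assumes the first field after `ETHER` (the `0 `) is an offset rather than packet data; the function names and the sample line are constructed for illustration.

```python
import re

# Constructed sample in the same layout as the dump posted in the thread:
# "<timestamp> ETHER |<offset> |<byte>|<byte>|...|". It is not the thread's packet.
SAMPLE = ("17:19:51,183,649 ETHER |0 |02|00|00|00|00|01|02|00|00|00|00|02|"
          "08|00|45|00|00|1c|00|01|")

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_pipe_dump(line):
    """Return the packet bytes carried in one pipe-delimited dump line."""
    _header, sep, rest = line.strip().partition("|")
    if not sep:
        raise ValueError("no '|' separator found in dump line")
    fields = [f.strip() for f in rest.split("|")]
    # Assumption: the first field is an offset marker, not a data byte.
    fields = fields[1:]
    # The line ends with a '|', which leaves an empty trailing field.
    while fields and fields[-1] == "":
        fields.pop()
    for index, field in enumerate(fields):
        if not HEX_BYTE.match(field):
            # Refuse to guess: a bad field would shift every later byte.
            raise ValueError(f"field {index} is not a hex byte: {field!r}")
    return bytes(int(field, 16) for field in fields)


def to_text2pcap(data, width=16):
    """Format bytes as hex-dump text: six-digit hex offset, then the bytes."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        lines.append(f"{offset:06x} " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_text2pcap(parse_pipe_dump(SAMPLE)), end="")
```

Save the output to a file and pass it to text2pcap as the input file, with the capture file to write as the second argument.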