This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Convert the raw data inside Wireshark ?

0

We are planning to make a solution on our Telecom system, that would monitor the signalling messages (e.g. RANAP/CC/MM/SMS, BICC, H..248, MAP, ISUP, INAP/CAP, etc.), which belongs to specific transactions and after post-processing those would be checked in Wireshark.

The raw monitoring data will be stored in the form as they captured from the system, which means

• all the type of signaling data that were involved in the transaction would be in the same monitoring file;

• The monitoring will contain the signaling messages on application layer level, thus all of the layer below the application layer shall be dummy layer, meaning that layer 2 – layer 4 headers and data shall be faked.

My question related to this are the following:

  • Is it a requirement in Wireshark that the messages shall be first sorted out by protocol type into separate files or there could be one file, which contains all the protocol messages ?
  • Could the conversion of raw data into pcap format - and faking the underlayers - be implemented in Wireshark - e.g. as an add-in or part of the dissector ?

Thanks !

asked 25 Jan '12, 00:52

BEGINNER's gravatar image

BEGINNER
1111
accept rate: 0%


One Answer:

0
  1. Wireshark can work out protocol types on its own. Fire it up on your desktop network connection and see the mayhem of mixed protocol message flows. Not a problem.
  2. There are two options to import raw data into Wireshark. There's the command line tool text2pcap, and the GUI import feature. Both can do the same, faking the lower layers. Make sure to read the text2pcap manual page to get an idea of the required input format.

answered 25 Jan '12, 02:29

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Thank you !

Still I have further questions:

As the encapsulation type is common - and at at least in the GUI it is not optional - that means that still the protocol types in a source file shall be separated by the type of lower layer used. Is it correct ?

And as I see the dummy layers can be added only for IP, but not for SS7 for example. Has Wireshark solution for faking the lower layers in case of SS7 ?

Thanks !

(27 Jan '12, 04:32) BEGINNER