Wireshark · Ethereal-dev: RE: [Ethereal-dev] tethereal doesn't seem to dissect all layers

Ethereal-dev: RE: [Ethereal-dev] tethereal doesn't seem to dissect all layers

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Michael Lum" <mlum@xxxxxxxxxxxxx>

Date: Thu, 27 Nov 2003 14:48:24 -0800

The stack is:

ANSI A-i/f
BSAP
SCCP
SCCP-Lite
TCP (port 5000)

The SCCP-Lite dissector is proprietary and is built as a plugin.
All of the decodes happen automatically in ethereal (no "Decode As...").

I can see some output from the SCCP-Lite dissector, but none of the
packets that contain SCCP data.

For example, frame 58 should have 4 more layers of dissection:

 57 09:05:47.673156 10.30.109.74 -> 10.30.109.78 MGCP 200 1387 OK
 58 09:05:48.237948 10.30.109.74 -> 10.30.109.78 SCCP-Lite UP  :
 59 09:05:48.330166 10.30.109.78 -> 10.30.109.74 TCP 5000 > 1377 [ACK]
Seq=102055585 Ack=417835624 Win=24616 Len=0
 60 09:05:49.641602 10.30.109.78 -> 10.30.109.77 M2UA BEAT
 61 09:05:49.642658 10.30.109.77 -> 10.30.109.78 M2UA ERR
 62 09:05:49.644073 10.30.109.78 -> 10.30.109.77 SCTP SACK
 63 09:05:50.120304 10.30.109.74 -> 10.30.109.78 SCCP-Lite UP  :
 64 09:05:50.136048 10.30.109.78 -> 10.30.109.74 SCCP-Lite DOWN:

> -----Original Message-----
> From: Guy Harris [mailto:guy@xxxxxxxxxxxx]
> Sent: Thursday, November 27, 2003 2:20 PM
> To: Michael Lum
> Cc: Ethereal
> Subject: Re: [Ethereal-dev] tethereal doesn't seem to dissect all layers
>
>
> On Thu, Nov 27, 2003 at 02:11:29PM -0800, Michael Lum wrote:
> > Is there something special I have to do to get tethereal to
> > dissect all of the protocol layers in the same way as ethereal ?
>
> That depends on what's causing it not to do so.
>
> If you had to do a "Decode As..." to get Ethereal to dissect the
> protocol in question, you'd have to use the "-d" flag in Tethereal to
> achieve the same goal.
>
> If the dissection only occurs on the second pass through the packet(s)
> in question, then either
>
> 	1) there's a bug somewhere such that not enough information is
> 	   available in the first pass to dissect it properly
>
> or
>
> 	2) the information in question is available in the first pass,
> 	   but only *after* the packet(s) in question.
>
> In 1), you'd have to fix the bug, or supply more details so we can try
> to fix it.  In 2), you're out of luck.
>
> > I wrote a tap that is not getting called.  I don't see the protocol
> > dissection happening in tethereal.
>
> What protocol is it, and what protocols is it running atop?

Follow-Ups:
- Re: [Ethereal-dev] tethereal doesn't seem to dissect all layers
  - From: Guy Harris

References:
- Re: [Ethereal-dev] tethereal doesn't seem to dissect all layers
  - From: Guy Harris

Prev by Date: Re: [Ethereal-dev] ethereal performance
Next by Date: Re: [Ethereal-dev] tethereal doesn't seem to dissect all layers
Previous by thread: Re: [Ethereal-dev] tethereal doesn't seem to dissect all layers
Next by thread: Re: [Ethereal-dev] tethereal doesn't seem to dissect all layers
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$