I think the problem is that the packets are encrypted:
FCS: 0x3624af (incorrect, maybe due to ciphering, calculated 0xb5c834)
[...]
.... .... .... ..1. = E bit: encrypted frame
The GPRS-LLC dissector does not hand the payload off to the next
dissector when this is the case.
I suppose in your other (PCAP) captures the data is not encrypted and/or
the checksums are correct.
Marc Lebas wrote:
Hello Jeff,
Enclosed is a small capture file (99 records, 27Kb).
i can provide you with a bigger file if this excerpt does not contain IP frames.
Marc
-----Message d'origine-----
De : wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] De la part de Jeff Morriss
Envoyé : vendredi 27 février 2009 15:53
À : Developer support list for Wireshark
Objet : Re: [Wireshark-dev] decoding depth & capture format
Marc Lebas wrote:
Hello,
Maybe its a User question but that could be a dev issue; anyway there
was no answer to my question on the User's mailing list.
The issue : i got different depth in decoding (GPRS over FR),
depending on the capture file format :
With rf5, the analysis is limited to GPRS protocol layers, but never
decode IP which is the encapsulated protocol.
With libpcap, it is OK; Wireshark go deeper as it is able to decode
encapsulated IP frames in GPRS frames.
Why such a behaviour ? Did i missed something in my config ?
Here is my config on Linux (but the issue is the same on Windows) :
- preferences : fr.encap: GPRS Network Service
- cat k12_protos : "gprs_gb","fr"
Not having ever looked at a GPRS capture in Wireshark, I don't know.
(Small) sample captures would help.
