Wireshark-dev: Re: [Wireshark-dev] extracting isup payload from sigtran / ss7 packets
From: Cristian Constantin <const.crist@xxxxxxxxxxxxxx>
Date: Thu, 4 Apr 2013 16:17:20 +0200
On Thu, Apr 4, 2013 at 3:59 PM, Cristian Constantin
<const.crist@xxxxxxxxxxxxxx> wrote:
>
> On Fri, Mar 29, 2013 at 6:19 AM, Hadriel Kaplan <HKaplan@xxxxxxxxxxxxxx> wrote:
>>
>>
>> Hi Cristian - thanks for example script!
>> Comments inline...
>>
>>
>> On Mar 20, 2013, at 1:11 PM, Cristian Constantin <const.crist@xxxxxxxxxxxxxx> wrote:
>>
>> > hi!
>> > I attach a lua script that can extract and dump in a separate file
>> > isup payloads from either sigtran or ss7 packets.
>>
>> Do you have a sample capture file to test it against?  The only ones I have with ISUP don't have the data tag you're exporting.
>
>
> cristian: you mean the pcap has sigtran packets and the test for the m3ua tag number fails?
> I could make the tag number configurable...
>
>
cristian: I have checked the m3ua rfc again.

http://tools.ietf.org/html/rfc4666#section-3.3.1

      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        Tag = 0x0210           |             Length            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      \                                                               \
      /                        Protocol Data                          /
      \                                                               \
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

[...]

   Protocol Data: variable length

      The Protocol Data parameter contains the original SS7 MTP3
      message, including the Service Information Octet and Routing
      Label.
      The Protocol Data parameter contains the following fields:

         Service Indicator
         Network Indicator
         Message Priority

         Destination Point Code
         Originating Point Code

         Signalling Link Selection Code (SLS)

         User Protocol Data, which includes

            MTP3-User protocol elements (e.g., ISUP, SCCP, or TUP
            parameters)


as far as I can tell one can have isup only in protocol data tags.

the script is also testing for isup data inside the m3ua protocol data
like this:

local m3ua_param_si = Field.new("m3ua.protocol_data_si")
local si = m3ua_param_si()
local si_number = tonumber(tostring(si))
-- check if this is ISUP data
if(tonumber(si_number)==5) then
...


either the script does not properly handle some cases or your pcap
does not have isup in the m3ua protocol data (??).

cristian