Wireshark-dev: Re: [Wireshark-dev] extracting isup payload from sigtran / ss7 packets
On Thu, Apr 4, 2013 at 3:59 PM, Cristian Constantin
<const.crist@xxxxxxxxxxxxxx> wrote:
>
> On Fri, Mar 29, 2013 at 6:19 AM, Hadriel Kaplan <HKaplan@xxxxxxxxxxxxxx> wrote:
>>
>>
>> Hi Cristian - thanks for example script!
>> Comments inline...
>>
>>
>> On Mar 20, 2013, at 1:11 PM, Cristian Constantin <const.crist@xxxxxxxxxxxxxx> wrote:
>>
>> > hi!
>> > I attach a lua script that can extract and dump in a separate file
>> > isup payloads from either sigtran or ss7 packets.
>>
>> Do you have a sample capture file to test it against? The only ones I have with ISUP don't have the data tag you're exporting.
>
>
> cristian: you mean the pcap has sigtran packets and the test for the m3ua tag number fails?
> I could make the tag number configurable...
>
>
cristian: I have checked the m3ua rfc again.
http://tools.ietf.org/html/rfc4666#section-3.3.1

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Tag = 0x0210           |             Length            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   \                                                               \
   /                         Protocol Data                         /
   \                                                               \
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   [...]

   Protocol Data: variable length

      The Protocol Data parameter contains the original SS7 MTP3
      message, including the Service Information Octet and Routing
      Label.

      The Protocol Data parameter contains the following fields:

         Service Indicator
         Network Indicator
         Message Priority
         Destination Point Code
         Originating Point Code
         Signalling Link Selection Code (SLS)
         User Protocol Data, which includes
            MTP3-User protocol elements (e.g., ISUP, SCCP, or TUP
            parameters)

as far as I can tell one can have isup only in protocol data tags.
the script is also testing for isup data inside the m3ua protocol data
like this:

    local m3ua_param_si = Field.new("m3ua.protocol_data_si")
    local si = m3ua_param_si()
    local si_number = tonumber(tostring(si))
    -- check if this is ISUP data
    if(tonumber(si_number)==5) then
        ...

either the script does not properly handle some cases or your pcap
does not have isup in the m3ua protocol data (??).
cristian
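
Added example, not part of the original message or of the attached Lua script: a standalone Python parser for the RFC 4666 Protocol Data parameter (tag 0x0210) that applies the same SI == 5 test to raw M3UA bytes and rejects truncated or malformed lengths. The function names and the sample bytes are constructed for illustration, and the input is assumed to be one M3UA message already taken out of its SCTP DATA chunk.

```python
import struct

M3UA_DATA = (1, 1)          # message class Transfer, message type Payload Data
TAG_PROTOCOL_DATA = 0x0210  # RFC 4666 section 3.3.1
SI_ISUP = 5                 # MTP3 service indicator value for ISUP

def iter_params(body):
    """Yield (tag, value) for each TLV parameter, rejecting bad lengths."""
    off = 0
    while off + 4 <= len(body):
        tag, length = struct.unpack_from("!HH", body, off)
        if length < 4 or off + length > len(body):
            raise ValueError(f"bad parameter length {length} at offset {off}")
        yield tag, body[off + 4:off + length]
        off += (length + 3) & ~3  # parameters are padded to a 4-byte boundary

def extract_isup(m3ua):
    """Return the ISUP payloads (bytes) carried in one M3UA message."""
    if len(m3ua) < 8:
        raise ValueError("short M3UA common header")
    version, _, mclass, mtype, mlen = struct.unpack_from("!BBBBI", m3ua, 0)
    if version != 1 or mlen < 8 or mlen > len(m3ua):
        raise ValueError("bad M3UA common header")
    if (mclass, mtype) != M3UA_DATA:
        return []
    out = []
    for tag, value in iter_params(m3ua[8:mlen]):
        if tag != TAG_PROTOCOL_DATA:
            continue
        if len(value) < 12:
            raise ValueError("Protocol Data shorter than its fixed fields")
        # Wire order: OPC(4) DPC(4) SI(1) NI(1) MP(1) SLS(1), then user data.
        si = value[8]
        if si == SI_ISUP:
            out.append(value[12:])
    return out

def build_data(si, user_data, opc=1, dpc=2):
    """Constructed sample: M3UA DATA with a single Protocol Data parameter."""
    value = struct.pack("!IIBBBB", opc, dpc, si, 0, 0, 0) + user_data
    param = struct.pack("!HH", TAG_PROTOCOL_DATA, 4 + len(value)) + value
    param += b"\x00" * (-len(param) % 4)
    return struct.pack("!BBBBI", 1, 0, 1, 1, 8 + len(param)) + param

if __name__ == "__main__":
    isup = bytes.fromhex("0a0001")  # constructed: CIC 10, message type 0x01
    print(extract_isup(build_data(SI_ISUP, isup)))  # payload is returned
    print(extract_isup(build_data(3, isup)))        # SI 3 (SCCP): nothing extracted
```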