Wireshark-users: Re: [Wireshark-users] Hex Stream Decode (SCCP)
From: "Abhik Sarkar" <sarkar.abhik@xxxxxxxxx>
Date: Tue, 22 Jul 2008 11:11:46 +0400
Hi!
Looking at the dump it looks like messageDump is not an SCCP
message, but SCCP payload (a MAP returnError). To decode this...
Step 1) In a plain text file, put the dump as in the following line:
0000 83 28 22 82 d8 09 01 03 0e 19 0b 12 [... and so on until the end
of the dump with the 'H in the end, with a space in the end before the
EOL and a space in between every byte]
Step 2) text2pcap -l 150 pdu.txt pdu.cap
Step 3) In Wireshark (version 1.0.x), before opening the file, go to
Edit > Preferences > Protocols > DLT_USER > Edit > New
Add a mapping for DLT 150 to payload_proto "gsm_map"... save and close
all dialog.
Step 4) Now, open the generated capture file.
Good luck!
Abhik.
On Tue, Jul 22, 2008 at 10:31 AM, Hoosain Madhi <madhih@xxxxxxxxxxxxx> wrote:
> Good day
>
> We are trying to decode a HEX stream that is part of a Q3 message generated on
> a Siemens STP (SSNC). The output in Q3 format is shown below. The part that
> we are interested in is the messageDump reproduced below for convenience. The
> dump is in hex format and is actually an SCCP message. We need to decode
> this message in a human readable format.
>
> 1. Any idea on how to convert to a format that Wireshark will understand?
> 2. This message may require a dummy MTP layer to be added.
> 3. Commercial protocol analyzers require a 00000F appended to the beginning
> of the message.
>
>
> messageDump
> '83282282d80901030e190b12080011044326926911010b1206001
> 1047228191063065d645b49045bba830a6b2a2828060700118605010101a01d611b80020780a109060704000001001403a203020100a305a10302010
> 06c27a225020101302002012d301b040856058123002025f9a00f8107917228194040f704040001a115'H,
>
> --
> Hoosain Madhi
> Network Quality - Service Assurance
> Group Mobile Engineering
> Vodacom
>
>
>
> Output in Q3 format
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> M-GET CONFIRMATION
> (
> INVOKE IDENTIFIER
> 158,
> LINKED IDENTIFIER
> 2,
> MANAGED OBJECT CLASS
> alarmRecord,
> MANAGED OBJECT INSTANCE
> {
> logId = string :
> "SCCP_FAI_0",
> logRecordId = number :
> 59633
>
> },
> CURRENT TIME
> "20080701142851",
> ATTRIBUTE LIST
> {
> objectClass
> alarmRecord,
> nameBinding
> logRecord-log,
> managedObjectClass
> sccpErrorPerformance,
> managedObjectInstance
> {
> communicationsEntityId =
> "sccp",
> scrcId = string :
> "scrc",
> sccpLinkageId = number :
> 0,
> scannerId =
> 3
>
> },
> eventType
> qualityofServiceAlarm,
> eventTime
> "20080701134000",
> logRecordId number :
> 59633,
> loggingTime
> "20080701134000",
> packages
> {
>
> thresholdInfoPackage,
> GAAGDA1C.additionalInformationPackage,
> eventTimePackage
>
> },
> probableCause
> noRuleForAddress,
> perceivedSeverity
> warning,
> thresholdInfo
> {
> triggeredThreshold
> noTranslForSpecificAddress,
> observedValue integer :
> 1
>
> },
> additionalInformation
> {
>
> {
> identifier
> firstAndIntervalEventInfo,
> information
> FirstAndIntervalEventInfo : {
> sccpLinkageLocalName
> "LOC-NAT0-N1",
> sccpRoutingDomainName
> "SRIforSM ",
> calledPartyAddress
> {
> addressIndicator
> {
> routingIndicator
> routeOnGt,
> globalTitleIndicator
> ttNpEsNa,
> ssnIndicator
> TRUE,
> pointCodeIndicator
> FALSE
>
> },
> addressField
> {
> ssn
> 8,
> globalTitle
> {
>
> gtTranslationType gtTT : 0,
>
> gtNumberingPlan gtNP : iSDNTNP,
>
> gtNatureOfAddress gtNoA : international,
>
> gtEncodingScheme gtES : bcdODD,
>
> gtAddressInformation {
> '0011'B,
> '0100'B, '0110'B, '0010'B, '0010'B, '1001'B,
> '1001'B,
> '0110'B, '0001'B, '0001'B, '0001'B
>
> }
>
> }
>
> }
>
> },
> callingPartyAddress
> {
> addressIndicator
> {
> routingIndicator
> routeOnGt,
> globalTitleIndicator
> ttNpEsNa,
> ssnIndicator
> TRUE,
> pointCodeIndicator
> FALSE
>
> },
> addressField
> {
> ssn
> 6,
> globalTitle
> {
>
> gtTranslationType gtTT : 0,
>
> gtNumberingPlan gtNP : iSDNTNP,
>
> gtNatureOfAddress gtNoA : international,
>
> gtEncodingScheme gtES : bcdODD,
>
> gtAddressInformation {
> '0010'B,
> '0111'B, '1000'B, '0010'B, '1001'B, '0001'B,
> '0000'B,
> '0001'B, '0011'B, '0110'B, '0110'B
>
> }
>
> }
>
> }
>
> },
> dpc
> {
> pointCode bit14 :
> 8744,
> netId
> 1
>
> },
> opc
> {
> pointCode bit14 :
> 8712,
> netId
> 1
>
> },
> ssn
> 8,
> messageDump
> '83282282d80901030e190b12080011044326926911010b1206001
> 1047228191063065d645b49045bba830a6b2a2828060700118605010101a01d611b80020780a109060704000001001403a203020100a305a10302010
> 06c27a225020101302002012d301b040856058123002025f9a00f8107917228194040f704040001a115'H,
> siteId "MP
> -27 ",
> userCode
> 2004126
>
> }
>
> }
>
> }
>
> }
> )
>
>
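Steps 1 and 2 of the reply above can be scripted. The following Python is an added example, not part of the original thread; `parse_hstring`, `to_text2pcap` and `to_pcap` are names made up here. It turns the quoted messageDump into text2pcap input (16 bytes per line rather than the single line the reply describes) and, going beyond the reply, also builds a one-packet pcap with link type 150 directly.

```python
import re
import struct

# messageDump copied from the quoted Q3 output: an ASN.1-style hex string
# ('...'H) that the mail client wrapped across three lines.
MESSAGE_DUMP = """'83282282d80901030e190b12080011044326926911010b1206001
1047228191063065d645b49045bba830a6b2a2828060700118605010101a01d611b80020780a109060704000001001403a203020100a305a10302010
06c27a225020101302002012d301b040856058123002025f9a00f8107917228194040f704040001a115'H,"""


def parse_hstring(text):
    """Return the bytes of a '...'H hex string, ignoring line wraps and '>' quoting."""
    m = re.search(r"'([0-9A-Fa-f\s>]*)'H", text)
    if not m:
        raise ValueError("no '...'H hex string found")
    digits = re.sub(r"[\s>]", "", m.group(1))
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: dump is truncated or mis-pasted")
    return bytes.fromhex(digits)


def to_text2pcap(data, width=16):
    """Format bytes as text2pcap input: hex offset, then space-separated bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append("%04x %s " % (off, " ".join("%02x" % b for b in chunk)))
    return "\n".join(lines) + "\n"


def to_pcap(data, linktype=150, ts_sec=0):
    """Build a one-packet classic pcap file in memory with the given link type."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, network.
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    record_hdr = struct.pack("<IIII", ts_sec, 0, len(data), len(data))
    return global_hdr + record_hdr + data


if __name__ == "__main__":
    pdu = parse_hstring(MESSAGE_DUMP)
    with open("pdu.txt", "w") as f:          # input for: text2pcap -l 150 pdu.txt pdu.cap
        f.write(to_text2pcap(pdu))
    with open("pdu-direct.cap", "wb") as f:  # assumed file name; skips text2pcap
        f.write(to_pcap(pdu))
```

Either capture file still needs the DLT 150 mapping from step 3 before Wireshark will dissect it.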