Hi Abhik
Brilliant. Thank you for the guidance.
I have made the following changes:
text2pcap -l 141 pdu.txt pdu.cap
(ie. bpf.h : #define DLT_MTP2 141)
and get the following decode
--------------------------------------------------------------------------------------------------------------------------
No. Time Source Destination Protocol Info
1 2008-07-23 09:38:26.000000 8712 8744 GSM MAP returnResultLast sendRoutingInfoForSM
Frame 1 (128 bytes on wire, 128 bytes captured)
Message Transfer Part Level 3
Signalling Connection Control Part
Transaction Capabilities Application Part
GSM Mobile Application
0000 83 28 22 82 d8 09 01 03 0e 19 0b 12 08 00 11 04 .(".............
0010 43 26 92 69 11 01 0b 12 06 00 11 04 72 28 19 10 C&.i........r(..
0020 63 06 5d 64 5b 49 04 5b ba 83 0a 6b 2a 28 28 06 c.]d[I.[...k*((.
0030 07 00 11 86 05 01 01 01 a0 1d 61 1b 80 02 07 80 ..........a.....
0040 a1 09 06 07 04 00 00 01 00 14 03 a2 03 02 01 00 ................
0050 a3 05 a1 03 02 01 00 6c 27 a2 25 02 01 01 30 20 .......l'.%...0
0060 02 01 2d 30 1b 04 08 56 05 81 23 00 20 25 f9 a0 ..-0...V..#. %..
0070 0f 81 07 91 72 28 19 40 40 f7 04 04 00 01 a1 15 ....r(.@@.......
--------------------------------------------------------------------------------------------------------------------------
The next step is to use tshark to do the decoding on the command line. Any ideas please for Linux.
Much appreciated.
Regards
---------
Hoosain Madhi
Network Quality - Service Assurance
Group Mobile Engineering
Vodacom
-------- Original Message --------
Subject: Wireshark-users Digest, Vol 26, Issue 36
From: wireshark-users-request@xxxxxxxxxxxxx
<wireshark-users-request@xxxxxxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx <wireshark-users@xxxxxxxxxxxxx>
Date: Tue Jul 22 2008 21:00:02 GMT+0200 (SAST)
Hi!
Looking at the dump it looks like messageDump is not an SCCP
message, but SCCP payload (a MAP returnError). To decode this...
Step 1) In a plain text file, put the dump as in the following line:
0000 83 28 22 82 d8 09 01 03 0e 19 0b 12 [... and so on until the end
of the dump with the 'H in the end, with a space in the end before the
EOL and a space in between every byte]
Step 2) text2pcap -l 150 pdu.txt pdu.cap
Step 3) In Wireshark (version 1.0.x), before opening the file, go to
Edit > Preferences > Protocols > DLT_USER > Edit > New
Add a mapping for DLT 150 to payload_proto "gsm_map"... save and close
all dialog.
Step 4) Now, open the generated capture file.
Good luck!
Abhik.
On Tue, Jul 22, 2008 at 10:31 AM, Hoosain Madhi <madhih@xxxxxxxxxxxxx> wrote:
Good day
We are trying to decode a HEX stream that is part of a Q3 message generated on
a Siemens STP (SSNC). The output in Q3 format is shown below. The part that
we are interested in is the messageDump reproduced below for convenience. The
Dump is in Hex Format and is actually an SCCP message. We need to decode
this message in a human readable format.
1. Any idea on how to convert to a format that Wireshark will understand?
2. This message may require a dummy MTP layer to be added.
3. Commercial protocol analyzers require a 00000F appended to the beginning
of the message.
messageDump
'83282282d80901030e190b12080011044326926911010b1206001
1047228191063065d645b49045bba830a6b2a2828060700118605010101a01d611b80020780a109060704000001001403a203020100a305a10302010
06c27a225020101302002012d301b040856058123002025f9a00f8107917228194040f704040001a115'H,
--
Hoosain Madhi
Network Quality - Service Assurance
Group Mobile Engineering
Vodacom
Output in Q3 format
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
M-GET CONFIRMATION
(
INVOKE IDENTIFIER
158,
LINKED IDENTIFIER
2,
MANAGED OBJECT CLASS
alarmRecord,
MANAGED OBJECT INSTANCE
{
logId = string :
"SCCP_FAI_0",
logRecordId = number :
59633
},
CURRENT TIME
"20080701142851",
ATTRIBUTE LIST
{
objectClass
alarmRecord,
nameBinding
logRecord-log,
managedObjectClass
sccpErrorPerformance,
managedObjectInstance
{
communicationsEntityId =
"sccp",
scrcId = string :
"scrc",
sccpLinkageId = number :
0,
scannerId =
3
},
eventType
qualityofServiceAlarm,
eventTime
"20080701134000",
logRecordId number :
59633,
loggingTime
"20080701134000",
packages
{
thresholdInfoPackage,
GAAGDA1C.additionalInformationPackage,
eventTimePackage
},
probableCause
noRuleForAddress,
perceivedSeverity
warning,
thresholdInfo
{
triggeredThreshold
noTranslForSpecificAddress,
observedValue integer :
1
},
additionalInformation
{
{
identifier
firstAndIntervalEventInfo,
information
FirstAndIntervalEventInfo : {
sccpLinkageLocalName
"LOC-NAT0-N1",
sccpRoutingDomainName
"SRIforSM ",
calledPartyAddress
{
addressIndicator
{
routingIndicator
routeOnGt,
globalTitleIndicator
ttNpEsNa,
ssnIndicator
TRUE,
pointCodeIndicator
FALSE
},
addressField
{
ssn
8,
globalTitle
{
gtTranslationType gtTT : 0,
gtNumberingPlan gtNP : iSDNTNP,
gtNatureOfAddress gtNoA : international,
gtEncodingScheme gtES : bcdODD,
gtAddressInformation {
'0011'B,
'0100'B, '0110'B, '0010'B, '0010'B, '1001'B,
'1001'B,
'0110'B, '0001'B, '0001'B, '0001'B
}
}
}
},
callingPartyAddress
{
addressIndicator
{
routingIndicator
routeOnGt,
globalTitleIndicator
ttNpEsNa,
ssnIndicator
TRUE,
pointCodeIndicator
FALSE
},
addressField
{
ssn
6,
globalTitle
{
gtTranslationType gtTT : 0,
gtNumberingPlan gtNP : iSDNTNP,
gtNatureOfAddress gtNoA : international,
gtEncodingScheme gtES : bcdODD,
gtAddressInformation {
'0010'B,
'0111'B, '1000'B, '0010'B, '1001'B, '0001'B,
'0000'B,
'0001'B, '0011'B, '0110'B, '0110'B
}
}
}
},
dpc
{
pointCode bit14 :
8744,
netId
1
},
opc
{
pointCode bit14 :
8712,
netId
1
},
ssn
8,
messageDump
'83282282d80901030e190b12080011044326926911010b1206001
1047228191063065d645b49045bba830a6b2a2828060700118605010101a01d611b80020780a109060704000001001403a203020100a305a10302010
06c27a225020101302002012d301b040856058123002025f9a00f8107917228194040f704040001a115'H,
siteId "MP
-27 ",
userCode
2004126
}
}
}
}
)
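The conversion in steps 1 and 2 of the thread, followed by a command-line decode with tshark, as an added shell example that is not part of the original messages. The function names, the `pdu.txt`/`pdu.cap` file names reused from the thread, and the shortened sample dump are assumptions of this example; `text2pcap -l` and `tshark -r ... -V` are the standard Wireshark command-line options.

```shell
#!/bin/sh
# Added example, not from the thread: convert a Q3 messageDump ('...'H, wrapped
# over several lines) into the "offset + spaced bytes" text that text2pcap reads.

# Constructed sample: the first 20 octets of the messageDump quoted above,
# wrapped the way the Q3 output wraps it.
SAMPLE_DUMP="'83282282d80901030e190b12
0800110443269269'H,"

q3_dump_to_text2pcap() {
    # stdin: messageDump text. stdout: 16 bytes per line, 4-digit hex offsets.
    hex=$(tr -d "' \t\r\n" | sed 's/H,*$//')
    case "$hex" in
        ''|*[!0-9a-fA-F]*) echo "messageDump is not plain hex" >&2; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo "odd number of hex digits, dump is truncated" >&2
        return 1
    fi
    printf '%s\n' "$hex" | fold -w 32 | awk '{
        printf "%04x", (NR - 1) * 16
        for (i = 1; i <= length($0); i += 2) printf " %s", substr($0, i, 2)
        print ""
    }'
}

decode_dump() {
    # $1: file holding the messageDump
    # $2: link-layer type for text2pcap -l (default 141, the value used above)
    q3_dump_to_text2pcap < "$1" > pdu.txt &&
        text2pcap -l "${2:-141}" pdu.txt pdu.cap &&
        tshark -r pdu.cap -V    # -V prints the full protocol tree as text
}

# Show the text2pcap input produced for the sample.
printf '%s\n' "$SAMPLE_DUMP" | q3_dump_to_text2pcap
```

With the full messageDump saved to a file, `decode_dump dump.txt` writes `pdu.txt` and `pdu.cap` in the current directory and prints the decoded layers to the terminal.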