Wireshark-users: Re: [Wireshark-users] Hex Stream Decode (SCCP)
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 23 Jul 2008 09:40:37 -0400
Actually it appears to me that the capture starts at the MTP3 SIO (0x83 is SCCP in a national network). Following your step 1 but substituting this for step 2):
    text2pcap -l 141 sccp_hex.txt sccp_hex.pcap

results in a capture file that decodes MTP3, SCCP, TCAP, and GSM MAP portions reasonably (the resulting locationInfoWithLMSI has a country code of South Africa which matches Hoosain's email address so I presume this is a proper decoding).

(Doing this also means you can skip step 3.)

Abhik Sarkar wrote:
Hi!

Looking at the dump it looks like messageDump is not an SCCP message, but SCCP payload (a MAP returnError). To decode this...

Step 1) In a plain text file, put the dump as in the following line:
0000 83 28 22 82 d8 09 01 03 0e 19 0b 12 [... and so on until the end of the dump with the 'H in the end, with a space in the end before the EOL and a space in between every byte]
Step 2) text2pcap -l 150 pdu.txt pdu.cap
Step 3) In Wireshark (version 1.0.x), before opening the file, go to Edit > Preferences > Protocols > DLT_USER > Edit > New
Add a mapping for DLT 150 to payload_proto "gsm_map"... save and close all dialog.
Step 4) Now, open the generated capture file.

Good luck!
Abhik.

On Tue, Jul 22, 2008 at 10:31 AM, Hoosain Madhi <madhih@xxxxxxxxxxxxx> wrote:

Good day

We are trying to decode a HEX stream that is part of a Q3 message generated on a Siemens STP (SSNC). The output in Q3 format is shown below. The part that we are interested in is the messageDump reproduced below for convenience. The Dump is in Hex Format and is actually an SCCP message. We need to decode this message in a human readable format.

1. Any idea on how to convert to a format that Wireshark will understand?
2. This message may require a dummy MTP layer to be added.
3. Commercial protocol analyzers require a 00000F appended to the beginning of the message.

messageDump '83282282d80901030e190b12080011044326926911010b1206001 1047228191063065d645b49045bba830a6b2a2828060700118605010101a01d611b80020780a109060704000001001403a203020100a305a10302010 06c27a225020101302002012d301b040856058123002025f9a00f8107917228194040f704040001a115'H,

--
Hoosain Madhi
Network Quality - Service Assurance Group
Mobile Engineering
Vodacom

Output in Q3 format
------------------------------------------------------------
M-GET CONFIRMATION
(
  INVOKE IDENTIFIER 158,
  LINKED IDENTIFIER 2,
  MANAGED OBJECT CLASS alarmRecord,
  MANAGED OBJECT INSTANCE { logId = string : "SCCP_FAI_0", logRecordId = number : 59633 },
  CURRENT TIME "20080701142851",
  ATTRIBUTE LIST
  {
    objectClass alarmRecord,
    nameBinding logRecord-log,
    managedObjectClass sccpErrorPerformance,
    managedObjectInstance { communicationsEntityId = "sccp", scrcId = string : "scrc", sccpLinkageId = number : 0, scannerId = 3 },
    eventType qualityofServiceAlarm,
    eventTime "20080701134000",
    logRecordId number : 59633,
    loggingTime "20080701134000",
    packages { thresholdInfoPackage, GAAGDA1C.additionalInformationPackage, eventTimePackage },
    probableCause noRuleForAddress,
    perceivedSeverity warning,
    thresholdInfo { triggeredThreshold noTranslForSpecificAddress, observedValue integer : 1 },
    additionalInformation
    {
      {
        identifier firstAndIntervalEventInfo,
        information FirstAndIntervalEventInfo :
        {
          sccpLinkageLocalName "LOC-NAT0-N1",
          sccpRoutingDomainName "SRIforSM ",
          calledPartyAddress
          {
            addressIndicator { routingIndicator routeOnGt, globalTitleIndicator ttNpEsNa, ssnIndicator TRUE, pointCodeIndicator FALSE },
            addressField
            {
              ssn 8,
              globalTitle
              {
                gtTranslationType gtTT : 0,
                gtNumberingPlan gtNP : iSDNTNP,
                gtNatureOfAddress gtNoA : international,
                gtEncodingScheme gtES : bcdODD,
                gtAddressInformation { '0011'B, '0100'B, '0110'B, '0010'B, '0010'B, '1001'B, '1001'B, '0110'B, '0001'B, '0001'B, '0001'B }
              }
            }
          },
          callingPartyAddress
          {
            addressIndicator { routingIndicator routeOnGt, globalTitleIndicator ttNpEsNa, ssnIndicator TRUE, pointCodeIndicator FALSE },
            addressField
            {
              ssn 6,
              globalTitle
              {
                gtTranslationType gtTT : 0,
                gtNumberingPlan gtNP : iSDNTNP,
                gtNatureOfAddress gtNoA : international,
                gtEncodingScheme gtES : bcdODD,
                gtAddressInformation { '0010'B, '0111'B, '1000'B, '0010'B, '1001'B, '0001'B, '0000'B, '0001'B, '0011'B, '0110'B, '0110'B }
              }
            }
          },
          dpc { pointCode bit14 : 8744, netId 1 },
          opc { pointCode bit14 : 8712, netId 1 },
          ssn 8,
          messageDump '83282282d80901030e190b12080011044326926911010b1206001 1047228191063065d645b49045bba830a6b2a2828060700118605010101a01d611b80020780a109060704000001001403a203020100a305a10302010 06c27a225020101302002012d301b040856058123002025f9a00f8107917228194040f704040001a115'H,
          siteId "MP -27 ",
          userCode 2004126
        }
      }
    }
  }
)

"This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
Attachment:
sccp_hex.pcap
Description: Binary data
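
Added example, not part of the original messages: a Python sketch that turns the messageDump string into the offset-plus-spaced-hex layout text2pcap reads, and decodes the MTP3 SIO and routing label so the "starts at the SIO" reading can be checked against the dpc/opc fields of the Q3 record. It assumes ITU 14-bit point codes (the record says bit14); the function names are made up for this example, and the output file name is the one used in the text2pcap -l 141 command above.

```python
import re

# messageDump copied from the Q3 record quoted in this thread; the embedded
# spaces are the line-wrap artifacts as they appear in the archived message.
MESSAGE_DUMP = (
    "'83282282d80901030e190b12080011044326926911010b1206001 "
    "1047228191063065d645b49045bba830a6b2a2828060700118605010101a01d611b80020780a109060704000001001403a203020100a305a10302010 "
    "06c27a225020101302002012d301b040856058123002025f9a00f8107917228194040f704040001a115'H"
)

def dump_to_bytes(dump: str) -> bytes:
    """Strip the ASN.1 hstring wrapper ('...'H) and whitespace, return raw bytes."""
    m = re.fullmatch(r"\s*'([0-9A-Fa-f\s]*)'H\s*,?\s*", dump)
    if not m:
        raise ValueError("not an ASN.1 hex string of the form '...'H")
    digits = re.sub(r"\s+", "", m.group(1))
    if len(digits) % 2:
        raise ValueError("odd number of hex digits; dump is truncated")
    return bytes.fromhex(digits)

def to_text2pcap(data: bytes, width: int = 16) -> str:
    """Render bytes as hex offset + space-separated bytes, one row per line."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append(f"{off:04x} " + " ".join(f"{b:02x}" for b in chunk) + " ")
    return "\n".join(lines) + "\n"

def mtp3_label(data: bytes) -> dict:
    """Decode the SIO and ITU routing label (assumption: 14-bit point codes)."""
    if len(data) < 5:
        raise ValueError("too short for SIO + routing label")
    sio = data[0]
    label = int.from_bytes(data[1:5], "little")
    return {
        "service_indicator": sio & 0x0F,  # 3 = SCCP
        "network_indicator": sio >> 6,    # 2 = national network
        "dpc": label & 0x3FFF,
        "opc": (label >> 14) & 0x3FFF,
        "sls": label >> 28,
    }

if __name__ == "__main__":
    raw = dump_to_bytes(MESSAGE_DUMP)
    print(mtp3_label(raw))  # compare dpc/opc with the Q3 record
    with open("sccp_hex.txt", "w") as fh:
        fh.write(to_text2pcap(raw))
    # next: text2pcap -l 141 sccp_hex.txt sccp_hex.pcap
```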