Wireshark-users: [Wireshark-users] LAPD decode problem
From: "Harvey, James B." <Jim.Harvey@xxxxxxxxxxx>
Date: Fri, 17 Jul 2009 08:59:56 -0500
I have traces captured by an Agilent J2300 Advisor.  The protocol is  FTAM over CLNP over LAPD. The Advisor decodes LAPD but no higher.  I have not found a way to convert these trace files to .PCAP directly so I print to file the capture hex only, then massage the print file with TCL to get something I can feed to text2pcap.  Looks like this:

 000000   f8 01 dc 4c 81 3c 01 13 9c 01 bc 00 00 14 39 84 
 000010   0f 80 00 00 00 00 00 00 00 00 01 00 10 cf d2 10 
 000020   c2 1d 14 39 84 0f 80 00 00 00 00 00 00 00 00 01 
 000030   10 b0 c7 03 63 6d 1d 58 2a 00 00 01 bc cd 01 00 
 000040   04 f0 58 01 0d b5 b6 13 77 32 c1 8c 76 60 90 df 
 000050   f9 d5 06 1a 33 4e 4f 4e d8 41 9e 6d 38 0f 5d d3 
 000060   32 28 48 58 08 c9 6c 95 6f 53 90 cb c6 cb 2c c5 
 000070   48 c9 b7 c5 3c 64 bf 6e 92 e1 26 69 3f d3 2e 9b 
 000080   5a 01 9e 87 cb a9 41 73 bd c1 54 50 bd 6b 3f 5e 
 000090   03 ed 27 51 f3 5c 6d 3f 2b c8 39 63 02 bb d3 bd 
 0000a0   9b 58 8c cd f4 55 90 b1 f8 65 d4 5a 72 38 cd 89 
 0000b0   0f 61 7e f2 7c a9 29 af eb ae f9 64 6a c0 89 22 
 0000c0   4f ce 69 a2 52 36 40 8a a5 7e 24 bc 4c 4c 1a 9f 
 0000d0   1c a5 a5 05 d4 24 e1 b0 a5 d8 1e c6 d3 09 28 c9 
 0000e0   b6 9f 15 ec 75 32 34 8e fc a5 40 5e 37 e0 52 11 
 0000f0   7a 56 7d 49 12 d0 4f 3b 0e 52 b3 01 63 57 de c2 
 000100   d4 53 d4 95 bc 9a 7c c1 c6 ae e7 31 49 ba 99 7a 
 000110   e7 97 37 bf 49 b2 57 6d c6 cc d8 af 3c 48 72 81 
 000120   92 c1 c3 04 82 04 00 c6 f1 8d 0e f7 af 1f 0b d7 
 000130   86 c4 f8 fa 06 81 d4 61 e0 c1 ac b9 90 83 1c ea 
 000140   10 d9 c2 f3 bc 24 c6 ae 85 19 35 52 d5 76 73 68 
 000150   4f 3e 5b ca 1a d8 87 d7 4f 4e 70 3b d7 8d 77 43 
 000160   41 1d 09 1e 11 cd 5a b2 b3 f6 5c 7e 7e 0e c3 70 
 000170   15 ba c9 98 7d 7b eb 9a 5c a6 10 6f f2 b1 a5 a4 
 000180   80 6b c9 93 bc cb b9 04 66 e9 39 07 85 4e 72 42 
 000190   29 65 06 e4 ed 42 65 21 e9 24 27 3b cf ff d5 80 
 0001a0   c5 76 7f 58 22 e8 ec ed 8d 0e 64 ce 0f 5e 1e fe 
 0001b0   1c 15 2f 63 e2 d9 a8 74 82 02 d8 be 3d 94 9d e0 
 0001c0   c1 13 

 000000   f8 01 01 dc c8 31 

 000000   fa 01 4e dc 81 3c 01 32 9c 00 41 00 00 14 39 84 
 000010   0f 80 00 00 00 00 00 00 00 00 01 10 b0 c7 03 63 
 000020   6d 1d 14 39 84 0f 80 00 00 00 00 00 00 00 00 01 
 000030   00 10 cf d2 10 c2 1d 4c da 00 00 00 41 cd 01 00 
 000040   04 6f 58 05 0d 90 82 

This is an FTAM data PDU, a LAPD ack, and I think an FTAM ack.  Text2pcap does convert, Wireshark loads but won't decode.  The Analyze -> Decode As menu item is not available so I can't force it.

Anyone have a suggestion how to deal with this?  I am using Wireshark 1.2 on windows XP.

Jim Harvey
============================================================
The information contained in this message may be privileged
and confidential and protected from disclosure. If the reader
of this message is not the intended recipient, or an employee
or agent responsible for delivering this message to the
intended recipient, you are hereby notified that any reproduction,
dissemination or distribution of this communication is strictly
prohibited. If you have received this communication in error,
please notify us immediately by replying to the message and
deleting it from your computer. Thank you. Tellabs
============================================================