Wireshark-users: Re: [Wireshark-users] Diameter [Malformed Packet: GTPv2]
From: Bo Xu <xubo.leo@xxxxxxxxx>
Date: Fri, 26 Aug 2011 07:50:11 +0800
Hi,
The unknown vendor id does not seem to be the reason, because this packet has the 81000 vendor, but there is no
"Malformed Packet: GTPv2" prompt. I have also attached the file.
I have also tried adding all the information to dictionary.xml; nothing changed.
Diameter Protocol
    Version: 0x01
    Length: 532
    Flags: 0x80
    Command Code: 272 Credit-Control
    ApplicationId: 4
    Hop-by-Hop Identifier: 0xa4481500
    End-to-End Identifier: 0x56b6802f
    [Answer In: 31]
    AVP: Session-Id(263) l=61 f=--- val=shcin.chinatelecom.com;1310710240;231738395;14832:168
    AVP: Origin-Host(264) l=30 f=--- val=shcin.chinatelecom.com
    AVP: Origin-Realm(296) l=24 f=--- val=chinatelecom.com
    AVP: Destination-Realm(283) l=24 f=--- val=chinatelecom.com
    AVP: Auth-Application-Id(258) l=12 f=--- val=Diameter Credit Control (4)
    AVP: Service-Context-Id(461) l=36 f=--- val=version1.in@xxxxxxxxxxxxxxxx
    AVP: CC-Request-Type(416) l=12 f=--- val=INITIAL_REQUEST (1)
    AVP: CC-Request-Number(415) l=12 f=--- val=0
    AVP: Event-Timestamp(55) l=12 f=--- val=Jul 15, 2011 06:25:08.000000000 UTC
    AVP: Subscription-Id(443) l=44 f=---
    AVP: Service-Information(873) l=240 f=V-- vnd=TGPP
        AVP Code: 873 Service-Information
        AVP Flags: 0x80
        AVP Length: 240
        AVP Vendor Id: 3GPP (10415)
        Service-Information: 00004f4c800000e400013c6800004f708000001900013c68...
            AVP: Unknown(20300) l=228 f=V-- vnd=81000 val=00004f708000001900013c68383631353030303937393833...
                AVP Code: 20300 Unknown
                AVP Flags: 0x80
                AVP Length: 228
                AVP Vendor Id: Unknown (81000)
                Value: 00004f708000001900013c68383631353030303937393833...
On Fri, Aug 26, 2011 at 1:46 AM, Anders Broman <a.broman@xxxxxxxxxxxx> wrote:
Bo Xu wrote 2011-08-25 18:21:
Hi,
Hello guys,
I am very confused that I got "Malformed Packet: GTPv2" in every Diameter (CCR) in version 1.6.
I tried multiple versions of Wireshark, and I have found that for the same err_sample.pcap, which I have already attached, there is
no such annoying prompt in version 1.2.16. I read the Wireshark manual; there is some explanation at this URL:
http://www.wireshark.org/docs/wsug_html_chunked/AppMessages.html#id622336
To my understanding, mostly there is something wrong in the packet content. Another proof is that other Diameter packets work
perfectly with Wireshark version 1.6.1.
Here comes my question: does this AVP(20600) finally cause the "malformed packet" prompt because there is no data in this AVP?
Or is there anything wrong with the CCR packet content?
FYI: the Diameter server port is 6555, and this server connects multiple clients.
Service-Information: 00005078c000000c00013c680000036ac000001c000028af...
AVP: Unknown(20600) l=12 f=VM- vnd=81000
AVP Code: 20600 Unknown
AVP Flags: 0xc0
AVP Length: 12
AVP Vendor Id: Unknown (81000)
[No data]
[Expert Info (Warn/Undecoded): Data is empty]
[Message: Data is empty]
[Severity level: Warn]
[Group: Undecoded]
AVP: PS-Information(874) l=28 f=VM- vnd=TGPP
[Malformed Packet: GTPv2]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
BR
Xu Bo
Some background: Wireshark dissects Diameter AVPs with the help of XML files, which can be found in the
diameter directory. For some AVPs there is also C code to further dissect "Octet Strings", in packet-diameter_3gpp.c.
AVP 20600 with vendor id 81000 is not known to Wireshark. BTW, the vendor id should be registered, in which case Wireshark would show the vendor. There is no problem with the dissection of this AVP as far as I can tell.
AVP 22 vendor 3GPP "3GPP-User-Location-Info" is specified as Octet String and
/*
* TS 29.061 v9.2.0
* 16.4.7.2 Coding 3GPP Vendor-Specific RADIUS attributes
*
* For P-GW, the Geographic Location Type values and coding are defined as follows:
*
* 0 CGI
* 1 SAI
* 2 RAI
* 3-127 Spare for future use
* 128 TAI
* 129 ECGI
* 130 TAI and ECGI
* 131-255 Spare for future use
*/
This dissection fails as the content seems not to be correct according to the spec.
Best regards
Anders
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
Attachment:
voice_sample.zip
Description: Zip archive
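
An added example, not part of the thread and not Wireshark's own code: a small Python walker that descends Service-Information(873) and PS-Information(874), finds 3GPP-User-Location-Info (AVP 22, vendor 10415) and checks its first octet against the Geographic Location Type table quoted above. The function names and the sample bytes are constructed for illustration; the AVP header layout is the standard Diameter one (RFC 6733).

```python
import struct

VENDOR_3GPP = 10415
GROUPED = {(873, VENDOR_3GPP), (874, VENDOR_3GPP)}  # Service-Information, PS-Information
ULI = (22, VENDOR_3GPP)                             # 3GPP-User-Location-Info
# Geographic Location Type values from the TS 29.061 table quoted in the thread
GEO_TYPES = {0: "CGI", 1: "SAI", 2: "RAI", 128: "TAI", 129: "ECGI", 130: "TAI and ECGI"}

def walk_avps(buf):
    """Yield (code, vendor, data) per AVP, recursing into the grouped AVPs above."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError(f"truncated AVP header at offset {off}")
        code, flags_len = struct.unpack_from("!II", buf, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8            # V bit set: 4-byte Vendor-Id follows
        if length < hdr or off + length > len(buf):
            raise ValueError(f"AVP {code}: length {length} does not fit")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & 0x80 else 0
        data = buf[off + hdr:off + length]
        yield code, vendor, data
        if (code, vendor) in GROUPED:
            yield from walk_avps(data)
        off += (length + 3) & ~3                   # AVPs are padded to 4 bytes

def check_uli(data):
    """Classify the first octet of a 3GPP-User-Location-Info value."""
    if not data:
        return "empty value"
    name = GEO_TYPES.get(data[0])
    if name is None:
        return f"spare Geographic Location Type {data[0]}"
    return f"{name} with {len(data) - 1} octet(s) of location data"

def audit(buf):
    """Return one finding per 3GPP-User-Location-Info AVP found in buf."""
    return [check_uli(d) for c, v, d in walk_avps(buf) if (c, v) == ULI]

def avp(code, data, vendor=VENDOR_3GPP, flags=0x80):
    """Build a vendor-specific AVP (constructed test input, not captured traffic)."""
    length = 12 + len(data)
    pad = b"\x00" * (-length % 4)
    return struct.pack("!III", code, flags << 24 | length, vendor) + data + pad

# Constructed samples: Service-Information > PS-Information > User-Location-Info
GOOD = avp(873, avp(874, avp(22, bytes([128, 0x64, 0xF0, 0x11, 0x12, 0x34]))))
BAD = avp(873, avp(874, avp(22, bytes([0x38, 0x36, 0x31, 0x35]))))  # ASCII digits, no type octet
```

Running `audit()` over the Diameter payload of a capture (everything after the 20-byte Diameter header) shows whether a sender is putting something other than a type-prefixed location structure into AVP 22.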