Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Decoding raw SCCP packets using Wireshark

From: "James Lee" <james.lee@xxxxxxxxxx>
Date: Fri, 30 Nov 2007 17:41:50 +0000
That's exactly what I was looking for, and does the trick.  Thanks!

On 30/11/2007, Luis EG Ontanon <luis.ontanon@xxxxxxxxx > wrote:
You could use a user dlt and assign sccp to it.

See http://wiki.wireshark.org/HowToDissectAnything


On Nov 30, 2007 1:50 AM, James Lee <james.lee@xxxxxxxxxx> wrote:
> Hi.  I'm trying to use wireshark to decode raw SCCP packets; i.e. the
> contents of an SCCP packet sent over an SS7 link, but where we have only the
> packet from the SCCP layer upwards available (so none of the lower-layer
> protocols like MTP3, MTP2, etc.).
>
> Now I'm trying to do this by outputting the contents of the SCCP message to
> a binary ASCII file, and then running text2pcap over it as follows:
> "text2pcap -l 142 input.txt output.pcap" - where 142 is the value of
> DLT_SCCP which should be the correct link-layer type here I believe?
> Text2pcap is perfectly happy and produces an pcap output file.
>
>
> When I try to load this file in wireshark, I just get an error complaining
> about an unknown link layer type of 142.  For comparison, I've tried running
> the exact same text2pcap command but with "-l 141" (which is DLT_MTP3), and
> wireshark opens the file happily and tries to display an mtp3 packet (though
> the contents is incorrect as this binary file doesn't contain an mtp3
> header).
>
> From this, and from looking at the source code it looks like wireshark
> doesn't support decoding raw SCCP packets unless I'm missing something - is
> this correct?  If so, then is there a simple way for me to be able to use
> wireshark and its associated tools to decode raw SCCP packets?  Can I get
> text2pcap to add a dummy MTP3 header (in the same way as it adds dummy
> UDP/TCP and lower headers to IP traffic)?  Is my only option to get my
> application to output packets including an MTP3 header?  Is there a more
> direct way to get wireshark to decode binary data for a single packet?
>
> Any help would be much appreciated here.
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
>



--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev