Wireshark-dev: Re: [Wireshark-dev] decoding depth & capture format

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 02 Mar 2009 11:28:25 -0500

I think the problem is that the packets are encrypted:

FCS: 0x3624af  (incorrect, maybe due to ciphering, calculated 0xb5c834)

[...]

.... .... .... ..1. = E bit:  encrypted frame

The GPRS-LLC dissector does not hand the payload off to the next dissector when this is the case.

I suppose in your other (PCAP) captures the data is not encrypted and/or the checksums are correct.

Marc Lebas wrote:

Hello Jeff,

Enclosed is a small capture file (99 records, 27Kb). i can provide you with a bigger file if this excerpt does not contain IP frames.

Marc

-----Message d'origine-----
De : wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] De la part de Jeff Morriss
Envoyé : vendredi 27 février 2009 15:53
À : Developer support list for Wireshark
Objet : Re: [Wireshark-dev] decoding depth & capture format



Marc Lebas wrote:

Hello,

Maybe its a User question but that could be a dev issue; anyway there was no answer to my question on the User's mailing list.

The issue : i got different depth in decoding (GPRS over FR), depending on the capture file format : With rf5, the analysis is limited to GPRS protocol layers, but never decode IP which is the encapsulated protocol. With libpcap, it is OK; Wireshark go deeper as it is able to decode encapsulated IP frames in GPRS frames.

Why such a behaviour ? Did i missed something in my config ?
Here is my config on Linux (but the issue is the same on Windows) :
- preferences : fr.encap: GPRS Network Service
- cat k12_protos : "gprs_gb","fr"

Not having ever looked at a GPRS capture in Wireshark, I don't know. (Small) sample captures would help.