ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] GPRS Conversation

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Mike Morrin" <Mike.Morrin@xxxxxxxxxxxx>
Date: Sun, 19 Sep 2010 09:10:57 +0100
>From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev->bounces@xxxxxxxxxxxxx] On Behalf Of Rick Bywater
>Sent: 17 September 2010 21:41
>To: wireshark-dev@xxxxxxxxxxxxx
>Subject: [Wireshark-dev] GPRS Conversation

>I have been looking into writing code to handle GRPS conversations, but do >not know how to proceed.  The existing conversation code is address/port >based.  In GPRS, conversations between the GSN and mobile equipment are >identified by their TLLI, not the address:port which is delivering the >traffic.  To complicate matters, the TLLI changes over time.  I noted an >exchange on the wireshark-dev (http://www.wireshark.org/lists/wireshark->dev/200906/msg00315.html) which describes a similar situation with one >notable exception - mobility.  I see no means to track a mobile device >across existing BSS-GSN "conversations."

>This problem exists in other cases besides GSM, as well.  Suppose you have >a device, D, access points AP1, AP2, and AP3, and mobile device, MD1.  A >wireshark trace would show conversations between D and AP1, D and AP2, and >D and AP2, and (potentially) 3 conversations between D and MD1 as MD1 moved >between the three access points.  However, there is no mechanism to tie >these together.

>Anyone have a suggestion on how to resolve this?

You may be able to use some of the attached code fragments which were created a while ago while I was trying to fix bug 2857 (which I will get around to eventually).  This code creates a hash table of GPRS streams (identified by SGSN, TLLI, NSAPI and link direction).  It does not attempt to track TLLI changes.  There is no guarantee that it will work, and the TLLI/link-direction harvesting code for nsip is missing (because the nsip dissector was changed since then).

Mike
 





This message contains confidential information and may be privileged. If you are not the intended recipient, please notify the sender and delete the message immediately.

ip.access Ltd, registration number 3400157, Building 2020, 
Cambourne Business Park, Cambourne, Cambridge CB23 6DW, United Kingdom

Attachment: sndcp_diff.zip
Description: sndcp_diff.zip

Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube