Wireshark-users: Re: [Wireshark-users] Does WireShark Really Supports All GSM protocols?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 1 Feb 2008 14:18:18 -0800

On Feb 1, 2008, at 1:15 PM, Kokab Naqvi wrote:

I am a wireless GSM engineer. I am using a data collection software, TEMS Investigation, to access a 3G UMTS network for Voice, Video, FTP and HTTP calls through a TEST phone which is connected to my laptop by a USB port. Apart from that, I am also running WIRESHARK in parallel to capture the packets.

For FTP and HTTP (Packet Switch Services), it works fine. When I make an FTP or HTTP connection, a new interface called WAN (PPP/SLIP) is created, and I capture the traffic and can see all the packet information.

The problem is with Circuit Switch calls like Voice and Video. I cannot see any new interface to capture when I make Voice or Video calls. I also tried to find the option for selecting the ports in WIRESHARK so that I could select the port to which my mobile is connected; then WIRESHARK might be able to capture the traffic coming in and out of that port. But unfortunately I was not able to see any option for PORTS.

The answer to the question you ask in the subject line depends on what you mean by "support".

A *very* fundamental thing to bear in mind about Wireshark is that it performs two separate functions:

	1) capturing network traffic;

	2) decoding network traffic.

The fact that Wireshark can capture a given type of network traffic doesn't guarantee that it can completely dissect that traffic, and the fact that Wireshark can dissect a given type of network traffic doesn't guarantee that it can capture that type of traffic.

If some proprietary secret protocol is being sent over TCP on an Ethernet, Wireshark will be able to capture that traffic, but it won't be able to dissect the proprietary protocol, as, given that the protocol is secret, unless somebody's managed to reverse-engineer the protocol, it won't be possible to write a dissector for that protocol.

If Wireshark can read a capture file from some specialized piece of capture hardware, it might be able to dissect all the protocols in that capture file - however, there might not be any hardware on the machine on which Wireshark is running to perform that capture.

In addition, there might be some protocols that can be carried atop multiple other protocols, and Wireshark might be able to capture them when they're carried atop some link layers but not when they're carried atop other link layers.

Unless the firmware on your test phone can be put into a mode where it directly passes a copy of its UMTS traffic to the host over the USB connection, and unless there's a driver for your test phone that allows an application on your machine to read that traffic, it will be impossible to capture it with Wireshark. If such a driver exists, it might be possible to extend libpcap/WinPcap to use that driver, and to have Wireshark be able to read the type of traffic it would get from libpcap/WinPcap.

I suspect your test phone is running the TEMS Pocket software:

	http://www.ericsson.com/solutions/tems/realtime_diagnostics/pocket.shtml

	http://www.ericsson.com/solutions/tems/realtime_diagnostics/downloads/tems_pocket_5.3.pdf

and I didn't see anything obvious there about being able to feed raw traffic to the host. It does appear to have the ability to save some information to a logfile, but I don't know whether that information would be raw traffic or just statistical data. Wireshark doesn't know anything about those logfiles; we'd either need a description of the format of the files, or some of the files plus detailed information about their contents (such as what the content of the captured messages is) so that we can reverse-engineer that format, in order to make Wireshark able to read them.
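
The capture/dissect split described in this message, as an added Python sketch (not part of the original post and not Wireshark code): it reads a constructed pcap file and decodes layer by layer, stopping where it has no dissector. The port table, function names and sample addresses are assumptions made for the illustration.

```python
import struct

# Hypothetical dissector table for this sketch: TCP port -> protocol name.
KNOWN_TCP_PORTS = {80: "http", 21: "ftp"}
LINKTYPE_ETHERNET = 1  # pcap link-layer type value for Ethernet

def build_sample_pcap(dport, payload):
    """Constructed capture: one Ethernet/IPv4/TCP frame, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    frame = eth + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rhdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return ghdr + rhdr + frame

def dissect(pcap):
    """Return the layers decoded; the last entry is raw data if no dissector fits."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, 24)
    frame = pcap[40:40 + incl_len]          # captured bytes are always available
    if linktype != LINKTYPE_ETHERNET:       # captured, but no link-layer dissector
        return [f"linktype {linktype}: {len(frame)} undissected bytes"]
    layers = ["eth"]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        return layers + [f"data({len(frame) - 14})"]
    ihl = (frame[14] & 0x0F) * 4
    layers.append("ip")
    if frame[14 + 9] != 6:                  # IP protocol field: 6 is TCP
        return layers + [f"data({len(frame) - 14 - ihl})"]
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:]
    layers.append("tcp")
    name = KNOWN_TCP_PORTS.get(dport) or KNOWN_TCP_PORTS.get(sport)
    layers.append(name if name else f"data({len(payload)})")
    return layers
```

In both cases the frame is captured in full; only the second stage differs, and a payload on an unknown port or a file with an unknown link-layer type comes back as raw bytes.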