Wireshark-users: Re: [Wireshark-users] Hex Stream Decode (SCCP)

From: Andreas Fink <afink@xxxxxxxxxxxxx>
Date: Fri, 15 Aug 2008 08:24:35 +0200
The 00000000 is the address of a dump. It can be 0000 too, I guess.

On 15.08.2008, at 07:52, Hoosain Madhi wrote:

Hi All

I agree with Andreas Fink. His decode makes sense and is relevant.

Just a few questions Andreas:
1. I followed all steps in your email - I still get Unknown Message.
2. Why should I use 00000000 at the beginning? What will happen if I use 0000 instead?

My problem is how to get this on the command line with tshark.


Hoosain Madhi
Network Quality - Service Assurance
Group Mobile Engineering
Vodacom

E-Mail : hoosain.madhi@xxxxxxxxxxxxx


-------- Original Message --------
Subject: Wireshark-users Digest, Vol 27, Issue 22
From: wireshark-users-request@xxxxxxxxxxxxx    <wireshark-users-request@xxxxxxxxxxxxx>
To: wireshark-users@xxxxxxxxxxxxx <wireshark-users@xxxxxxxxxxxxx>
Date: Thu Aug 14 2008 16:37:08 GMT+0200 (SAST)

Subject: Re: [Wireshark-users] Hex Stream Decode (SCCP)
From: Hoosain Madhi <madhih@xxxxxxxxxxxxx>
Date: Thu, 14 Aug 2008 14:18:44 +0200
To: "wireshark-users@xxxxxxxxxxxxx" <wireshark-users@xxxxxxxxxxxxx>
Hi Wireshark Users,

In a previous post I was trying to decode a hexdump originating from an STP/VLR. A text2pcap -l 141 sccp_hex.txt sccp_hex.pcap solved my problem in that I was able to import the pcap file into Wireshark.

I am now trying to decode a messageDump originating on an SGSN, however -l 141 does not work. Any ideas on what message I am dealing with and how I can decode it? The messageDump is reproduced below:

e10000000106040f42b04850d1233340d1273945d429374f08000000000000000782117807a40e038b2000f30a40000000002ca48b3a40382647cea 4023a0000000027010000030044624248046000e5d36b1a281806070011860501 0101a00d600ba109060704000001000e036c1ea11c02010102013 83014800802083103715994f7020103050081008301010504765d702ba0068300840204249e5d9e040e66016563a45818846df1f99d07398301018d4402 088945d48b45d48945e083ec04ff75e8ff75e0ff75e4ff75dce84b510000588845d833c08a45c53c097406408845c5eba3c745ecfe0000008d45ec8945dc8d0 5d46000008945e48d05d460
--
Hoosain Madhi
Network Quality - Service Assurance
Group Mobile Engineering
Vodacom
----------------------------------------------------------------------------------------------
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 23 Jul 2008 09:40:37 -0400

Actually it appears to me that the capture starts at the MTP3 SIO (0x83 is SCCP in a national network). Following your step 1 but substituting this for step 2):
text2pcap -l 141 sccp_hex.txt sccp_hex.pcap

results in a capture file that decodes MTP3, SCCP, TCAP, and GSM MAP portions reasonably (the resulting locationInfoWithLMSI has a country code of South Africa which matches Hoosain's email address so I presume this is a proper decoding).
(Doing this also means you can skip step 3.)


----------
Abhik Sarkar wrote:
Hi!

Looking at the dump, it looks like messageDump is not an SCCP
message, but SCCP payload (a MAP returnError). To decode this...

Step 1) In a plain text file, put the dump as in the following line:
0000 83 28 22 82 d8 09 01 03 0e 19 0b 12 [... and so on until the end
of the dump with the 'H in the end, with a space in the end before the
EOL and a space in between every byte]
Step 2) text2pcap -l 150 pdu.txt pdu.cap
Step 3) In Wireshark (version 1.0.x), before opening the file, go to
Edit > Preferences > Protocols > DLT_USER > Edit > New
Add a mapping for DLT 150 to payload_proto "gsm_map"... save and close
all dialog.
Step 4) Now, open the generated capture file.

Good luck!
Abhik.

On Tue, Jul 22, 2008 at 10:31 AM, Hoosain Madhi <madhih@xxxxxxxxxxxxx> wrote:
Good day

We are trying to decode a HEX stream that is part of a Q3 message generated on
a Siemens STP (SSNC). The output in Q3 format is shown below. The part that
we are interested in is the messageDump reproduced below for convenience. The
dump is in hex format and is actually an SCCP message. We need to decode
this message into a human-readable format.

1. Any idea on how to convert to a format that Wireshark will understand?
2. This message may require a dummy MTP layer to be added.
3. Commercial protocol analyzers require a 00000F appended to the beginning
of the message.


messageDump
'83282282d80901030e190b12080011044326926911010b12060011047228191063065d645b49045bba830a6b2a2828060700118605010101a01d611b80020780a109060704000001001403a203020100a305a103020100 6c27a225020101302002012d301b040856058123002025f9a00f8107917228194040f704040001a115'H,


“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "
Subject: Re: [Wireshark-users] Hex Stream Decode (SCCP)
From: Andreas Fink <afink@xxxxxxxxxxxxx>
Date: Thu, 14 Aug 2008 15:27:55 +0200
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
go to wireshark preferences,
select protocol
 select DLT_USER
 add an entry into the encapsulation table
encap = user2 (DLT=149) (or whatever you use in the -l step in text2pcap)
header size =0
header proto = mtp3
trailer size = 0
trailer proto = mtp3
put the following into a text file
00000000 83 28 22 82 d8 09 01 03 0e 19 0b 12 08 00 11 04 43 26 92 69 11 01 0b 12 06 00 11 04 72 28 19 10 63 06 5d 64 5b 49 04 5b ba 83 0a 6b 2a 28 28 06 07 00 11 86 05 01 01 01 a0 1d 61 1b 80 02 07 80 a1 09 06 07 04 00 00 01 00 14 03 a2 03 02 01 00 a3 05 a1 03 02 01 00 6c 27 a2 25 02 01 01 30 20 02 01 2d 30 1b 04 08 56 05 81 23 00 20 25 f9 a0 0f 81 07 91 72 28 19 40 40 f7 04 04 00 01 a1 15 
(this is an address number 000000 + all your bytes separated with spaces, all on one line)
run
text2pcap -l 149 textfile binary.cap
open binary.cap in Wireshark.
That worked for me.
The message is a response to a SendRoutingInfoForSM. It comes from an HLR, not a VLR.

Subject: Re: [Wireshark-users] Hex Stream Decode (SCCP)
From: Luis EG Ontanon <luis@xxxxxxxxxxx>
Date: Thu, 14 Aug 2008 16:07:21 +0200
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
The encapsulating protocol is sscf-nni (ATM, AAL5 and SSCOP were
stripped already) so you need to:

text2pcap -l 160 sccp.txt sccp.pcap

Then you have to add to Protocols->DLT_USER->EncapsulationsTable an
entry for  DLT=160 (USER12) to use  sscf-nni as payload protocol.

--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan


Subject: Re: [Wireshark-users] Hex Stream Decode (SCCP)
From: Luis EG Ontanon <luis@xxxxxxxxxxx>
Date: Thu, 14 Aug 2008 16:26:19 +0200
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
No it isn't sscf-nni!

I see no potential MTP3 header (SI=3) followed by anything that can be
a valid SCCP message.

What protocol is supposed to be in there?
Are there more packets or just one?
Which are OPC and DPC? (to try to look for a valid routing label)



My sensation is that you are logging internal signals and these
contain no protocol data but an internal representation of it (unknown
to the most).

\Lego


--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan


Subject: Re: [Wireshark-users] Hex Stream Decode (SCCP)
From: AMEAUME ALAIN <Alain.Ameaume@xxxxxxxxxxxxxxxxx>
Date: Thu, 14 Aug 2008 16:30:46 +0200
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Hi,
 
I wonder if you are really looking at something between VLR and SGSN? If yes, it should be the BSSAP+ protocol on the Gs interface.
 
Regards,
Alain.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
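The procedure Andreas describes (offset, space-separated bytes, text2pcap -l with a user DLT, then a DLT_USER mapping to mtp3) and Hoosain's two follow-up questions (does the 0000 vs 00000000 offset matter, and how to do it with tshark instead of the GUI) both come down to mechanical formatting that is easy to get wrong by hand. The script below is an added example, not code from the thread or from the Wireshark project. It converts a raw dump in the Q3 'xx...'H notation into text2pcap input, rejects a dump with an odd number of hex digits (a truncated or garbled dump is one cause of an "Unknown" decode), and prints the text2pcap and tshark command lines. The uat:user_dlts record layout passed to tshark -o (encapsulation name, payload protocol, header size, header protocol, trailer size, trailer protocol) is an assumption about the current preference format and should be checked against your Wireshark version; the sample bytes are the first 33 bytes of the STP messageDump quoted above, constructed here as input.

```python
"""
Added example (not from the mailing-list thread): turn a raw hex dump such as
the messageDump above into text2pcap input, and show the tshark invocation
that maps the chosen user DLT to MTP3 without touching the Wireshark GUI.
"""
import re
import shlex

# Constructed sample: the first 33 bytes of the STP messageDump quoted in the
# thread, in the 'xx...'H notation the Q3 output uses.
SAMPLE_DUMP = "'83282282d80901030e190b12080011044326926911010b12060011047228191063'H,"

DLT_USER_BASE = 147          # DLT_USER0 is 147, so DLT 149 is "User 2"


def clean_hex(dump: str) -> bytes:
    """Strip the 'H wrapper, whitespace and line-wrap debris, validate, return bytes."""
    s = dump.strip().rstrip(",")
    if s.startswith("'") and s.upper().endswith("'H"):
        s = s[1:-2]
    s = re.sub(r"\s+", "", s)
    if not re.fullmatch(r"[0-9a-fA-F]*", s):
        raise ValueError("non-hex characters in dump")
    if len(s) % 2:
        raise ValueError("odd number of hex digits: dump is truncated or garbled")
    return bytes.fromhex(s)


def to_text2pcap(packets, width=16) -> str:
    """Format one or more byte strings as text2pcap input.

    text2pcap reads the leading offset as hex and starts a new packet whenever
    it sees an offset of zero, so the width of that field (0000 or 00000000)
    does not matter; every packet restarts at 000000, and within a packet the
    offset is the byte position, which text2pcap uses to sanity-check the dump.
    """
    out = []
    for pkt in packets:
        for off in range(0, len(pkt), width):
            chunk = pkt[off:off + width]
            out.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
        out.append("")   # blank line separates packets
    return "\n".join(out)


def user_dlt_name(dlt: int) -> str:
    """'User 2 (DLT=149)' as Wireshark names the entry in the DLT_USER table."""
    if not DLT_USER_BASE <= dlt <= DLT_USER_BASE + 15:
        raise ValueError("user DLTs are 147..162")
    return f"User {dlt - DLT_USER_BASE} (DLT={dlt})"


def tshark_commands(dlt: int, proto: str, txt="dump.txt", pcap="dump.pcap"):
    """Shell lines for the text2pcap + tshark steps (assumed uat:user_dlts layout)."""
    # Assumption: user_dlts UAT record = encap, payload proto, header size,
    # header proto, trailer size, trailer proto. Verify against your version.
    uat = f'uat:user_dlts:"{user_dlt_name(dlt)}","{proto}","0","","0",""'
    return [
        f"text2pcap -l {dlt} {shlex.quote(txt)} {shlex.quote(pcap)}",
        f"tshark -o {shlex.quote(uat)} -r {shlex.quote(pcap)} -V",
    ]


if __name__ == "__main__":
    pdu = clean_hex(SAMPLE_DUMP)
    print(to_text2pcap([pdu]))
    print("\n".join(tshark_commands(149, "mtp3")))
```

Write the first print to dump.txt, run the two printed commands, and tshark -V shows the MTP3/SCCP/TCAP/MAP tree for the STP dump. If the same steps still give an unknown message for the SGSN dump, the mapping is not the problem: as Luis points out, a dump that does not start with an MTP3 SIO and routing label (or with whatever protocol you tell DLT_USER to expect) is not decodable by picking a different DLT number.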