Ethereal-dev: Re: [Ethereal-dev] SS7 ISUP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Willem <wdit@xxxxxxxxx>
Date: Thu, 15 Jul 2004 23:25:07 +0200
On Thursday 15 July 2004 09:29, Guy Harris wrote:
> On Wed, Jul 14, 2004 at 10:17:22PM +0200, Willem Dekker wrote:
> > What our company (mBalance) is doing is the following.
> > Tap the packet from the ss7 stack (lowest level possible), write it to a
> > file. Then have a small perl script to convert this to the pcap format.
>
> Why not either
>
> 	1) write to the file in pcap format
>
> or
>
> 	2) contribute code to Ethereal to read the format you're writing
>
> and avoid the Perl script step entirely?
You are absolutely correct that the proper way is to either write the C code 
to let Ethereal read the trace files or alternatively to write in pcap format. 
The latter option would mean that we lose some of the information that is 
available and can be useful, like the physical trunk (interface) and timeslot 
information of the T1/E1. The Perl script is just a quick hack. 

With regard to Dimitar's question about capturing the packets: what we did is 
augment the routine that reads the packets from the MTP2 layer to write 
each packet to a socket / file with a small header containing the time, 
direction (RX/TX), timeslot and trunk information. 
We did the same in the routine for handing over packets to the MTP2 layer for 
writing. This approach assumes that you have the source code for the SS7 
stack. 

In the SS7 stack we just write to a file handle; other routines take care of 
opening either a file or a socket (to allow remote tracing), and closing the 
socket of course. 

You can imagine adding a similar engine, like BPF/pcap wiretapping, to allow 
filtering already on the traced packets. 

I am not familiar with Septel cards, so I don't know what kind of facilities 
they offer for tracing. If you have an SS7 stack in source code, you can take 
the approach outlined above. Otherwise you are in for either some serious 
low-level hacking (with reverse engineering and patching code at the 
appropriate places), or maybe you can place a card into high-impedance mode 
and let that card, with a special cable feeding two RX interfaces, read 
the traffic and send it to your tracer. 

Best regards,

Willem Dekker 
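
The conversion step described in this message, as an added example that is not part of the original post and is not mBalance's script: it reads trace records carrying time, direction, trunk and timeslot, and writes pcap with link type LINKTYPE_MTP2 (140). The record layout, `REC_HDR`, `MAX_FRAME` and the sample bytes are assumptions made for illustration; the returned `dropped` list holds the per-packet direction/trunk/timeslot values that have no place in a plain MTP2 pcap record.

```python
import struct

# Hypothetical trace record header (assumed layout, not the format from the post):
# ts_sec, ts_usec, direction (0=RX, 1=TX), trunk, timeslot, pad byte, payload length
REC_HDR = struct.Struct(">IIBBBxH")
LINKTYPE_MTP2 = 140   # libpcap link type for MTP2 signal units
MAX_FRAME = 4096      # assumed sanity bound on a record's claimed length


def parse_trace(buf):
    """Yield (ts_sec, ts_usec, direction, trunk, timeslot, payload) per record."""
    off = 0
    while off < len(buf):
        if len(buf) - off < REC_HDR.size:
            raise ValueError(f"truncated record header at offset {off}")
        sec, usec, direction, trunk, slot, length = REC_HDR.unpack_from(buf, off)
        off += REC_HDR.size
        # Reject headers that cannot be real before trusting the length field.
        if direction > 1 or usec >= 1_000_000 or length > MAX_FRAME:
            raise ValueError(f"implausible record header before offset {off}")
        if len(buf) - off < length:
            raise ValueError(f"payload overruns input at offset {off}")
        yield sec, usec, direction, trunk, slot, buf[off:off + length]
        off += length


def to_pcap(buf, snaplen=MAX_FRAME):
    """Convert a trace buffer to pcap bytes; return (pcap, dropped_metadata)."""
    # pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_MTP2)]
    dropped = []
    for sec, usec, direction, trunk, slot, payload in parse_trace(buf):
        # Per-packet header: ts_sec, ts_usec, captured length, original length
        out.append(struct.pack("<IIII", sec, usec, len(payload), len(payload)))
        out.append(payload)
        dropped.append((direction, trunk, slot))
    return b"".join(out), dropped


# Constructed sample: two short MTP2-like units on trunk 1, timeslot 16
SAMPLE = (
    REC_HDR.pack(1089926707, 100, 0, 1, 16, 3) + bytes([0x80, 0x80, 0x00])
    + REC_HDR.pack(1089926707, 250, 1, 1, 16, 4) + bytes([0x80, 0x81, 0x01, 0x00])
)

if __name__ == "__main__":
    pcap, meta = to_pcap(SAMPLE)
    print(len(pcap), "pcap bytes; metadata not carried over:", meta)
```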
