Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-dev: [Ethereal-dev] Decoding problem for GTPv1

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Yvonne John (DU/EDD)" <yvonne.john@xxxxxxxxxxxx>
Date: Mon, 11 Jul 2005 17:22:28 +0200
Hello,

I am using latest Ethereal version 0.10.11 (WinPcap_3_1_beta4.cap, Windows 2000) to view some GTP captures (taken for gtpv1).

I have noticed that there is an decoding error in the SGSN Context Response message (3GPP TS 29.060, chap. 7.5.3) if the information element MM Context (chap. 7.7.28) contains a Quintuplet array. The Security Mode indicates whether a Quintuplet or Triplet array shall be contained in the MM Context.

For the Quintuplet array the following is defined:
"The Quintuplet array contains Quintuplets encoded as the value in the Authentication Quintuplet information element. The Quintuplet array shall be present if indicated in the Security Mode. If the quintuplet array is present, the Quintuplet length field indicates its length."

This means that the Quintuplet length field contains the length of the whole Quintuplet array. 
The coding of Authentication Quintuplet information element is defined in chap. 7.7.35. Although the Type, Length, Value format (chap. 7.7) is used for the Authentication Quintuplet IE the Quintuplet array in the MM Context IE has to contain only the value parts of the Authentication Quintuplet information elements. 
Thus, the type and length information are removed from each Authentication Quintuplet and are not included in the Quintuplet array of IE MM Context.

The decoding problem observed is that Ethereal decodes the two octets, which proceed the Quintuplet length field, as length value for a Quintuplet, but these two octets already belong to the Quintuplet value. This results in a Malformed Packet.

Well, I have investigated your mailing lists and found out that the same problem was reported for Ethereal v0.9.14 and v0.9.15, too, and that there was obviously a patch provided by Michal Melerowicz in April 2004 (refer to same subject). - It would be great if this patch could be included in future Ethereal release as well because it would prevent a lot of HEX-Decoding.

By the way, how shall I deal with further decoding errors? Can I report them to you as well since I am not a developer?

Regards, Yvonne!
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube