
Ethereal-dev: SV: [Ethereal-dev] Decoding problem for GTPv1

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Tue, 12 Jul 2005 22:35:07 +0200
Hi,
I have checked in a fix that should fix the problem; please check it out, as I
only have a single frame to test with.
You can use the buildbot build from:
http://www.ethereal.com/distribution/buildbot-builds/

If you find any other decoding problems, I can try to take a look at them if
you send me (privately if you like) a trace illustrating the problem.

If you have any traces with ASN.1 coded CDRs, I'd appreciate getting one.
Best regards
Anders


-----Original Message-----
From: ethereal-dev-bounces@xxxxxxxxxxxx
[mailto:ethereal-dev-bounces@xxxxxxxxxxxx] On behalf of Yvonne John (DU/EDD)
Sent: 11 July 2005 17:22
To: ethereal-dev@xxxxxxxxxxxx
Subject: [Ethereal-dev] Decoding problem for GTPv1

Hello,

I am using latest Ethereal version 0.10.11 (WinPcap_3_1_beta4.cap, Windows
2000) to view some GTP captures (taken for gtpv1).

I have noticed that there is a decoding error in the SGSN Context Response
message (3GPP TS 29.060, chap. 7.5.3) if the information element MM Context
(chap. 7.7.28) contains a Quintuplet array. The Security Mode indicates
whether a Quintuplet or Triplet array shall be contained in the MM Context.

For the Quintuplet array the following is defined:
"The Quintuplet array contains Quintuplets encoded as the value in the
Authentication Quintuplet information element. The Quintuplet array shall be
present if indicated in the Security Mode. If the quintuplet array is
present, the Quintuplet length field indicates its length."

This means that the Quintuplet length field contains the length of the whole
Quintuplet array. 
The coding of Authentication Quintuplet information element is defined in
chap. 7.7.35. Although the Type, Length, Value format (chap. 7.7) is used
for the Authentication Quintuplet IE the Quintuplet array in the MM Context
IE has to contain only the value parts of the Authentication Quintuplet
information elements. 
Thus, the type and length information are removed from each Authentication
Quintuplet and are not included in the Quintuplet array of IE MM Context.

The decoding problem observed is that Ethereal decodes the two octets, which
proceed the Quintuplet length field, as length value for a Quintuplet, but
these two octets already belong to the Quintuplet value. This results in a
Malformed Packet.

Well, I have investigated your mailing lists and found out that the same
problem was reported for Ethereal v0.9.14 and v0.9.15, too, and that there
was obviously a patch provided by Michal Melerowicz in April 2004 (refer to
same subject). - It would be great if this patch could be included in a future
Ethereal release as well because it would prevent a lot of HEX-Decoding.

By the way, how shall I deal with further decoding errors? Can I report them
to you as well since I am not a developer?

Regards, Yvonne!
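
Added example, not part of the original thread and not Ethereal's dissector code: a bounds-checked C parser for the Quintuplet array as the message above describes it, where the Quintuplet length covers the whole array and each entry is a bare value with no type or length octets. The field order and widths are assumed from TS 29.060 chap. 7.7.35, and all names and the sample data are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Widths of one quintuplet value, layout assumed from TS 29.060 7.7.35:
 * RAND, XRES, CK, IK, AUTN. 0 marks a field preceded by a 1-octet length. */
static const uint8_t WIDTH[5] = {16, 0, 16, 16, 0};

struct quintuplet { const uint8_t *field[5]; uint8_t len[5]; };

/* arr/arr_len: the octets covered by the Quintuplet length field, i.e. the whole
 * array. Entries carry no type or length octets of their own.
 * Returns the number of quintuplets, or -1 if malformed or more than max_out. */
int parse_quintuplet_array(const uint8_t *arr, size_t arr_len,
                           struct quintuplet *out, int max_out)
{
    size_t off = 0;
    int n = 0;
    while (off < arr_len) {
        if (n == max_out) return -1;
        for (int f = 0; f < 5; f++) {
            size_t w = WIDTH[f];
            if (w == 0) {                      /* XRES or AUTN: read its length */
                if (off == arr_len) return -1;
                w = arr[off++];
            }
            if (w > arr_len - off) return -1;  /* runs past the array: malformed */
            out[n].field[f] = arr + off;
            out[n].len[f] = (uint8_t)w;
            off += w;
        }
        n++;
    }
    return n;
}

/* Constructed sample: count (at most 4) quintuplets with 8-octet XRES and
 * 16-octet AUTN, minus cut trailing octets. Returns the parse result. */
int parse_sample(int count, size_t cut)
{
    uint8_t buf[4 * 74];
    struct quintuplet q[4];
    size_t len = 0;
    for (int i = 0; i < count; i++, len += 74) {
        memset(buf + len, 0xA0 + i, 74);       /* filler for all five fields */
        buf[len + 16] = 8;                     /* XRES length */
        buf[len + 57] = 16;                    /* AUTN length */
    }
    return parse_quintuplet_array(buf, len - cut, q, 4);
}
```

Every length is checked against the remaining octets of the array, so a truncated or inconsistent array is rejected instead of being read past its end.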
