Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-users: Re: [Ethereal-users] Display Filter issues for TCAP and MTP3

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Andreas Fink <andreas@xxxxxxxx>
Date: Wed, 19 Apr 2006 08:27:48 +0200

On 19.04.2006, at 04:40, Jeff Morriss wrote:



Andreas Fink wrote:

Hello,
I'm trying to do a display filter to include a specific TCAP transaction ID which in my example is hex 040F (its displayed like this in the tcap dissector). When I do tcap.id == "040F" it is not being accepted. The dialog to enter this hints me to the fact that only a one byte numerical value is being allowed. this would be wrong as transaction ID's can be one or two bytes.
Hmmm, "tcap.identifier" is registered as FT_BYTES which appears to mean you need to use a filter like "tcap.identifer == 04:0f". 

Oh. that helps to know :)
Similar problem I'm having if I try to filter using mtp3 pointcodes. They are displayed in ITU format X-XXX-X but I cant enter them like this, I must enter them in 14 bit numerical value (which requires external translation by hand).
They should also be displayed on decimal, at least in the MTP3 dissector (something like "Originating Point Code NNNN (X-XXX-X)".
It does at some places. It does not in the summary list when you filter for MTP3 (the places where you would see source IP/destination IP) is the popupated with ITU formatted pointcodes. It also does not in MTP3 management messages like a Routing update (TFP or TFA). That's the part where you really want to see both formattings. Probably easy to fix but my first attempt to play with dissector source resulted in a crash :-/.
Yes, this is one of the problems with the dissection of MTP3 point codes: the structured MTP3 point code string is only appended to the point code item, it is not added as a filterable field (except in ANSI and China ITU where the PCs are always formatted as a 8-8-8 string). (Another problem is that not all dissectors show you the structured format.)
Ok so we should add this to the "todo" list. Might do it myself once I figure out on how to write dissectors properly. EMI/UCP is also a missing one I wanted to add. 




Andreas Fink
Fink Consulting GmbH

---------------------------------------------------------------
Tel: +41-61-6666332 Fax: +41-61-6666331  Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail:  afink@xxxxxxxxxxxxxxxxxx
Homepage: http://www.finkconsulting.com
---------------------------------------------------------------

ICQ: 101946485 MSN: msn1@xxxxxx AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333
PGP9: 0714 DF2B A189 A760 6201  5CBD D040 3E71 4DAF 68BB
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube