
Wireshark-bugs: [Wireshark-bugs] [Bug 5347] New: [NAS EPS] Fix TFT decoding in case of "delete p

Date: Thu, 28 Oct 2010 01:38:27 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5347

           Summary: [NAS EPS] Fix TFT decoding in case of "delete packet
                    filters from existing TFT" operation
           Product: Wireshark
           Version: 1.5.x (Experimental)
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Minor
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: pascal.quantin@xxxxxxxxx


Pascal Quantin <pascal.quantin@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #5386|                            |review_for_checkin?
               Flag|                            |

Created an attachment (id=5386)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5386)
patch to fix decoding of "delete packet filters from existing TFT" operation

Build Information:
Version 1.5.0 (SVN Rev 34661 from /trunk)

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.12.12, with GLib 2.16.6, with libpcap 1.0.0, with
libz 1.2.3.3, without POSIX capabilities, without libpcre, without SMI, without
c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.4.2, with
Gcrypt 1.4.1, with MIT Kerberos, without GeoIP, without PortAudio, without
AirPcap.

Running on Linux 2.6.26-2-686-bigmem, with libpcap version 1.0.0, with libz
1.2.3.3, GnuTLS 2.4.2, Gcrypt 1.4.1.

Built using gcc 4.3.2.

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
When decoding a TFT with "delete packet filters from existing TFT" operation,
Wireshark assumes that the direction field is present:

Non-Access-Stratum (NAS)PDU
    0010 .... = Security header type: Integrity protected and ciphered (2)
    .... 0111 = Protocol discriminator: EPS mobility management messages (7)
    Message authentication code: 0x00000000
    Sequence number: 3
    0000 .... = EPS bearer identity: 0x00
    .... 0010 = Protocol discriminator: EPS session management messages (2)
    Procedure transaction identity: 3
    NAS EPS session management messages: Bearer resource modification request (0xd6)
    0000 .... = Spare half octet: 0
    .... 0110 = Linked EPS bearer identity: EPS bearer identity value 6 (6)
    Traffic Flow Template - Traffic flow aggregate
        Length: 2
        101. .... = TFT operation code: Delete packet filters from existing TFT (5)
        ...0 .... = E bit: Parameters list is not included
        .... 0001 = Number of packet filters: 1
        Packet filter 0
            0010 .... = Packet filter direction: Uplink only (2)
            .... 0000 = Packet filter identifier: 0
    ESM cause
        Element ID: 88
        Cause: Regular deactivation (36)

But according to 3GPP 24.008 chapter 10.5.6.12, "for the "delete packet filters
from existing TFT" operation, the packet filter list shall contain a variable
number of packet filter identifiers. This number shall be derived from the
coding of the number of packet filters field in octet 3."
The direction field is only present in the "create new TFT", "add packet
filters to existing TFT" and "replace packet filters in existing TFT"
operations.

So instead Wireshark should display:
Non-Access-Stratum (NAS)PDU
    0010 .... = Security header type: Integrity protected and ciphered (2)
    .... 0111 = Protocol discriminator: EPS mobility management messages (7)
    Message authentication code: 0x00000000
    Sequence number: 3
    0000 .... = EPS bearer identity: 0x00
    .... 0010 = Protocol discriminator: EPS session management messages (2)
    Procedure transaction identity: 3
    NAS EPS session management messages: Bearer resource modification request (0xd6)
    0000 .... = Spare half octet: 0
    .... 0110 = Linked EPS bearer identity: EPS bearer identity value 6 (6)
    Traffic Flow Template - Traffic flow aggregate
        Length: 2
        101. .... = TFT operation code: Delete packet filters from existing TFT (5)
        ...0 .... = E bit: Parameters list is not included
        .... 0001 = Number of packet filters: 1
        Packet filter 0
            .... 0000 = Packet filter identifier: 0
    ESM cause
        Element ID: 88
        Cause: Regular deactivation (36)
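
The rule quoted in the report, as an added C example (not Wireshark's dissector code and not the attached patch): the layout of each packet filter list entry depends on the TFT operation code, and the entry count from octet 3 is checked against the IE length before each read. The names tft_parse and struct tft_filter are hypothetical, the bytes 0xA1 0x20 are reconstructed from the decode shown above (an assumption, since the raw octets are not in the report), and the parameters list signalled by the E bit is not parsed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TFT operation codes (3GPP TS 24.008, 10.5.6.12) that carry a packet filter list. */
enum { TFT_CREATE = 1, TFT_ADD = 3, TFT_REPLACE = 4, TFT_DELETE_FILTERS = 5 };

struct tft_filter {          /* hypothetical result type for this example */
    uint8_t id;
    int     has_direction;   /* 0 for "delete packet filters from existing TFT" */
    uint8_t direction;
};

/* Parse the TFT value (octet 3 onwards). Returns the number of entries
 * decoded, or -1 if the filter count runs past the end of the IE. */
int tft_parse(const uint8_t *buf, size_t len, struct tft_filter *out, size_t max_out)
{
    if (len < 1) return -1;
    uint8_t op = buf[0] >> 5;
    size_t count = buf[0] & 0x0f, off = 1;
    if (count > max_out) return -1;

    for (size_t i = 0; i < count; i++) {
        if (off >= len) return -1;               /* count exceeds IE length */
        out[i].id = buf[off] & 0x0f;
        if (op == TFT_DELETE_FILTERS) {          /* identifier octets only */
            out[i].has_direction = 0;
            out[i].direction = 0;
            off += 1;
        } else if (op == TFT_CREATE || op == TFT_ADD || op == TFT_REPLACE) {
            if (len - off < 3) return -1;        /* id, precedence, length */
            size_t clen = buf[off + 2];
            if (len - off - 3 < clen) return -1; /* contents truncated */
            out[i].has_direction = 1;
            out[i].direction = (buf[off] >> 4) & 0x03;
            off += 3 + clen;
        } else {
            return -1;                           /* operation has no filter list */
        }
    }
    return (int)count;
}

int main(void)
{
    const uint8_t del[] = { 0xA1, 0x20 };        /* constructed from the decode above */
    struct tft_filter f[15];
    int n = tft_parse(del, sizeof del, f, 15);
    printf("entries=%d id=%u has_direction=%d\n", n, f[0].id, f[0].has_direction);
    return 0;
}
```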
