Wireshark-dev: Re: [Wireshark-dev] Decoding raw SCCP packets using Wireshark

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Thu, 17 Jan 2008 12:56:49 -0500


James Lee wrote:
Hi. I'm trying to use wireshark to decode raw SCCP packets; i.e. the contents of an SCCP packet sent over an SS7 link, but where we have only the packet from the SCCP layer upwards available (so none of the lower-layer protocols like MTP3, MTP2, etc.).

Now I'm trying to do this by outputting the contents of the SCCP message to a binary ASCII file, and then running text2pcap over it as follows: "text2pcap -l 142 input.txt output.pcap" - where 142 is the value of DLT_SCCP, which should be the correct link-layer type here, I believe? Text2pcap is perfectly happy and produces a pcap output file.

When I try to load this file in wireshark, I just get an error complaining about an unknown link layer type of 142. For comparison, I've tried running the exact same text2pcap command but with "-l 141" (which is DLT_MTP3), and wireshark opens the file happily and tries to display an mtp3 packet (though the contents are incorrect as this binary file doesn't contain an mtp3 header).

From this, and from looking at the source code it looks like wireshark doesn't support decoding raw SCCP packets unless I'm missing something - is this correct? If so, then is there a simple way for me to be able to

Yes, Wireshark was not set up to use this DLT value. It's a bit late, I know, but I just added support for it in rev 24119.
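
As an added example (not part of the original messages and not Wireshark or text2pcap code), the sketch below writes a classic pcap file whose link-layer type is 142 (DLT_SCCP) directly from raw SCCP bytes and reads it back, which is the file layout that "text2pcap -l 142" is asked to produce in the thread. The function names and the sample UDT-shaped message are constructed for illustration.

```python
import struct

LINKTYPE_SCCP = 142        # DLT_SCCP, the value given to "text2pcap -l" in the thread
PCAP_MAGIC = 0xA1B2C3D4    # classic pcap, microsecond timestamps
GLOBAL_HDR = "<IHHiIII"    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"       # ts_sec, ts_usec, captured length, original length

# Constructed sample: SCCP UDT (type 0x09), class 0, three pointers,
# called/calling party addresses (SSN only) and two bytes of user data.
SAMPLE_SCCP = bytes.fromhex("0900030507024208024206020102")

def write_pcap(payloads, linktype=LINKTYPE_SCCP, snaplen=65535):
    """Return the bytes of a pcap file with one record per raw payload."""
    out = bytearray(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for seq, data in enumerate(payloads):
        if len(data) > snaplen:
            raise ValueError("payload longer than snaplen")
        # No lower-layer header is added: the record body starts at the SCCP layer.
        out += struct.pack(RECORD_HDR, seq, 0, len(data), len(data)) + data
    return bytes(out)

def read_pcap(blob):
    """Parse a little-endian classic pcap; return (linktype, [payload, ...])."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from(GLOBAL_HDR, blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off, packets = 24, []
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header")
        _, _, caplen, _ = struct.unpack_from(RECORD_HDR, blob, off)
        off += 16
        # Reject lengths that run past the snaplen or the end of the file.
        if caplen > snaplen or off + caplen > len(blob):
            raise ValueError("bad captured length")
        packets.append(blob[off:off + caplen])
        off += caplen
    return linktype, packets

if __name__ == "__main__":
    with open("output.pcap", "wb") as fh:
        fh.write(write_pcap([SAMPLE_SCCP]))
```

Per the reply above, opening such a file needs a Wireshark build that includes rev 24119 or later; older builds report link-layer type 142 as unknown.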