ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] decoding depth & capture format ==> SOLVED

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Marc Lebas" <mlebas@xxxxxxxxxx>
Date: Tue, 3 Mar 2009 10:10:23 -0000
Hi Jeff,

You are right. Actually it was a plain user issue

Thanks a lot for your help.
Marc

-----Message d'origine-----
De : wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] De la part de Jeff Morriss
Envoyé : lundi 2 mars 2009 17:28
À : Developer support list for Wireshark
Objet : Re: [Wireshark-dev] decoding depth & capture format


I think the problem is that the packets are encrypted:

> FCS: 0x3624af  (incorrect, maybe due to ciphering, calculated 
> 0xb5c834)
[...]
> .... .... .... ..1. = E bit:  encrypted frame

The GPRS-LLC dissector does not hand the payload off to the next dissector when this is the case.

I suppose in your other (PCAP) captures the data is not encrypted and/or the checksums are correct.

Marc Lebas wrote:
> Hello Jeff,
> 
> Enclosed is a small capture file (99 records, 27Kb). 
> i can provide you with a bigger file if this excerpt does not contain IP frames.
> 
> Marc
> 
> -----Message d'origine-----
> De : wireshark-dev-bounces@xxxxxxxxxxxxx 
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] De la part de Jeff 
> Morriss Envoyé : vendredi 27 février 2009 15:53 À : Developer support 
> list for Wireshark Objet : Re: [Wireshark-dev] decoding depth & 
> capture format
> 
> 
> 
> Marc Lebas wrote:
>> Hello,
>> Maybe its a User question but that could be a dev issue; anyway there 
>> was no answer to my question on the User's mailing list.
>>
>> The issue : i got different depth in decoding (GPRS over FR), 
>> depending on the capture file format :
>> With rf5, the analysis is limited to GPRS protocol layers, but never 
>> decode IP which is the encapsulated protocol.
>> With libpcap, it is OK; Wireshark go deeper as it is able to decode 
>> encapsulated IP frames in GPRS frames.
>> Why such a behaviour ? Did i missed something in my config ?
>> Here is my config on Linux (but the issue is the same on Windows) :
>> - preferences : fr.encap: GPRS Network Service
>> - cat k12_protos : "gprs_gb","fr"
> 
> Not having ever looked at a GPRS capture in Wireshark, I don't know. 
> (Small) sample captures would help.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube