Wireshark-dev: Re: [Wireshark-dev] text2catapult

From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Fri, 24 Apr 2009 10:56:39 +0100


On Fri, Apr 24, 2009 at 8:33 AM, SOLTANI FATEN <Faten.Soltani@xxxxxxxxxxxxxxxxxx> wrote:


Thanks to everyone who's trying to help me.
Martin, here is an example of the frames which I want to decode; the first
is an ISUP/MTP3 frame and the second is a SIP/IP frame, both of them are
in the same file.
First frame: 85 16 DC 09 13 01 00 01 00 00 01 0A 00 02 09 07 83 90 56
39 56 09 00 0A 07 83 13 78 56 04 00 01 00

Second frame: 43 61 6C 6C 2D 49 44 3A 20 30 30 30 30 30 30 30 30 31 32
33 34 35 36 37 38 0D 0A 43 53 65 71 3A 20 31 20 49 4E 56 49 54 45 0D 0A
43 6F 6E 74 61 63 74 3A 20 73 69 70 3A 73 69 70 40 31 33 32 2E 31 33 32
2E 31 33 32 2E 31 3A 35 30 36 30 0D 0A 4D 61 78 2D 46 6F 72 77 61 72 64
73 3A 20 37 30 0D 0A 53 75 62 6A 65 63 74 3A 20 50 65 72 66 6F 72 6D 61
6E 63 65 20 54 65 73 74 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20
61 70 70 6C 69 63 61 74 69 6F 6E 2F 73 64 70 0D 0A 43 6F 6E 74 65 6E 74
2D 4C 65 6E 67 74 68 3A 20 31 33 39 0D 0A 76 3D 30 0D 0A 6F 3D 75 73 65
72 31 20 35 33 36 35 35 37 36 35 20 32 33 35 33 36 38 37 36 33 37 20 49
4E 20 49 50 34 20 31 33 32 2E 31 33 32 2E 31 33 32 2E 31 0D 0A 73 3D 2D
0D 0A 74 3D 30 20 30 0D 0A 63 3D 49 4E 20 49 50 34 20 31 34 30 2E 31 34
30 2E 31 34 30 2E 31 34 30 0D 0A 6D 3D 61 75 64 69 6F 20 31 30 32 34 20
52 54 50 2F 41 56 50 20 30 0D 0A 61 3D 72 74 70 6D 61 70 3A 30 20 50 43
4D 55 2F 38 30 30 30 0D 0A

The second frame doesn't have an IP header/UDP header.  The dct2000 format doesn't support frames of type sip with no header.
There are frames with protocol "sip" in them, but they have a proprietary udp or tcp or sctpprim header first.

As a quick test, I changed packet-catapult-dct2000.c to allow pure SIP frames to be sent to the SIP dissector, but what you sent wasn't a SIP frame (no request or response line, several mandatory headers missing), so the SIP dissector didn't recognise it as SIP.  If your file format doesn't support the raw data of the frame, Wireshark won't be able to make any sense out of it!

Martin
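To make the two points in this reply concrete (the posted bytes are not a SIP message, and a payload with no IP/UDP header has to be wrapped in something a capture format understands), here is an added example that is not part of this thread and not Wireshark or Catapult code. It takes the second frame exactly as posted above, parses the hex text into bytes, reports why a SIP dissector would reject it (no request or status line, no blank line before the body, and the RFC 3261 mandatory headers To, From and Via absent), and then shows one way to make such a payload readable anyway: prepend a synthetic IPv4/UDP header and write a classic pcap with link type LINKTYPE_IPV4. The endpoint addresses are taken from the Contact and c= lines inside the payload and the port 5060 is an assumption; the first (MTP3/ISUP) frame is not covered, since it would need a different link type rather than an IP/UDP wrapper.

```python
import re
import socket
import struct

# Second frame exactly as posted in the thread (hex text; the line layout is irrelevant).
SECOND_FRAME_HEX = """
43 61 6C 6C 2D 49 44 3A 20 30 30 30 30 30 30 30 30 31 32
33 34 35 36 37 38 0D 0A 43 53 65 71 3A 20 31 20 49 4E 56 49 54 45 0D 0A
43 6F 6E 74 61 63 74 3A 20 73 69 70 3A 73 69 70 40 31 33 32 2E 31 33 32
2E 31 33 32 2E 31 3A 35 30 36 30 0D 0A 4D 61 78 2D 46 6F 72 77 61 72 64
73 3A 20 37 30 0D 0A 53 75 62 6A 65 63 74 3A 20 50 65 72 66 6F 72 6D 61
6E 63 65 20 54 65 73 74 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20
61 70 70 6C 69 63 61 74 69 6F 6E 2F 73 64 70 0D 0A 43 6F 6E 74 65 6E 74
2D 4C 65 6E 67 74 68 3A 20 31 33 39 0D 0A 76 3D 30 0D 0A 6F 3D 75 73 65
72 31 20 35 33 36 35 35 37 36 35 20 32 33 35 33 36 38 37 36 33 37 20 49
4E 20 49 50 34 20 31 33 32 2E 31 33 32 2E 31 33 32 2E 31 0D 0A 73 3D 2D
0D 0A 74 3D 30 20 30 0D 0A 63 3D 49 4E 20 49 50 34 20 31 34 30 2E 31 34
30 2E 31 34 30 2E 31 34 30 0D 0A 6D 3D 61 75 64 69 6F 20 31 30 32 34 20
52 54 50 2F 41 56 50 20 30 0D 0A 61 3D 72 74 70 6D 61 70 3A 30 20 50 43
4D 55 2F 38 30 30 30 0D 0A
"""

def parse_hex_dump(text: str) -> bytes:
    """Convert whitespace-separated hex octets into raw bytes, rejecting anything else."""
    tokens = text.split()
    bad = [t for t in tokens if not re.fullmatch(r"[0-9A-Fa-f]{2}", t)]
    if bad:
        raise ValueError(f"not hex octets: {bad[:3]}")
    return bytes(int(t, 16) for t in tokens)

SECOND_FRAME = parse_hex_dump(SECOND_FRAME_HEX)

# Headers every SIP request must carry (RFC 3261, section 8.1.1).
MANDATORY_REQUEST_HEADERS = ("To", "From", "CSeq", "Call-ID", "Max-Forwards", "Via")
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 \d{3} ")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+)\s*:")

def sip_sanity_report(payload: bytes) -> dict:
    """Explain why a dissector would (or would not) accept this payload as a SIP message."""
    text = payload.decode("ascii", errors="replace")
    head, sep, _body = text.partition("\r\n\r\n")  # SIP needs a blank line before the body
    lines = head.split("\r\n")
    present = {m.group(1).lower() for m in map(HEADER_LINE.match, lines) if m}
    return {
        "start_line": lines[0],
        "start_line_ok": bool(REQUEST_LINE.match(lines[0]) or STATUS_LINE.match(lines[0])),
        "missing": [h for h in MANDATORY_REQUEST_HEADERS if h.lower() not in present],
        "has_header_body_separator": bool(sep),
    }

# Constructed, minimal but well-formed INVITE for comparison (addresses are placeholders).
GOOD_INVITE = (
    b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bKconstructed\r\n"
    b"Max-Forwards: 70\r\nFrom: <sip:alice@example.invalid>;tag=1\r\n"
    b"To: <sip:bob@example.invalid>\r\nCall-ID: constructed-1\r\n"
    b"CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
)

# --- Minimal pcap writer: wrap a header-less payload in IPv4/UDP so Wireshark can dissect it ---
LINKTYPE_IPV4 = 228  # pcap link type whose packets begin directly with the IPv4 header

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; yields 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_encapsulate(payload: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Prepend an IPv4 header and a UDP header (UDP checksum 0 = absent, which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    return ip + udp

def build_pcap(packets, first_ts: int = 0) -> bytes:
    """Classic little-endian pcap: 24-byte global header, then 16-byte record header + packet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IPV4)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", first_ts + i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

if __name__ == "__main__":
    for name, frame in (("posted frame", SECOND_FRAME), ("constructed INVITE", GOOD_INVITE)):
        print(name, sip_sanity_report(frame))
    # Addresses are the ones that appear inside the posted payload; the ports are assumed.
    pkt = udp_encapsulate(SECOND_FRAME, "132.132.132.1", "140.140.140.140", 5060, 5060)
    with open("frames.pcap", "wb") as f:
        f.write(build_pcap([pkt]))
```

Opening the resulting frames.pcap in Wireshark gives an IPv4/UDP packet whose payload still will not dissect as SIP, for exactly the reasons the report lists; the wrapper only solves the "no header" half of the problem, not the "not actually SIP" half.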

Regards

------------------------------

Message: 3
Date: Thu, 23 Apr 2009 18:00:25 +0200
From: "SOLTANI FATEN" <Faten.Soltani@xxxxxxxxxxxxxxxxxx>
Subject: [Wireshark-dev] text2catapult
To: <wireshark-dev@xxxxxxxxxxxxx>
Message-ID: <E68185550026E440866D118AFC41EF6701971BCB@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Hi everyone,
I have a text file which includes an arbitrary mixture of protocols,
which I want to convert into a format readable by Wireshark. But I do
not know which one? I know that catapult can include an arbitrary
mixture of protocols, but the problem is that I do not know the structure
of this file, nor how to convert from text format to catapult format?!
Can someone help me please?!
Regards




------------------------------

Message: 4
Date: Thu, 23 Apr 2009 18:04:47 +0100
From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] text2catapult
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Message-ID:
       <7b8c30e40904231004nd61e107vf51ba3a4bbb023ab@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

If you send a short file with an example of each protocol you want to
support, I can try to convert it (by hand) to show you how it might be
done.
Martin

On Thu, Apr 23, 2009 at 5:00 PM, SOLTANI FATEN <Faten.Soltani@xxxxxxxxxxxxxxxxxx> wrote:

> Hi everyone,
> I have a text file which includes an arbitrary mixture of protocols,
> which I want to convert into a format readable by Wireshark. But I do
> not know which one? I know that catapult can include an arbitrary
> mixture of protocols, but the problem is that I do not know the structure
> of this file, nor how to convert from text format to catapult format?!
> Can someone help me please?!
> Regards
>



Message: 6
Date: Thu, 23 Apr 2009 18:36:21 +0100
From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] text2catapult
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Message-ID:
       <7b8c30e40904231036l7c4039d3i6d4f6dec2d61306c@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Vincent Helfre also created a similar log file format (see bug 3114) that
could maybe be extended to handle your protocols - it might be cleaner to
use that.
I believe he's converted it into a wiretap plugin, so those sources may no
longer be up-to-date.

Just a thought,
Martin

On Thu, Apr 23, 2009 at 6:04 PM, Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx> wrote:

> If you send a short file with an example of each protocol you want to
> support, I can try to convert it (by hand) to show you how it might be
> done.
> Martin
>
>
> On Thu, Apr 23, 2009 at 5:00 PM, SOLTANI FATEN <Faten.Soltani@xxxxxxxxxxxxxxxxxx> wrote:
>
>> Hi everyone,
>> I have a text file which includes an arbitrary mixture of protocols,
>> which I want to convert into a format readable by Wireshark. But I do
>> not know which one? I know that catapult can include an arbitrary
>> mixture of protocols, but the problem is that I do not know the structure
>> of this file, nor how to convert from text format to catapult format?!
>> Can someone help me please?!
>> Regards
>>
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe