
Wireshark-dev: Re: [Wireshark-dev] BIP / CAT-TP protocol support

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Sat, 4 May 2013 18:37:01 +0200
2013/5/3 Kunc Ondrej DC <ondrej.KUNC@xxxxxxxxxxx>

Hello Wireshark community!

 

I need to decode BIP / CAT-TP protocol – and am desperately looking for any kind of either standalone SW or Wireshark plugin to read it – could you please advise if there is such a plugin or any way to decode it? The only reference to bip.dll [but maybe it’s just a coincidence of names] I’ve found is here http://article.gmane.org/gmane.network.wireshark.devel/9668/match=bip but it doesn’t help much – I have already written to Jorge but no reply so far.

 

Thanks a lot for coop / update and have a nice day everyone! :]

Ondrej


Hi Ondrej,

In Wireshark 1.10rc1 there is an embedded ETSI CAT dissector. You can call it by providing the proactive command directly and telling Wireshark how to decode the payload.

For example let's take the following proactive command BER TLV:
D0 42 81 03 01 40 01 82 02 81 82 35 07 02 03 04 02 09 1F 02 39 02 05 78 47 0A 06 54 65 73 74 47 70 02 72 73 0D 08 F4 55 73 65 72 4C 6F 67 0D 08 F4 55 73 65 72 50 77 64 3C 03 02 AD 9C 3E 05 21 01 01 01 01

You can use text2pcap to build a pcap out of this text dump and select the user specific DLT 147:
text2pcap -l 147 input.txt output.pcap

Where input.txt is a text file containing the following line (note that I removed the proactive command tag and the length):
0000 81 03 01 40 01 82 02 81 82 35 07 02 03 04 02 09 1F 02 39 02 05 78 47 0A 06 54 65 73 74 47 70 02 72 73 0D 08 F4 55 73 65 72 4C 6F 67 0D 08 F4 55 73 65 72 50 77 64 3C 03 02 AD 9C 3E 05 21 01 01 01 01

Then open the resulting pcap in Wireshark, select Edit -> Preferences -> Protocols -> DLT_USER. Click on Edit -> New, select DLT User 0 (DLT=147), and in the payload protocol enter etsi_cat and click on OK.

Now Wireshark knows how to dissect the payload and you should get the following output:
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
DLT: 147, Payload: etsi_cat (Card Application Tookit ETSI TS 102.223)
Card Application Tookit ETSI TS 102.223
    Command details: 014001
        Command Number: 0x01
        Command Type: OPEN CHANNEL (0x40)
    Device identity: 8182
        Source Device ID: SIM / USIM / UICC (0x81)
        Destination Device ID: Terminal (Card Reader) (0x82)
    Bearer description: 02030402091f02
        Bearer Description: GPRS / UTRAN packet service / E-UTRAN (0x02)
        Precedence Class: 3
        Delay Class: 4
        Reliability Class: 2
        Peak Throughput Class: 9
        Mean Throuhgput Class: 31
        Packet Data Protocol Type: IP (Internet Protocol, IETF STD 5) (2)
    Buffer size: 0578
        Buffer Size: 1400
    Network Access Name: 06546573744770027273
        APN: TestGp.rs
    Text string: f4557365724c6f67
        Text String Encoding: GSM default alphabet, 8 bits (0xf4)
        Text String: UserLog
    Text string: f455736572507764
        Text String Encoding: GSM default alphabet, 8 bits (0xf4)
        Text String: UserPwd
    UICC/terminal interface transport level: 02ad9c
        Transport protocol type: TCP, UICC in client mode, remote connection (0x02)
        Transport port: 44444
    Other address (data destination address): 2101010101
        Coding of Type of address: IPv4 address (0x21)
        IPv4 address: 1.1.1.1 (1.1.1.1)

You also have a GSM SIM dissector that can be used to perform the dissection of the APDU and call the ETSI CAT dissector when needed. Simply replace the "etsi_cat" protocol name with "gsm_sim".
The following payload:
00 12 00 00 44 D0 42 81 03 01 40 01 82 02 81 82 35 07 02 03 04 02 09 1F 02 39 02 05 78 47 0A 06 54 65 73 74 47 70 02 72 73 0D 08 F4 55 73 65 72 4C 6F 67 0D 08 F4 55 73 65 72 50 77 64 3C 03 02 AD 9C 3E 05 21 01 01 01 01 90 00
will be dissected as:
Frame 1: 75 bytes on wire (600 bits), 75 bytes captured (600 bits)
DLT: 147, Payload: gsm_sim (GSM SIM 11.11)
GSM SIM 11.11
    Class: Unknown (0x00)
    Instruction: FETCH (0x12)
    Length of Expected Response Data: 68
    BER-TLV Tag: Proactive Command (0xd0)
    Card Application Tookit ETSI TS 102.223
        Command details: 014001
            Command Number: 0x01
            Command Type: OPEN CHANNEL (0x40)
        Device identity: 8182
            Source Device ID: SIM / USIM / UICC (0x81)
            Destination Device ID: Terminal (Card Reader) (0x82)
        Bearer description: 02030402091f02
            Bearer Description: GPRS / UTRAN packet service / E-UTRAN (0x02)
            Precedence Class: 3
            Delay Class: 4
            Reliability Class: 2
            Peak Throughput Class: 9
            Mean Throuhgput Class: 31
            Packet Data Protocol Type: IP (Internet Protocol, IETF STD 5) (2)
        Buffer size: 0578
            Buffer Size: 1400
        Network Access Name: 06546573744770027273
            APN: TestGp.rs
        Text string: f4557365724c6f67
            Text String Encoding: GSM default alphabet, 8 bits (0xf4)
            Text String: UserLog
        Text string: f455736572507764
            Text String Encoding: GSM default alphabet, 8 bits (0xf4)
            Text String: UserPwd
        UICC/terminal interface transport level: 02ad9c
            Transport protocol type: TCP, UICC in client mode, remote connection (0x02)
            Transport port: 44444
        Other address (data destination address): 2101010101
            Coding of Type of address: IPv4 address (0x21)
            IPv4 address: 1.1.1.1 (1.1.1.1)
    Status Word: 9000 Normal ending of the command

Then you can easily script the call to text2pcap to automate the pcap creation.

Have fun,
Pascal.
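
One way to script the text2pcap step from the message above, as an added example that is not part of the original post: it checks the D0 tag and BER-TLV length (short form or the 0x81 long form), strips them, and writes the offset-prefixed dump before calling text2pcap -l 147. The function names and file paths are illustrative assumptions.

```python
# Added example; helper names are illustrative, not taken from Wireshark.
import shutil
import subprocess
import sys

PROACTIVE_CMD_TAG = 0xD0   # BER-TLV tag of a proactive command
DLT_USER0 = 147            # link type passed to text2pcap -l


def strip_proactive_header(hex_dump: str) -> bytes:
    """Return the proactive command body, without its tag and length."""
    data = bytes.fromhex(hex_dump)
    if len(data) < 2 or data[0] != PROACTIVE_CMD_TAG:
        raise ValueError("not a proactive command (expected tag D0)")
    first = data[1]
    if first < 0x80:            # short form: one length byte
        length, start = first, 2
    elif first == 0x81:         # long form: 0x81 then one length byte
        if len(data) < 3:
            raise ValueError("truncated length field")
        length, start = data[2], 3
    else:
        raise ValueError(f"unsupported length byte 0x{first:02x}")
    body = data[start:]
    if len(body) != length:     # catches truncated dumps and trailing bytes
        raise ValueError(f"length field says {length}, got {len(body)} bytes")
    return body


def to_text2pcap(body: bytes, width: int = 16) -> str:
    """Format bytes as offset-prefixed hex rows that text2pcap accepts."""
    rows = [f"{off:06x} " + body[off:off + width].hex(" ")
            for off in range(0, len(body), width)]
    return "\n".join(rows) + "\n"


def build_pcap(hex_dump: str, txt_path: str, pcap_path: str) -> bool:
    """Write the text dump, then run text2pcap if it is on PATH."""
    with open(txt_path, "w") as fh:
        fh.write(to_text2pcap(strip_proactive_header(hex_dump)))
    if shutil.which("text2pcap") is None:
        return False
    subprocess.run(["text2pcap", "-l", str(DLT_USER0), txt_path, pcap_path], check=True)
    return True


if __name__ == "__main__":
    ok = build_pcap(sys.argv[1], sys.argv[2], sys.argv[3])
    print("pcap written" if ok else "text2pcap not found; text dump written only")
```

The length check rejects a dump that still carries the APDU header or status word; that form is the one to feed to the gsm_sim dissector unchanged.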