
Wireshark-dev: [Wireshark-dev] SCCP and CAMEL packets

From: Cristian Constantin <const.crist@xxxxxxxxxxxxxx>
Date: Sat, 25 May 2013 23:31:45 +0200
hi!

I am using wireshark:

wireshark 1.8.6

Copyright 1998-2013 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 3.4.2, with Cairo 1.12.2, with Pango 1.30.0, with
GLib 2.32.4, with libpcap, with libz 1.2.7, with POSIX capabilities (Linux),
with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python, with GnuTLS
2.12.20, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with PortAudio
V19-devel (built Apr 16 2011 18:31:04), with AirPcap.

Running on Linux 3.2.0-3-amd64, with locale en_US.UTF-8, with libpcap version
1.2.1, with libz 1.2.3.4, GnuTLS 2.12.20, Gcrypt 1.4.6, without AirPcap.

Built using gcc 4.7.2.

I do NOT really understand how the SCCP users table functions.
facts:

1. I download the capture posted at:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=camel.pcap

and I open it with wireshark.

2. after editing the SCCP users table to contain:

NI = 2
Called DPC = 100
Called SSN = 200
User Protocol = CAMEL

wireshark will correctly decode the payload of the SCCP unit data as TCAP/CAP.
(the NI, DPC, SSN above match the ones in the SCCP packets)

3. I download the capture posted at:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=camel2.pcap

and I open it with wireshark.

4. after editing the SCCP users table to contain:

NI = 2
Called SSN = 146
User Protocol = CAMEL

wireshark WON'T decode the payload, showing it as opaque data in hex.
the NI and SSN above match the ones in the SCCP packets. however in
this case there are NO PC either in the called address or in the
calling one; both of them use global titles.

what is wrong?

thanks a lot!
bye now !
cristian