
Wireshark-dev: [Wireshark-dev] TCAP SRT incorrectly matches TC_BEGINs and TC_ENDs

From: Conall Prendergast <conall.prendergast@xxxxxxxx>
Date: Wed, 24 May 2017 17:19:07 +0100

Hi All,

I have been analyzing a TCAP trace with Wireshark with the tcap.srt and tcap.persistentsrt options set to "TRUE".

This should correctly match TCAP Begins (using 2 pass analysis) with their associated TCAP Ends, and vice versa.

I have attached two files, "correct_matches.pcap" and "incorrect_matches.pcap", that demonstrate some spurious behavior. These two files are from the same feed, and "correct_matches.pcap" contains packets 5, 11, 15, and 19 from "incorrect_matches.pcap".

"correct_matches.pcap" will correctly match packet 1 (TC_BEGIN) with packet 4 (TC_END), and packets 2 and 3 similarly. However, when these packets are analysed with the rest of the feed (incorrect_matches.pcap), these very same packets do not match up.

Instead, packet 5 (packet 1 from "correct_matches") matches with packet 15 (3) instead of packet 19 (4).

As you can guess, this is unexpected behavior.

So in summary, correct_matches.pcap contains:
1 => 4
2 => 3

incorrect_matches contains:
5 => 15
11 => x
x => 19

and the mapping of correct_matches to incorrect_matches is:
1 => 5
2 => 11
3 => 15
4 => 19


Any and all help is appreciated.
Thanks,
Conall

Attachment: correct_matches.pcap
Description: Binary data

Attachment: incorrect_matches.pcap
Description: Binary data