Wireshark-users: Re: [Wireshark-users] Using LTE-MAC over UDP heuristic
From: Martin Mathieson <[email protected]>
Date: Wed, 24 Mar 2010 15:59:54 +0000
Hi Raju,
The UDP heuristic dissector isn't for use with dct2000 (now known as IxCatapult) .out files; it's a separate way to supply the MAC dissector with the info it needs.

There is a sample C program linked from the MAC-LTE wiki page that will send MAC frames over UDP with the header format that the heuristic dissector understands.
- that program can send frames to a given machine name or IP address, where Wireshark can capture those UDP frames in the normal way
- there is a pattern on the front of the UDP payload that matches what the heuristic dissector is checking for
- it parses the UDP framing info to get the context the MAC-LTE dissector needs in order to fully decode the frame that follows

The program is BSD licensed, and the intention was that you could build this functionality into your equipment that deals with MAC frames and configure it to send to a machine running Wireshark.

The alternative is to have Wireshark understand MAC frames from a special file format, which is what I did with our .out files.  I wouldn't recommend you try to use the .out file format if you're not using IxCatapult equipment.

Hope this helps,

On Wed, Mar 24, 2010 at 12:06 PM, Raju Udava <raju.us@gmail.com> wrote:
This is what I tried out, but I wasn't able to see MAC parsed information:
a) Enabled mac-lte protocol option in "Enabled Protocols"
b) Enabled "Try heuristic sub-dissectors first" option for UDP
c) Created a .out file using text2pcap, with dummy UDP header.
d) UDP payload was started with "mac-lte" tag followed by information as specified in packet-mac-lte.h
When I opened the output file in Wireshark, I couldn't see MAC protocol information & the packet was still being displayed as UDP.
Please let me know if I need to use any specific UDP ports, or if I am missing an option that needs to be enabled.
If anyone has sample catapult 2000 file for MAC-LTE, please post.
000000 6d 61 63 2d 6c 74 65 01 00 03 01 21 02 1f 00 10 00 00 00 00
text2pcap.exe -u 99,99 input.txt output.txt
Opened output.txt in Wireshark. It was showing just as a normal packet.
Thanks in advance.

Raju Udava
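
Added example, not part of the thread and not the sample program from the wiki: a bounds-checked C parser for the framing the reply describes (signature pattern, fixed context bytes, tagged fields, then the MAC frame), run over the payload bytes from the quoted message. The tag values are recalled from packet-mac-lte.h and are an assumption to check against your Wireshark source; parse_mac_lte_framing and mac_lte_ctx are hypothetical names, and only two optional tags are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag values as recalled from Wireshark's packet-mac-lte.h (assumption:
   check them against the header in your Wireshark source tree). */
#define START_STRING "mac-lte"
#define PAYLOAD_TAG  0x01  /* MAC PDU follows, runs to end of datagram */
#define RNTI_TAG     0x02  /* 2 bytes, network order */
#define UEID_TAG     0x03  /* 2 bytes, network order */

struct mac_lte_ctx {
    uint8_t radio_type, direction, rnti_type;
    uint16_t rnti, ueid;
    size_t pdu_off, pdu_len;
};

/* UDP payload bytes copied from the hex line in the quoted message. */
static const uint8_t sample[] = {
    0x6d,0x61,0x63,0x2d,0x6c,0x74,0x65, 0x01,0x00,0x03, 0x01,
    0x21,0x02,0x1f,0x00,0x10,0x00,0x00,0x00,0x00 };

/* Returns 0 and fills *c if the framing parses, -1 otherwise. */
int parse_mac_lte_framing(const uint8_t *b, size_t len, struct mac_lte_ctx *c)
{
    size_t sig = strlen(START_STRING), off = sig;
    memset(c, 0, sizeof *c);
    /* Need the signature, 3 fixed bytes and at least the payload tag. */
    if (len < sig + 4 || memcmp(b, START_STRING, sig) != 0) return -1;
    c->radio_type = b[off++];
    c->direction  = b[off++];
    c->rnti_type  = b[off++];
    while (off < len) {
        uint8_t tag = b[off++];
        if (tag == PAYLOAD_TAG) {
            c->pdu_off = off; c->pdu_len = len - off;
            return 0;
        }
        if (len - off < 2) return -1;      /* truncated 2-byte field */
        uint16_t v = (uint16_t)((b[off] << 8) | b[off + 1]);
        off += 2;
        if (tag == RNTI_TAG) c->rnti = v;
        else if (tag == UEID_TAG) c->ueid = v;
        else return -1;                    /* tag outside this subset */
    }
    return -1;                             /* no payload tag found */
}

int main(void) {
    struct mac_lte_ctx c;
    int rc = parse_mac_lte_framing(sample, sizeof sample, &c);
    printf("rc=%d rnti_type=%u pdu_off=%zu pdu_len=%zu\n",
           rc, (unsigned)c.rnti_type, c.pdu_off, c.pdu_len);
    return rc ? 1 : 0;
}
```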
