author | Harald Welte <laforge@osmocom.org> | 2023-09-02 13:16:33 +0200 |
---|---|---|
committer | Harald Welte <laforge@osmocom.org> | 2023-09-02 13:16:54 +0200 |
commit | 5ca585e4b0bd3847a3fac50118bb1c939279b18f (patch) | |
tree | 70c1bfa98d134961be4d4c4348ec5abf03cf6eaa | |
parent | 5abbb2cb2e98f0d041e916e4081cfe1e4ddbf5b2 (diff) |
Add dissector for weird proprietary DLT_USER=162 format of 3GPP pcaps
We received some pcap files from a customer which contained protocol
traces in a proprietary format (generated by unknown software/tools).
The format uses DLT_USER=162 with some proprietary header that describes
the next-layer protocol (like SGsAP, RANAP, TCAP, MTP3) and various
other bits we have no idea about.
Let's try to figure out where the next-layer payload is and pass that
to existing wireshark dissectors.
-rw-r--r-- | dlt162_3gpp.lua | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/dlt162_3gpp.lua b/dlt162_3gpp.lua
new file mode 100644
index 0000000..623f586
--- /dev/null
+++ b/dlt162_3gpp.lua
@@ -0,0 +1,67 @@
+-- wireshark LUA dissector for an unknown USER_DLT=162 protocol
+-- generated by some unknown equipment in a 3GPP cellular network.
+--
+-- (C) 2023 by Harald Welte <laforge@gnumonks.org>
+-- SPDX-License-Identifier: GPL-2.0+
+--
+-- Usage: Move (or symlink) this file to your "personal lua plugins"
+-- folder that can be found in the Wireshark Help->About
+-- Wireshark->Folders tab Windows: %APPDATA%\Wireshark\plugins.
+-- Unix-like systems: ~/.local/lib/wireshark/plugins.
+
+dlt162_protocol = Proto("dlt162", "DLT162 3GPP Protocol")
+
+local ranap_diss = Dissector.get("ranap")
+local mtp3_diss = Dissector.get("mtp3")
+local tcap_diss = Dissector.get("tcap")
+local sgsap_diss = Dissector.get("sgsap")
+
+local f_subprotocol = ProtoField.string("subprotocol", "Sub-Protocol")
+local f_subprotocol_len = ProtoField.uint8("subprotocol_len", "Sub-Protocol Length")
+
+dlt162_protocol.fields = {
+ f_subprotocol, f_subprotocol_len,
+}
+
+function dlt162_protocol.dissector(tvb, pinfo, tree)
+ pinfo.cols.protocol = dlt162_protocol.name
+
+ local subtree = tree:add(dlt162_protocol, tvb(), "DLT 162")
+
+ -- FIXME: verify that first 3 bytes are 00 01 00, as we don't know their meaning
+ local strlen = tvb(3,1):uint()
+ local str = tvb(4,strlen):string()
+ local len_offs
+ local diss
+ local payload_len
+
+ subtree:add(f_subprotocol, tvb(4, strlen))
+
+ if str == "ranap" then
+ len_offs = 0x27
+ diss = ranap_diss
+ elseif str == "sgsap" then
+ len_offs = 0x2b
+ diss = sgsap_diss
+ elseif str == "tcap" then
+ len_offs = 0x23
+ diss = tcap_diss
+ elseif str == "mtp3" then
+ len_offs = 0x0b
+ diss = mtp3_diss
+ end
+
+ if len_offs then
+ subtree:add(f_subprotocol_len, tvb(len_offs, 1))
+ payload_len = tvb(len_offs, 1):uint()
+ end
+
+ if diss ~= nil and payload_len then
+ diss:call(tvb(len_offs+1, payload_len):tvb(), pinfo, tree)
+ end
+
+ return tvb:len()
+end
+
+function dlt162_protocol.init()
+end
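Review bot: The dissector slices `tvb(3,1)`, `tvb(4,strlen)`, `tvb(len_offs, 1)` and `tvb(len_offs+1, payload_len)` without ever comparing against `tvb:len()`, so a short, truncated or mis-identified frame aborts with a Lua range error from the TvbRange constructor instead of being reported as a malformed packet. Adding `if tvb:len() < 4 then return 0 end` after the subtree is created, and tightening the final guard to `if diss ~= nil and payload_len and len_offs + 1 + payload_len <= tvb:len() then`, keeps the script alive on bad input. The length field is read as one `uint8`, so payloads above 255 bytes presumably cannot be described by this header; a comment beside `f_subprotocol_len` recording that observed limit would help whoever extends the per-protocol offset table. Nothing in the file binds the Proto to a dissector table, so as written it only runs once the user maps DLT 162 in the DLT_USER preference; either documenting that step in the usage header or registering at file scope with `DissectorTable.get("wtap_encap"):add(wtap.USER15, dlt162_protocol)` would make the plugin work without manual configuration.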