Wireshark · Ethereal-users: Re: [Ethereal-users] MGCP Decoding

Ethereal-users: Re: [Ethereal-users] MGCP Decoding

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>

Date: Sun, 21 Jan 2001 20:33:03 -0800

On Sun, Jan 21, 2001 at 08:14:44PM -0800, trent brown wrote:
> I'm fairly new to Ethereal (fantastic tool though) and am using it to
> trace and decode mgcp dialog. I was hoping to poke through the mgcp
> decode source but apparently it is a plugin - is the source availible?

Yes, because the source to the MGCP dissector comes with the Ethereal
distribution, but you have to know where to look; look in the
"plugins/mgcp" directory.

> The MGCP traces also show a few "malformed frame" messages that list as
> UDP rather than MGCP. Is there is a generic problem decoding MGCP such
> that larger frames (or any size for that matter) cannot be decoded?

A "Malformed Frame" message indicates that the frame is too *small*, not
that it's too *large*; it means that the MGCP dissector tried fetching
some data from the packet but that data was past the end of the packet,
i.e. the MGCP dissector thought the packet should be at least that big,
but it wasn't, which means either that

	1) the MGCP dissector isn't properly handling the packet

or

	2) the packet really *is* malformed - it's missing data that
	   should've been there.

("Short Frame" means it's not past the end of the packet, but it's past
the end of the data that was actually captured - many capture programs,
including tcpdump and Ethereal, let you specify that the capture should
get no more than N bytes of the packet, which saves CPU time copying
that data and writing it to a capture file, and saves disk space, but
means you may not have all the data you want.)

It lists as UDP because the MGCP dissector doesn't tag the packet in the
"Protocol" column as being MGCP until after it's called the SDP
dissector.

If it's truly not desired that an MGCP packet containing SDP data be
listed as "MGCP/SDP" in the Protocol column, the MGCP dissector should
set the column to "MGCP" before fetching *anything* from the packet, so
that if it goes past the end of the packet the packet will still get
correctly marked as MGCP, and should also do so after calling the SDP
dissector.

If it is OK for an MGCP packet containing SDP data to be listed as
"MGCP/SDP" in the Protocol column - other protocols work that way, e.g. 
RTSP - then it doesn't have to do anything after calling the SDP
dissector, because the SDP dissector doesn't overwrite the Protocol
column, it appends "/SDP" to it.

Follow-Ups:
- Re: [Ethereal-users] MGCP Decoding
  - From: Guy Harris

References:
- [Ethereal-users] MGCP Decoding
  - From: trent brown

Prev by Date: [Ethereal-users] MGCP Decoding
Next by Date: [Ethereal-users] Obtain Biotech IPOs! 56
Previous by thread: [Ethereal-users] MGCP Decoding
Next by thread: Re: [Ethereal-users] MGCP Decoding
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$