TCAP is a user of SCCP or SUA. As such, a TCAP packet includes a SUA or SCCP packet. If Wireshark doesn't show it as TCAP, it might be the fact that the packet is invalid and thus the SUA payload is not considered as a TCAP packet. The reasons for this can be many. One obvious one would be that the TCAP preferences are looking for ITU-TCAP, not the US proprietary ANSI version of TCAP. I believe this is somewhere hidden in the settings.
The second reason would be simply the packet being screwed up.
On 13.12.2007, at 11:58, Marc Grün wrote:
Ethereal (Version 0.10.13) was already installed in the computer I'm using, and I know well it is obsolete. I'm using Wireshark Version 0.99.6 (SVN Rev 22249).
I added the out files for Ethereal and Wireshark concerning that packet. Ethereal is the only one to label it malformed, it goes fine with Wireshark.
I would not bother anyway, but what bugs me in fact is that TCAP is a Layer-7 (Application) protocol, whereas (I might be wrong, but well) SUA seems to belong to an inferior layer: how can they qualify both the very same packet? Which layers does in fact this SUA implement?
Guy Harris <guy@xxxxxxxxxxxx> wrote:
Marc Grün wrote:
> I'm doing communication between two machines using the SCCP User
> Adaptation (SUA) protocol. Using both Ethereal and Wireshark to capture
> the corresponding packets, I realized that Ethereal shows the
> connectionless datagram ones as "TCAP CLDT" (and they are said to be
> malformed...) whereas Wireshark shows the same as "SUA (RFC 3868) CLDT".
>
> Where does this divergence come from?
Probably from a change in one of the dissectors between the two versions of the software; the difference between "Ethereal" and "Wireshark" is that "Ethereal" is the name the software had up to version 0.99.0 and "Wireshark" is the name it had starting with version 0.99.2 (I don't remember what happened to 0.99.1). See
http://www.wireshark.org/faq.html#q1.2
for why the name changed.
What are the version numbers of the two releases you're using? And do you have a small capture file that demonstrates this (if you can just extract one packet from the capture and read that into the two versions and see the behavior, that would be ideal)?
Also, are the packets said to be malformed in the newer version? If so, it might be that the older version wasn't correctly dissecting them.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
<wireshark.out> <ethereal.out>
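The two causes named in the first reply (a malformed packet, or a payload that is ANSI rather than ITU TCAP) can be told apart by hand. The following is an added example, not code from the thread or from Wireshark: it walks a SUA message, pulls the Data parameter out of a CLDT, and classifies the first TCAP tag. The tag values are taken from RFC 3868, ITU-T Q.773 and ANSI T1.114 as assumptions, and the sample messages are constructed and carry only a Data parameter.

```python
import struct

SUA_CL_CLDT = (7, 1)      # RFC 3868: message class 7 (connectionless), type 1 (CLDT)
SUA_PARAM_DATA = 0x010B   # RFC 3868 "Data" parameter tag
ITU_TCAP = {0x61: "Unidirectional", 0x62: "Begin", 0x64: "End",
            0x65: "Continue", 0x67: "Abort"}
ANSI_TCAP = {0xE1: "Unidirectional", 0xE2: "QueryWithPerm", 0xE3: "QueryWithoutPerm",
             0xE4: "Response", 0xE5: "ConversationWithPerm",
             0xE6: "ConversationWithoutPerm", 0xF6: "Abort"}

def parse_sua(msg):
    """Return (class, type, {tag: value}); raise ValueError if malformed."""
    if len(msg) < 8:
        raise ValueError("short common header")
    version, _, mclass, mtype, length = struct.unpack("!BBBBI", msg[:8])
    if version != 1 or length != len(msg):
        raise ValueError("bad version or message length")
    params, off = {}, 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated parameter header")
        tag, plen = struct.unpack("!HH", msg[off:off + 4])
        if plen < 4 or off + plen > length:   # plen counts the 4-byte TLV header
            raise ValueError("bad parameter length")
        params[tag] = msg[off + 4:off + plen]
        off += (plen + 3) & ~3                # values are padded to 4 bytes
    return mclass, mtype, params

def classify(msg):
    """Say which layer a dissector could legitimately label this packet with."""
    try:
        mclass, mtype, params = parse_sua(msg)
    except ValueError as exc:
        return f"malformed SUA: {exc}"
    if (mclass, mtype) != SUA_CL_CLDT:
        return "SUA, not CLDT"
    data = params.get(SUA_PARAM_DATA)
    if not data:
        return "SUA CLDT, no Data parameter"
    if data[0] in ITU_TCAP:
        return "SUA CLDT carrying ITU TCAP " + ITU_TCAP[data[0]]
    if data[0] in ANSI_TCAP:
        return "SUA CLDT carrying ANSI TCAP " + ANSI_TCAP[data[0]]
    return f"SUA CLDT, payload is not TCAP (first tag 0x{data[0]:02x})"

def make_cldt(payload):
    """Constructed sample: a CLDT holding only a Data parameter."""
    p = struct.pack("!HH", SUA_PARAM_DATA, 4 + len(payload)) + payload
    p += b"\0" * (-len(payload) % 4)
    return struct.pack("!BBBBI", 1, 0, 7, 1, 8 + len(p)) + p
```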