Wireshark-users: Re: [Wireshark-users] Hex Stream Decode (SCCP)
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Andreas Fink <afink@xxxxxxxxxxxxx>
Date: Thu, 14 Aug 2008 15:27:55 +0200
go to wireshark preferences,
select protocol
 select DLT_USER
 add an entry into the encapsulation table
encap = user2 (DLT=149) (or whatever you use in the -l step in text2pcap)
header size =0
header proto = mtp3
trailer size = 0
trailer proto = mtp3

put the following into a text file

00000000 83 28 22 82 d8 09 01 03 0e 19 0b 12 08 00 11 04 43 26 92 69 11 01 0b 12 06 00 11 04 72 28 19 10 63 06 5d 64 5b 49 04 5b ba 83 0a 6b 2a 28 28 06 07 00 11 86 05 01 01 01 a0 1d 61 1b 80 02 07 80 a1 09 06 07 04 00 00 01 00 14 03 a2 03 02 01 00 a3 05 a1 03 02 01 00 6c 27 a2 25 02 01 01 30 20 02 01 2d 30 1b 04 08 56 05 81 23 00 20 25 f9 a0 0f 81 07 91 72 28 19 40 40 f7 04 04 00 01 a1 15 


(this is a address nuber 000000 + all your bytes separated with spaces, all on one line)


run

text2pcap -l 149 textfile binary.cap


open binary.cap in wireshark.

that worked for me.

the message is a response to a SendRoutingInfoForSM. It comes from a HLR, not a VLR.



On 14.08.2008, at 14:18, Hoosain Madhi wrote:

Hi Wireshark Users

In a previous post I was trying to decode a hexdump originating from an STP/VLR. A text2pcap -l 141 sccp_hex.txt sccp_hex.pcap solved my problem in that I was able to import the pcap file into wireshark.

I am now trying to decode a messageDump originating on an SGSN, however -l 141 does not work. Any Ideas on what message I am dealing with and how I can decode.

The messageDump is reproduced below :

e10000000106040f42b04850d1233340d1273945d429374f08000000000000000782117807a40e038b2000f30a40000000002ca48b3a40382647cea
4023a0000000027010000030044624248046000e5d36b1a281806070011860501 0101a00d600ba109060704000001000e036c1ea11c02010102013
83014800802083103715994f7020103050081008301010504765d702ba0068300840204249e5d9e040e66016563a45818846df1f99d07398301018d4402
088945d48b45d48945e083ec04ff75e8ff75e0ff75e4ff75dce84b510000588845d833c08a45c53c097406408845c5eba3c745ecfe0000008d45ec8945dc8d0
5d46000008945e48d05d460

 
--
Hoosain Madhi
Network Quality - Service Assurance
Group Mobile Engineering
Vodacom


----------------------------------------------------------------------------------------------
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 23 Jul 2008 09:40:37 -0400

Actually it appears to me that the capture starts at the MTP3 SIO (0x83 is SCCP in a national network). Following your step 1 but substituting this for step 2): 
text2pcap -l 141 sccp_hex.txt sccp_hex.pcap
results in a capture file that decodes MTP3, SCCP, TCAP, and GSM MAP portions reasonably (the resulting locationInfoWithLMSI has a country code of South Africa which matches Hoosain's email address so I presume this is a proper decoding). 
(Doing this also means you can skip step 3.)


----------
Abhik Sarkar wrote:

Hi!

Looking at the dump it looks like like messageDump is not an SCCP
message, but SCCP payload (a MAP returnError). Do decode this...

Step 1) In a plain text file, put the dump as in the following line:
0000 83 28 22 82 d8 09 01 03 0e 19 0b 12 [... and so on until the end
of the dump with the 'H in the end, with a space in the end before the
EOL and a space in between every byte]
Step 2) text2pcap -l 150 pdu.txt pdu.cap
Step 3) In Wireshark (version 1.0.x), before opening the file, go to
Edit > Preferences > Protocols > DLT_USER > Edit > New
Add a mapping for DLT 150 to payload_proto "gsm_map"... save and close
all dialog.
Step 4) Now, open the generated capture file.

Good luck!
Abhik.

On Tue, Jul 22, 2008 at 10:31 AM, Hoosain Madhi <madhih@xxxxxxxxxxxxx> wrote:

Good day

We are trying to decode a HEX stream that part of a Q3 message generated on
a Siemens STP (SSNC). The output in Q3 format is shown below. The part that
we interested in is the messageDump reproduced below for convenience.  The
Dump is in Hex Format and is actually an SCCP message. We Need to decode
this message in a human readable format.

1. Any idea on how to convert to a format that Wireshark will understand?
2. This message may require a dummy MTP layer to be added.
3. Commercial protocol analyzers require a 00000F appended to the beginning
of the message.


                                             messageDump
'1

“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users