Wireshark-users: Re: [Wireshark-users] STANAG 5066 SIS Dissector and ACP142/DMP
From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Fri, 2 Jan 2015 14:04:22 +0100


Le 2 janv. 2015 13:46, "pogiako" <pogiako@xxxxxxxxxxxxxxx> a écrit :
>
> On 2015-01-02 08:10, Pascal Quantin wrote:
>>
>> Le 2 janv. 2015 02:49, "Ricardo Cristian Ramirez"
>> <r.cristian.ramirez@xxxxxxxxx> a écrit :
>>  >
>>  > Hi,
>>  >
>>  > I have been analyzing Acp 142 (P_Mul) data over IP network and
>>  > everything was fine. However, I couldn't analyze Acp 142 data over
>> HF
>>  > network (STANAG 5066).
>>  >
>>  > S'5066 SIS dissector displays the data section (UPDU) succesfully
>> but
>>  > this UPDU contains transport layer header of S'5066 network when
>> the
>>  > S'5066 client is TMMHS client (so that it cannot be dissected by
>> Acp
>>  > 142). The name of the discussed transport layer is RCOP/UDOP and
>>  > details are given in STANAG 5066 Ed. 2 ANNEX F.8 and F.9. Header
>> bytes
>>  > can be seen as the first six bytes of data section in the
>> attachment
>>  > before.cap (00 0X 00 00 20 00).
>>  >
>>  > S'5066 provides HF subnetwork serivce to different type of clients.
>>  > Specification describes a transport layer for some clients like Acp
>>  > 142 and DMP but not for all of them. Since RCOP/UDOP header
>> definition
>>  > are given in S'5066 specification, consuming these header bytes in
>>  > S'5066 SIS dissector may be appropriate. The attachment
>> s5066sis.diff
>>  > suggests below changes:
>>  >
>>  > - When the client type is TMMHS, RCOP or UDOP client (sapid == 2, 6
>>  > and 7), add a tree item after the pdu type tree item and display
>>  > transport layer content
>>  > - If the incoming SIS primitive doesn't contain a UPDU (e.g.
>>  > BIND_ACCEPTED), don't add tree item
>>  > - Specify an application identifier and register it to the
>> dissector
>>  > table ("s5066sis.ctl.appid"). This identifier is used to call
>> related
>>  > dissector (Acp 142 or DMP). This make sense because there are
>>  > different application identifiers for Acp 142 (0x2000 TMI-1) and
>> DMP
>>  > (0x2003 TMI-4).
>>  > - If there is not a defined application for the incoming data, call
>>  > data handle dissector as usual
>>  > - After the above changes, P_Mul tells that it accepts data when
>> the
>>  > application identifier is 0x2000.
>>  > dissector_add_uint ("s5066sis.ctl.appid", 0x2000, p_mul_handle);
>>  > - And in DMP (by the way, I didn't tested DMP):
>>  > dissector_add_uint ("s5066sis.ctl.appid", 0x2003, dmp_handle);
>>  >
>>  > The view of the tree is like in atachment after.png
>>  >
>>  > I'm not a wireshark expert but these changes solved my problem. If
>>  > there is a better solution, please direct me the right way.
>>  >
>>  > Note: Sometimes, discussed changes causes malformed data assertion
>> for
>>  > P_Mul dissector from the statement "DISSECTOR_ASSERT (pkg_data);",
>>  > just before the return statement in the register_p_mul_id()
>> function.
>>  > When I looked the calls of this function, there is a null check
>>  > everytime it is called. Hence, I removed the assertion and it seems
>>  > that everytihng is normal.
>>  >
>>  > Thanks.
>>  >
>>
>> Hi Ricardo,
>>  Thanks for your patch. The best way to go forward is to fill a bug on
>> bugs.wireshark.org [1] and upload your patch to Gerrit (as explained
>>
>> in the developer guide:
>> https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html#ChSrcSend
>> [2]). Then your changes will be reviewed and discussed before being
>>
>> merged once everything is OK.
>>
>> Regards,
>>  Pascal.
>>
>>
>> Links:
>> ------
>> [1] http://bugs.wireshark.org
>> [2]
>> https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html#ChSrcSend
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
> Hello!
>
> How do I correctly call Wireshark? I am just learning Wireshark. I start Wireshark like: "sudo wireshark" and have been prompted every time that what I'm doing isn't recommended. How then should I call it?
>
> Thanks!
>
> Regards!
>

Hi,

See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges
Next time it would be better to start a new thread when asking a question not related to the initial subject.

Regards,
Pascal.