Add dissector for weird proprietary DLT_USER=162 format of 3GPP pcaps
We received some pcap files from a customer which contained protocol traces in a proprietary format (generated by unknown software/tools). The format uses DLT_USER=162 with some proprietary header that describes the next-layer protocol (like SGsAP, RANAP, TCAP, MTP3) and various other bits we have no idea about. Let's try to figure out where the next-layer payload is and pass that to existing wireshark dissectors.
This commit is contained in:
parent
5abbb2cb2e
commit
5ca585e4b0
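--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,67 @@
+-- wireshark LUA dissector for an unknown USER_DLT=162 protocol
+-- generated by some unknown equipment in a 3GPP cellular network.
+--
+-- (C) 2023 by Harald Welte <laforge@gnumonks.org>
+-- SPDX-License-Identifier: GPL-2.0+
+--
+-- Usage: Move (or symlink) this file to your "personal lua plugins"
+-- folder that can be found in the Wireshark Help->About
+-- Wireshark->Folders tab Windows: %APPDATA%\Wireshark\plugins.
+-- Unix-like systems: ~/.local/lib/wireshark/plugins.
+
+dlt162_protocol = Proto("dlt162", "DLT162 3GPP Protocol")
+
+local ranap_diss = Dissector.get("ranap")
+local mtp3_diss = Dissector.get("mtp3")
+local tcap_diss = Dissector.get("tcap")
+local sgsap_diss = Dissector.get("sgsap")
+
+local f_subprotocol = ProtoField.string("subprotocol", "Sub-Protocol")
+local f_subprotocol_len = ProtoField.uint8("subprotocol_len", "Sub-Protocol Length")
+
+dlt162_protocol.fields = {
+f_subprotocol, f_subprotocol_len,
+}
+
+function dlt162_protocol.dissector(tvb, pinfo, tree)
+pinfo.cols.protocol = dlt162_protocol.name
+
+local subtree = tree:add(dlt162_protocol, tvb(), "DLT 162")
+
+-- FIXME: verify that first 3 bytes are 00 01 00, as we don't know their meaning
+local strlen = tvb(3,1):uint()
+local str = tvb(4,strlen):string()
+local len_offs
+local diss
+local payload_len
+
+subtree:add(f_subprotocol, tvb(4, strlen))
+
+if str == "ranap" then
+len_offs = 0x27
+diss = ranap_diss
+elseif str == "sgsap" then
+len_offs = 0x2b
+diss = sgsap_diss
+elseif str == "tcap" then
+len_offs = 0x23
+diss = tcap_diss
+elseif str == "mtp3" then
+len_offs = 0x0b
+diss = mtp3_diss
+end
+
+if len_offs then
+subtree:add(f_subprotocol_len, tvb(len_offs, 1))
+payload_len = tvb(len_offs, 1):uint()
+end
+
+if diss ~= nil and payload_len then
+diss:call(tvb(len_offs+1, payload_len):tvb(), pinfo, tree)
+end
+
+return tvb:len()
+end
+
+function dlt162_protocol.init()
+end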
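Review bot: `dlt162_protocol.dissector` indexes the buffer unconditionally — `tvb(3,1)`, `tvb(4,strlen)`, `tvb(len_offs, 1)` and `tvb(len_offs+1, payload_len)` — so a frame that is truncated, or whose length byte or sub-protocol length byte points past the captured data, raises a Lua error inside the dissector instead of being handled as a malformed packet, and the wire-supplied `payload_len` is passed to the sub-dissector untested. Each read should be guarded against `tvb:len()` first, e.g. `if tvb:len() < 4 then return 0 end` before reading the length byte, the same check for `4 + strlen` and for `len_offs` once it is known, and `len_offs + 1 + payload_len <= tvb:len()` added to the condition in front of `diss:call`. The whole function lies inside the hunk. The header comment explains where to install the file but not how DLT_USER 162 frames reach this dissector; presumably the user has to map DLT 162 to "dlt162" in Wireshark's DLT_USER protocol preferences, and a line saying so would save the next reader a trip to the FIXME.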
|