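/***********************************************************************
 * MGCP
 ***********************************************************************/

/* MGCP is rather complex to match. Why?
   - the verb is only present in the request, but not in the response.
     So by looking at the response alone you cannot tell whether it is
     a CRCX response or an MDCX one.
   - a request can specify a wildcard endpoint, with the chosen endpoint
     only showing up in the response
   - one would actually want to treat all messages for one Connection
     as a Gop
   - probably treat all Connections on the same EP as a Gog?
 */

/* One MGCP message over UDP/IP. The address and port attributes are
 * extracted so that the Gop below can key on both ends of the flow. */
Pdu mgcp_pdu Proto mgcp Transport udp/ip {
    Extract ip_addr From ip.addr;
    Extract port From udp.port;
    /* For some unknown reason the fields below are not actually
     * extracted by wireshark - why is that ?!?
     * NOTE(review): the mgcp_conn Gop depends on these attributes for
     * its Match key, Start and Stop, so while they stay unextracted
     * that Gop presumably never forms - confirm against a capture. */
    Extract mgcp_rsp_code From mgcp.rsp.rspcode;
    Extract mgcp_verb From mgcp.req.verb;
    Extract mgcp_endpoint From mgcp.req.endpoint;
    Extract mgcp_conn_id From mgcp.param.connectionid;
    Extract mgcp_spec_endp_id From mgcp.param.specificendpointid;
};

/* Group the messages of one MGCP connection: keyed on the address pair,
 * the port pair and the connection identifier. */
Gop mgcp_conn On mgcp_pdu Match (ip_addr, ip_addr, port, port, mgcp_conn_id) {
    /* Starts on a 200 response that carries a specific endpoint id
     * (the verb is not available in responses, see above). */
    Start (mgcp_rsp_code = 200, mgcp_spec_endp_id);
    /* Ends on the DLCX request. */
    Stop (mgcp_verb = "DLCX");
};

/***********************************************************************
 * A-bis RSL
 ***********************************************************************/

/* For RSL, we want to mark all messages related to one logical channel,
   from RSL CHAN ACT all the way to RF CHAN REL */

/* One RSL message carried in IPA over TCP/IP. */
Pdu rsl_pdu Proto gsm_abis_rsl Transport gsm_ipa/tcp/ip {
    Extract ip_addr From ip.addr;
    Extract port From tcp.port;
    Extract rsl_cbits From gsm_abis_rsl.ch_no_Cbits;
    Extract rsl_tn From gsm_abis_rsl.ch_no_TN;
    Extract rsl_msg_dsc From gsm_abis_rsl.msg_dsc;
    Extract rsl_msg_type From gsm_abis_rsl.msg_type;
    /* Only PDUs with one of these message discriminators are kept. */
    Criteria Accept Strict (rsl_msg_dsc {4|1|63}); // DCHAN || RLL || IPA
};

/* Group the messages of one logical channel: keyed on the address pair,
 * the port pair, and the channel number (C-bits plus timeslot number). */
Gop rsl_lchan On rsl_pdu Match (ip_addr, ip_addr, port, port, rsl_cbits, rsl_tn) {
    Start (rsl_msg_type = 33); // CHAN_ACT
    /* 35 (0x23) is CHAN ACTIV NACK in the 3GPP TS 48.058 message type
     * coding. The value previously listed here was 36 (0x24), which is
     * CONN FAIL and did not match the intent stated in the comment. */
    Stop (rsl_msg_type {35|51}); // CHAN_ACT_NACK || RF_CHAN_REL_ACK
};

/***********************************************************************
 * SCCP
 ***********************************************************************/

/* We don't really have to track SCCP connections; the SCCP dissector
   does that (assoc.id), but that is somehow broken (20200314)? */

/* One SCCP message over M3UA/IP. OPC and DPC are both extracted under
 * the same attribute name "pc", so each PDU carries two "pc" values. */
Pdu sccp_pdu Proto sccp Transport m3ua/ip {
    Extract pc From m3ua.protocol_data_opc;
    Extract pc From m3ua.protocol_data_dpc;
    //Extract sccp_assoc_id From sccp.assoc.id;
    Extract sccp_lr From sccp.lr;
    Extract sccp_msg_type From sccp.message_type;
};

/* Group the messages of one SCCP connection: keyed on the point code
 * pair and the local reference (used here in place of the dissector's
 * association id, see above). */
//Gop sccp_conn On sccp_pdu Match (pc, pc, sccp_assoc_id) {
Gop sccp_conn On sccp_pdu Match (pc, pc, sccp_lr) {
    /* NOTE(review): the message type is compared as a zero-padded hex
     * string; presumably that is how MATE renders this field - confirm. */
    Start (sccp_msg_type = "0x00000001"); // CR
    Stop (sccp_msg_type {"0x00000005"}); // RLC
};

/***********************************************************************
 * BSSAP
 ***********************************************************************/

/* No BSSAP Pdu or Gop declarations are defined in this section. */

Done;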