wireshark MATE configuration for use with GSM/UMTS/LTE protocols
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
wireshark-mate/osmocom.mate

156 lines
5.3 KiB

/***********************************************************************
* MGCP
***********************************************************************/
/* MGCP is rather complex to match. Why?
- the verb is only present in the request, bu not the response. So by looking
at the resposne you don't know whether it's a CRCX response or a MDCX one.
- a request can specify wildcard endpoint, with the chosen endpoint only showing
up in the response
- one would actually want to treat all messages for one Connection as Gop
- probably treat all Connections on same EP as Gog?
*/
Pdu mgcp_pdu Proto mgcp Transport udp/ip {
Extract ip_addr From ip.addr;
Extract port From udp.port;
/* For some unknown reason the below fields are not actually extracted
* by wireshark - why is that ?!? */
Extract mgcp_rsp_code From mgcp.rsp.rspcode;
Extract mgcp_verb From mgcp.req.verb;
Extract mgcp_endpoint From mgcp.req.endpoint;
Extract mgcp_conn_id From mgcp.param.connectionid;
Extract mgcp_spec_endp_id From mgcp.param.specificendpointid;
};
Gop mgcp_conn On mgcp_pdu Match (ip_addr, ip_addr, port, port, mgcp_conn_id) {
Start (mgcp_rsp_code = 200, mgcp_spec_endp_id);
Stop (mgcp_verb = "DLCX");
};
/***********************************************************************
* A-bis RSL
***********************************************************************/
/* For RSL, we want to mark all messages related to one logical channel,
from RSL CHAN ACT all the way to RF CHAN REL */
Pdu rsl_pdu Proto gsm_abis_rsl Transport gsm_ipa/tcp/ip {
Extract ip_addr From ip.addr;
Extract port From tcp.port;
Extract rsl_cbits From gsm_abis_rsl.ch_no_Cbits;
Extract rsl_tn From gsm_abis_rsl.ch_no_TN;
Extract rsl_msg_dsc From gsm_abis_rsl.msg_dsc;
Extract rsl_msg_type From gsm_abis_rsl.msg_type;
Criteria Accept Strict (rsl_msg_dsc {4|1|63}); // DCHAN || RLL || IPA
};
Gop rsl_lchan On rsl_pdu Match (ip_addr, ip_addr, port, port, rsl_cbits, rsl_tn) {
Start (rsl_msg_type = 33); // CHAN_ACT
Stop (rsl_msg_type {36|51}); // CHAN_ACT_NACK || RF_CHAN_REL_ACK
};
/***********************************************************************
* SCCP
***********************************************************************/
/* We don't really have to track SCCP connections; the SCCP dissector does that (assoc.id),
but that is somehow broken (20200314)? */
Pdu sccp_pdu Proto sccp Transport m3ua/ip {
Extract pc From m3ua.protocol_data_opc;
Extract pc From m3ua.protocol_data_dpc;
//Extract sccp_assoc_id From sccp.assoc.id;
Extract sccp_lr From sccp.lr;
Extract sccp_msg_type From sccp.message_type;
};
//Gop sccp_conn On sccp_pdu Match (pc, pc, sccp_assoc_id) {
Gop sccp_conn On sccp_pdu Match (pc, pc, sccp_lr) {
Start (sccp_msg_type = "0x00000001"); // CR
Stop (sccp_msg_type {"0x00000005"}); // RLC
};
/***********************************************************************
* BSSAP
***********************************************************************/
/***********************************************************************
* GTPv1-C
***********************************************************************/
/* incomplete as it can only track one of the two TEID, so we get all requests but not the responses */
Pdu gtp_pdu Proto gtp Transport udp/ip {
Extract ip_addr From ip.addr;
Extract port From udp.port;
Extract gtp_msg_type From gtp.message;
Extract teid From gtp.teid_cp;
Extract teid From gtp.teid;
};
Gop gtp_ctx On gtp_pdu Match (ip_addr, ip_addr, port, port, teid) {
Start (gtp_msg_type {16}); // CREATE PDP CTX
Stop (gtp_msg_type {21}); // DELETE PDP CTX RESP
};
/***********************************************************************
* GTPv2-C
***********************************************************************/
/* incomplete as it can only track one of the two TEID, so we get all requests but not the responses */
Pdu gtpv2_pdu Proto gtpv2 Transport udp/ip {
Extract ip_addr From ip.addr;
Extract port From udp.port;
Extract gtpv2_msg_type From gtpv2.message_type;
Extract teid From gtpv2.teid;
};
Gop gtpv2_ctx On gtpv2_pdu Match (ip_addr, ip_addr, port, teid) {
Start (gtpv2_msg_type {33}); // CREATE SESSION RESP
Stop (gtpv2_msg_type {37}); // DELETE SESSION RESP
};
/***********************************************************************
* PFCP
***********************************************************************/
Pdu pfcp_pdu Proto pfcp Transport udp/ip {
Extract ip_addr From ip.addr;
Extract port From udp.port;
Extract pfcp_msg_type From pfcp.msg_type;
Extract seid From pfcp.seid;
};
Gop pfcp_ctx On pfcp_pdu Match (ip_addr, ip_addr, port, seid) {
/* we cannot match the request, as it contains seid 0 */
Start (pfcp_msg_type {51}); // Session Establishment Response
Stop (pfcp_msg_type {55}); // Session Deletion Response
};
/***********************************************************************
* S1AP
***********************************************************************/
Pdu s1ap_pdu Proto s1ap Transport sctp/ip {
Extract ip_addr From ip.addr;
Extract port From sctp.port;
Extract s1ap_proc_code From s1ap.procedureCode;
Extract s1ap_mme_id From s1ap.MME_UE_S1AP_ID;
Extract s1ap_enb_id From s1ap.ENB_UE_S1AP_ID;
};
Gop s1ap_ctx On s1ap_pdu Match (ip_addr, ip_addr, port, port, s1ap_mme_id) {
Start (s1ap_proc_code {9}); // InitialContextSetup
Stop (s1ap_proc_code {23}); // UEContextRelease
};
Done;