Discussion:
Decoding raw SCCP packets using Wireshark
James Lee
2007-11-30 00:50:40 UTC
Hi. I'm trying to use wireshark to decode raw SCCP packets; i.e. the
contents of an SCCP packet sent over an SS7 link, but where we have only the
packet from the SCCP layer upwards available (so none of the lower-layer
protocols like MTP3, MTP2, etc.).
Now I'm trying to do this by outputting the contents of the SCCP message to
a binary ASCII file, and then running text2pcap over it as follows:
"text2pcap -l 142 input.txt output.pcap" - where 142 is the value of
DLT_SCCP which should be the correct link-layer type here I believe?
Text2pcap is perfectly happy and produces a pcap output file.

When I try to load this file in wireshark, I just get an error complaining
about an unknown link layer type of 142. For comparison, I've tried running
the exact same text2pcap command but with "-l 141" (which is DLT_MTP3), and
wireshark opens the file happily and tries to display an mtp3 packet (though
the contents is incorrect as this binary file doesn't contain an mtp3
header).
From this, and from looking at the source code it looks like wireshark
doesn't support decoding raw SCCP packets unless I'm missing something - is
this correct? If so, then is there a simple way for me to be able to use
wireshark and its associated tools to decode raw SCCP packets? Can I get
text2pcap to add a dummy MTP3 header (in the same way as it adds dummy
UDP/TCP and lower headers to IP traffic)? Is my only option to get my
application to output packets including an MTP3 header? Is there a more
direct way to get wireshark to decode binary data for a single packet?

Any help would be much appreciated here.
Luis EG Ontanon
2007-11-30 00:56:55 UTC
You could use a user dlt and assign sccp to it.

See http://wiki.wireshark.org/HowToDissectAnything
Post by James Lee
Hi. I'm trying to use wireshark to decode raw SCCP packets; i.e. the
contents of an SCCP packet sent over an SS7 link, but where we have only the
packet from the SCCP layer upwards available (so none of the lower-layer
protocols like MTP3, MTP2, etc.).
Now I'm trying to do this by outputting the contents of the SCCP message to
"text2pcap -l 142 input.txt output.pcap" - where 142 is the value of
DLT_SCCP which should be the correct link-layer type here I believe?
Text2pcap is perfectly happy and produces a pcap output file.
When I try to load this file in wireshark, I just get an error complaining
about an unknown link layer type of 142. For comparison, I've tried running
the exact same text2pcap command but with "-l 141" (which is DLT_MTP3), and
wireshark opens the file happily and tries to display an mtp3 packet (though
the contents is incorrect as this binary file doesn't contain an mtp3
header).
From this, and from looking at the source code it looks like wireshark
doesn't support decoding raw SCCP packets unless I'm missing something - is
this correct? If so, then is there a simple way for me to be able to use
wireshark and its associated tools to decode raw SCCP packets? Can I get
text2pcap to add a dummy MTP3 header (in the same way as it adds dummy
UDP/TCP and lower headers to IP traffic)? Is my only option to get my
application to output packets including an MTP3 header? Is there a more
direct way to get wireshark to decode binary data for a single packet?
Any help would be much appreciated here.
_______________________________________________
Wireshark-dev mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-dev
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
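The user-DLT approach suggested in this reply, as an added example that is not part of the original thread: it wraps raw SCCP bytes in a pcap file whose link type is 147 (DLT_USER0, the first of the user-reserved range 147-162), which Wireshark can then be told to dissect as "sccp" in the DLT_USER protocol preferences. The function names, the output file name and the sample bytes are constructed for illustration.

```python
import struct

DLT_USER0 = 147          # user-reserved link types run from 147 to 162
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def parse_hex(text: str) -> bytes:
    """Turn a whitespace-separated hex dump of one SCCP message into bytes."""
    return bytes.fromhex(text)


def pcap_bytes(payloads, linktype=DLT_USER0, snaplen=65535) -> bytes:
    """Build a little-endian pcap file with one record per raw payload.

    No MTP2/MTP3 header is added: each record starts at the SCCP layer,
    so the link type must be one that Wireshark maps straight to SCCP.
    """
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, linktype))
    for seq, data in enumerate(payloads):
        if not data:
            raise ValueError("record %d is empty" % seq)
        if len(data) > snaplen:
            raise ValueError("record %d exceeds snaplen" % seq)
        # Record header: ts_sec, ts_usec, captured length, original length.
        # The timestamp is synthetic (one second per record).
        out += struct.pack("<IIII", seq, 0, len(data), len(data))
        out += data
    return bytes(out)


# Constructed sample: placeholder bytes laid out like a short SCCP UDT
# message; substitute the bytes your application emits.
SAMPLE_SCCP = parse_hex("09 00 03 05 07 02 42 08 02 42 08 03 aa bb cc")

if __name__ == "__main__":
    with open("sccp_user0.pcap", "wb") as fh:  # hypothetical file name
        fh.write(pcap_bytes([SAMPLE_SCCP]))
```

With text2pcap the equivalent is to pass `-l 147` instead of `-l 142`; either way the payload protocol for that user DLT still has to be set to sccp in Wireshark before the file is opened.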
James Lee
2007-11-30 17:41:50 UTC
That's exactly what I was looking for, and does the trick. Thanks!
Post by Luis EG Ontanon
You could use a user dlt and assign sccp to it.
See http://wiki.wireshark.org/HowToDissectAnything
Post by James Lee
Hi. I'm trying to use wireshark to decode raw SCCP packets; i.e. the
contents of an SCCP packet sent over an SS7 link, but where we have only
the packet from the SCCP layer upwards available (so none of the
lower-layer protocols like MTP3, MTP2, etc.).
Now I'm trying to do this by outputting the contents of the SCCP message to
"text2pcap -l 142 input.txt output.pcap" - where 142 is the value of
DLT_SCCP which should be the correct link-layer type here I believe?
Text2pcap is perfectly happy and produces a pcap output file.
When I try to load this file in wireshark, I just get an error
complaining about an unknown link layer type of 142. For comparison,
I've tried running the exact same text2pcap command but with "-l 141"
(which is DLT_MTP3), and wireshark opens the file happily and tries to
display an mtp3 packet (though the contents is incorrect as this binary
file doesn't contain an mtp3 header).
From this, and from looking at the source code it looks like wireshark
doesn't support decoding raw SCCP packets unless I'm missing something -
is this correct? If so, then is there a simple way for me to be able to
use wireshark and its associated tools to decode raw SCCP packets? Can I
get text2pcap to add a dummy MTP3 header (in the same way as it adds dummy
UDP/TCP and lower headers to IP traffic)? Is my only option to get my
application to output packets including an MTP3 header? Is there a more
direct way to get wireshark to decode binary data for a single packet?
Any help would be much appreciated here.
Jeff Morriss
2008-01-17 17:56:49 UTC
Post by James Lee
Hi. I'm trying to use wireshark to decode raw SCCP packets; i.e. the
contents of an SCCP packet sent over an SS7 link, but where we have only
the packet from the SCCP layer upwards available (so none of the
lower-layer protocols like MTP3, MTP2, etc.).
Now I'm trying to do this by outputting the contents of the SCCP message
"text2pcap -l 142 input.txt output.pcap" - where 142 is the value of
DLT_SCCP which should be the correct link-layer type here I believe?
Text2pcap is perfectly happy and produces a pcap output file.
When I try to load this file in wireshark, I just get an error
complaining about an unknown link layer type of 142. For comparison,
I've tried running the exact same text2pcap command but with "-l 141"
(which is DLT_MTP3), and wireshark opens the file happily and tries to
display an mtp3 packet (though the contents is incorrect as this binary
file doesn't contain an mtp3 header).
From this, and from looking at the source code it looks like wireshark
doesn't support decoding raw SCCP packets unless I'm missing something -
is this correct? If so, then is there a simple way for me to be able to
Yes, Wireshark was not set up to use this DLT value. It's a bit late, I
know, but I just added support for it in rev 24119.
