I'm looking for a way to read ICCP/TASE.2 packets. I've seen anecdotal evidence that Wireshark supports this protocol, but can't find anything concrete from Wireshark's documentation or Q&A.

When I view pcaps with ICCP packets through Wireshark, they're displayed down to the MMS protocol, which is shown full of various errors (primarily "BER Error: Wrong field in SEQUENCE"). We've tried Wireshark versions up to 1.8.3, but the release notes for later versions don't indicate the addition of ICCP/TASE.2 support.

We are investigating the possibility of writing a custom ICCP dissector, but this has a number of problems, primarily that we don't have a C++ programmer or anyone with experience dissecting protocols.

Is there an ICCP/TASE.2 dissector, either built-in or as a plugin, available for Wireshark? If not, what other tools are available to read ICCP/TASE.2 packets?

asked 28 Mar '13, 11:30

alisha


From what I have seen myself of the TASE.2 specification, TASE.2 is just a way to use MMS. There's a mapping to the MMS data model and no extra layer is added (from a networking point of view).

MF

answered 15 Apr '13, 10:16

splinux

@splinux It's not that simple, unfortunately. TASE.2 packets show up as malformed MMS packets when we try to view them (usually the BER error I mentioned in the question). So whatever TASE.2 is doing, Wireshark can't dissect it correctly, and we can't see the contents of the packet.

(15 Apr '13, 10:21) alisha

Then there might be a bug in the MMS dissector, or the ASN.1 specification it implements might not include all the stuff used by TASE.2. Please file a bug on this at the Wireshark Bugzilla, and include, if possible, a sample packet capture that demonstrates the problem.

(15 Apr '13, 15:11) Guy Harris ♦♦

@alisha Can you upload your traces somewhere like pcapr(DOT)net/home besides Bugzilla?

(16 Apr '13, 01:41) splinux

@splinux I'll find out, but I know we're very restricted on where and how we can share our pcaps, so it might not be possible. I'm going to see if I can scrub the IP addresses & other identifying data, and maybe upload then.

(16 Apr '13, 08:19) alisha

Marking this as the answer since it's the closest we can get without being able to upload our data files. I'll file a bug report as suggested and see where it goes.

(22 May '13, 15:22) alisha
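
The address-scrubbing step mentioned in the comments above, as an added example that is not part of the original thread: it replaces every IPv4 address in a capture with a consistent pseudonym and incrementally corrects the IPv4 and TCP checksums so the MMS dissector still sees well-formed segments. The function names, the `198.51.100.0/24` pseudonym pool and the command-line file arguments are assumptions; it handles only classic little-endian pcap (not pcapng) with untagged Ethernet II frames.

```python
import ipaddress
import struct
import sys

def csum_update(old_sum, old, new):
    """RFC 1624 incremental Internet checksum update: HC' = ~(~HC + ~m + m')."""
    s = ~old_sum & 0xFFFF
    for i in range(0, len(old), 2):
        s += (~int.from_bytes(old[i:i + 2], "big") & 0xFFFF) + int.from_bytes(new[i:i + 2], "big")
    while s >> 16:  # fold carries back in (one's-complement addition)
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def scrub_pcap(data, net="198.51.100.0/24"):
    """Return (scrubbed bytes, {real: pseudonym}) for a classic little-endian Ethernet pcap."""
    if data[:4] != b"\xd4\xc3\xb2\xa1" or struct.unpack_from("<I", data, 20)[0] != 1:
        raise ValueError("expected classic little-endian pcap with Ethernet link type")
    out, mapping = bytearray(data), {}
    pool = ipaddress.ip_network(net).hosts()  # assumed pool: RFC 5737 documentation range
    def alias(addr):  # same real address always maps to the same pseudonym
        if addr not in mapping:
            mapping[addr] = next(pool).packed
        return mapping[addr]
    def patch(pos, old, new):  # rewrite the 16-bit checksum stored at pos
        cur = struct.unpack_from(">H", out, pos)[0]
        struct.pack_into(">H", out, pos, csum_update(cur, old, new))
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(out):
        incl_len = struct.unpack_from("<I", out, off + 8)[0]
        ip, end = off + 30, off + 16 + incl_len  # 16 B record header + 14 B Ethernet header
        if end > len(out):  # truncated final record
            break
        if incl_len >= 34 and out[ip - 2:ip] == b"\x08\x00" and out[ip] >> 4 == 4:
            old = bytes(out[ip + 12:ip + 20])  # source + destination address
            new = alias(old[:4]) + alias(old[4:])
            out[ip + 12:ip + 20] = new
            patch(ip + 10, old, new)  # IPv4 header checksum
            tcp = ip + (out[ip] & 0x0F) * 4
            first_frag = (struct.unpack_from(">H", out, ip + 6)[0] & 0x1FFF) == 0
            if out[ip + 9] == 6 and first_frag and tcp + 18 <= end:
                patch(tcp + 16, old, new)  # TCP checksum covers the pseudo-header addresses
        off = end
    return bytes(out), {str(ipaddress.ip_address(k)): str(ipaddress.ip_address(v)) for k, v in mapping.items()}

if __name__ == "__main__":  # usage (hypothetical file names): scrub.py in.pcap out.pcap
    scrubbed, table = scrub_pcap(open(sys.argv[1], "rb").read())
    open(sys.argv[2], "wb").write(scrubbed)
    print(table)  # keep this table private: it reverses the scrub
```

The MMS/TASE.2 payload and the MAC addresses are left exactly as captured, so any identifying data inside the PDUs still needs review before the file is shared.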
Asked: 28 Mar '13, 11:30

Seen: 1,077 times

Last updated: 22 May '13, 15:22