Hi, I'm new to Wireshark but I have a Windows host with Wireshark running and on this host a customised application sending data to another host on port 5000. I can filter the data and use Follow TCP Stream fine and see the application's network data.

However the frames are displayed as

[Malformed Packet: GSM over IP]

I assume that Wireshark is inspecting the frame data and that Wireshark thinks that the data inside is GSM over IP formatted data while it isn't.

Any way to 'disable' this misleading matching to GSM over IP?

Any help would be greatly appreciated!

Bernd

asked 31 Jan '11, 04:07

BerndN

Go to the menu Analyze|Protocols. This opens a dialog with all protocol dissectors. Look for 'GSM over IP' and remove the check mark. Click apply to see what happens.

answered 31 Jan '11, 04:32

Jaap ♦

Edit->preferences->protocols->GSM over IP: change the TCP/UDP ports to 0 or disable the protocol.

answered 31 Jan '11, 04:31

Anders ♦

I see these protocols:

  • GSM SMS
  • GSM SMS UD
  • GSM Um
  • GSM_MAP

Windows Version 1.4.3 from Wireshark. So thanks for the tip. Somehow I have thought the same before, but because I could not find it easily I was confused and thought better to post this here ;)

answered 31 Jan '11, 04:39

BerndN

Thanks Jaap. Doing this changed it and all looks fine after it. Are those messages/frames/packets now hidden or have they just changed to 'unnamed' data frames/packets?

answered 31 Jan '11, 04:48

BerndN

No, the Wireshark 'GSM over IP' dissector just isn't called any more. It now depends on the other dissectors what happens.

answered 31 Jan '11, 12:44

Jaap ♦

Just one more question regarding those frames/packets. I have done some binary editing of old files in Windows. I had files which had a length value after the initial header so that the opening program did know how long the file had to be. But most files had different structures/data structures. I assume that with network packets a lot also depends on the application creating it. The dissector GSM over IP, which has identified these packets, seems to assume that it finds a checksum at offset 0xnn and that this checksum value should be nnnn instead of 00 00. My understanding is that the header seems similar to a GSM over IP packet but it is not a GSM over IP structure. So to permanently fix it I should write my own, custom dissector?

Thanks for reading and trying to help!

Bernd

answered 31 Jan '11, 13:02

BerndN
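
On the custom dissector raised in the last post, a minimal Wireshark Lua dissector registered on TCP port 5000 is sketched below as an added example; it is not from any participant in this thread. The protocol name `myapp` and the field layout are assumptions, because the thread never describes the application's real format, and it assumes one message per TCP segment (no reassembly).

```lua
-- Hypothetical layout (an assumption, not the real application format):
--   bytes 0-1  message type   (uint16, big-endian)
--   bytes 2-3  payload length (uint16, big-endian)
--   bytes 4..  payload
local myapp = Proto("myapp", "Custom Application Protocol (example)")

local f_type    = ProtoField.uint16("myapp.type", "Message type", base.HEX)
local f_length  = ProtoField.uint16("myapp.length", "Payload length", base.DEC)
local f_payload = ProtoField.bytes("myapp.payload", "Payload")
myapp.fields = { f_type, f_length, f_payload }

local HEADER_LEN = 4

function myapp.dissector(tvb, pinfo, tree)
    local available = tvb:len()
    -- Too short to hold the assumed header: do not claim the packet.
    if available < HEADER_LEN then return 0 end

    pinfo.cols.protocol = "MYAPP"
    local declared = tvb(2, 2):uint()

    local subtree = tree:add(myapp, tvb(), "Custom Application Protocol (example)")
    subtree:add(f_type, tvb(0, 2))
    local len_item = subtree:add(f_length, tvb(2, 2))

    -- Never trust the declared length: clamp it to the bytes actually captured,
    -- so a bogus length cannot push the read past the end of the buffer.
    local present = math.min(declared, available - HEADER_LEN)
    if present > 0 then
        subtree:add(f_payload, tvb(HEADER_LEN, present))
    end
    if present < declared then
        len_item:add_expert_info(PI_MALFORMED, PI_WARN,
            "Declared length exceeds captured data")
    end
    return HEADER_LEN + present
end

-- Register for TCP port 5000, the port the application in the question uses.
DissectorTable.get("tcp.port"):add(5000, myapp)
```

The script can be loaded with `wireshark -X lua_script:myapp.lua` (the file name is a placeholder) or placed in the personal plugins directory.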
Asked: 31 Jan '11, 04:07

Seen: 10,355 times

Last updated: 31 Jan '11, 13:02
