We are planning to build a solution on our telecom system that would monitor the signalling messages (e.g. RANAP/CC/MM/SMS, BICC, H.248, MAP, ISUP, INAP/CAP, etc.) belonging to specific transactions; after post-processing, those would be checked in Wireshark.

The raw monitoring data will be stored in the form in which it was captured from the system, which means:

• all the types of signalling data that were involved in the transaction would be in the same monitoring file;

• the monitoring will contain the signalling messages at application-layer level, thus all of the layers below the application layer shall be dummy layers, meaning that layer 2 to layer 4 headers and data shall be faked.

My questions related to this are the following:

  • Is it a requirement in Wireshark that the messages be first sorted by protocol type into separate files, or can there be one file which contains all the protocol messages?
  • Could the conversion of raw data into pcap format, including faking the lower layers, be implemented in Wireshark, e.g. as an add-in or as part of the dissector?

Thanks !

asked 25 Jan '12, 00:52

BEGINNER


  1. Wireshark can work out protocol types on its own. Fire it up on your desktop network connection and see the mayhem of mixed protocol message flows. Not a problem.
  2. There are two options to import raw data into Wireshark. There's the command line tool text2pcap, and the GUI import feature. Both can do the same, faking the lower layers. Make sure to read the text2pcap manual page to get an idea of the required input format.

answered 25 Jan '12, 02:29

Jaap ♦

Thank you !

Still I have further questions:

As the encapsulation type is common, and at least in the GUI it is not optional, that means that the protocol types in a source file still have to be separated by the type of lower layer used. Is that correct?

And as I see it, the dummy layers can be added only for IP, but not for SS7 for example. Does Wireshark have a solution for faking the lower layers in the case of SS7?

Thanks !

(27 Jan '12, 04:32) BEGINNER
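The two conversion paths Jaap mentions, the text2pcap hex-dump input and faked layer 2 to layer 4 headers, worked through in Python as an added example; this is not code from the thread or from Wireshark. It renders application-layer bytes in the offset-plus-hex-bytes layout text2pcap consumes, builds the same dummy Ethernet/IPv4/UDP headers that `text2pcap -e 0x0800 -i 17 -u 2905,2905` would prepend, and writes a classic pcap file. The MAC and IP addresses, the port 2905 and the sample payloads are constructed placeholders, not values from the page. It also shows the pcap link-type field, which is where a non-IP link type such as libpcap's LINKTYPE_MTP3 (141) goes when the records are SS7 frames rather than IP packets; the sample payloads written under that link type are dummies, not real MTP3 frames.

```python
"""Added example (not from the thread): fake L2-L4 headers around
application-layer signalling bytes, as text2pcap's -e/-i/-u options do, and
write a pcap Wireshark can open. Sample payloads are constructed; the
addresses and ports are arbitrary assumptions."""
import struct

# Constructed stand-ins for two application-layer messages; NOT real MAP/ISUP PDUs.
SAMPLE_PAYLOADS = [bytes(range(0x10, 0x30)), b"\xde\xad\xbe\xef" * 5]

LINKTYPE_ETHERNET = 1    # pcap link type when Ethernet/IPv4/UDP are faked underneath
LINKTYPE_MTP3 = 141      # libpcap registry value for raw MTP3 frames (no IP stack)


def to_text2pcap_hexdump(payloads):
    """Render payloads in the offset + hex bytes layout text2pcap reads.
    An offset of 0 starts a new packet, so several messages fit in one file."""
    lines = []
    for payload in payloads:
        for off in range(0, len(payload), 16):
            chunk = payload[off:off + 16]
            lines.append("%06x %s" % (off, " ".join("%02x" % b for b in chunk)))
        lines.append("")
    return "\n".join(lines)


def ipv4_checksum(header):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fake_eth_ipv4_udp(payload, sport=2905, dport=2905):
    """Prepend dummy Ethernet + IPv4 + UDP headers to an application-layer
    payload, equivalent to `text2pcap -e 0x0800 -i 17 -u 2905,2905`.
    MACs, IPs and ports are placeholders chosen here, not values from the page."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip_len = 20 + 8 + len(payload)
    # version/IHL, TOS, total length, id, flags(DF), TTL, proto=UDP, csum=0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0x4000, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)  # csum 0 = none (IPv4)
    return eth + ip + udp + payload


def write_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialise records into a classic little-endian pcap (magic 0xa1b2c3d4,
    v2.4). The link type tells Wireshark which dissector sees the first byte;
    with LINKTYPE_MTP3 the records are stored as MTP3 frames, no IP faked."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    base_ts = 1327449600  # 25 Jan 2012 00:00:00 UTC; one record per second
    for i, rec in enumerate(records):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", base_ts + i, 0, len(rec), len(rec)))
        out.append(rec)
    return b"".join(out)


if __name__ == "__main__":
    with open("signalling.txt", "w") as f:          # feed this to text2pcap
        f.write(to_text2pcap_hexdump(SAMPLE_PAYLOADS))
    frames = [fake_eth_ipv4_udp(p) for p in SAMPLE_PAYLOADS]
    with open("signalling-udp.pcap", "wb") as f:    # faked Ethernet/IPv4/UDP
        f.write(write_pcap(frames))
    with open("signalling-mtp3.pcap", "wb") as f:   # raw records, MTP3 link type
        f.write(write_pcap(SAMPLE_PAYLOADS, linktype=LINKTYPE_MTP3))
```

The hex dump the script writes can be converted with the real tool instead, e.g. `text2pcap -e 0x0800 -i 17 -u 2905,2905 signalling.txt out.pcap`; text2pcap's `-l <typenum>` option sets the same link-type field that `write_pcap` takes as `linktype`, which is how records that are already MTP3 frames are stored without any faked IP layer. The port is only a hint for Wireshark's dissector selection, so use Decode As if the payload is not picked up automatically.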
Asked: 25 Jan '12, 00:52

Seen: 2,348 times

Last updated: 27 Jan '12, 04:32
