
Decoder does not work using "Importing from Hex Dump"

asked 2020-01-28 08:55:27 +0000

zfanta

I have imported a TN3270 packet from tk4. I selected the TELNET decoder but Wireshark cannot recognize it as TN3270. Only the data field appears.

000000 f5 42 11 40 40 1d 60 c8 85 99 83 a4 93 85 a2 40
000010 e5 85 99 a2 89 96 95 40 40 7a 11 40 d4 1d e8 f4
000020 4b f0 f0 11 c1 50 1d 60 c8 96 a2 a3 40 95 81 94
000030 85 40 40 40 40 40 40 40 40 40 7a 11 c1 e4 1d e8
000040 c4 c5 e2 d2 e3 d6 d7 60 f9 c6 d5 f0 f1 c2 e2 11
000050 c2 60 1d 60 c8 96 a2 a3 40 d6 e2 40 40 40 40 40
000060 40 40 40 40 40 40 7a 11 c2 f4 1d e8 e6 89 95 84
000070 96 a6 a2 60 f6 4b f2 4b f9 f2 f0 f0 40 40 d7 99
000080 96 86 85 a2 a2 89 96 95 81 93 40 f6 f4 60 82 89
000090 a3 11 c3 f0 1d 60 c8 96 a2 a3 40 c1 99 83 88 89
0000a0 a3 85 83 a3 a4 99 85 40 7a 11 c4 c4 1d e8 c9 95
0000b0 a3 85 93 4d d9 5d 40 a7 f6 f4 11 c5 40 1d 60 d7
0000c0 99 96 83 85 a2 a2 96 99 a2 40 40 40 40 40 40 40
0000d0 40 7a 11 c5 d4 1d e8 d3 d7 7e f8 6b 40 c3 96 99
0000e0 85 a2 7e f4 6b 40 c3 d7 e4 a2 7e f1 11 c6 50 1d
0000f0 60 d3 d7 c1 d9 40 d5 81 94 85 40 40 40 40 40 40
000100 40 40 40 7a 11 c6 e4 1d e8 c8 c5 d9 c3 e4 d3 c5
000110 e2 11 c7 60 1d 60 c4 85 a5 89 83 85 40 95 a4 94
000120 82 85 99 40 40 40 40 40 7a 11 c7 f4 1d e8 f0 7a
000130 f0 f0 c3 f1 11 c8 f0 1d 60 e2 a4 82 83 88 81 95
000140 95 85 93 40 40 40 40 40 40 40 40 7a 11 c9 c4 1d
000150 e8 f0 f0 f0 c3 11 c8 f0 1d 60 40 40 40 40 40 40
000160 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
000170 40 40 40 40 40 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c
000180 5c 40 40 40 5c 5c 5c 5c 40 40 5c 5c 5c 5c 5c 40
000190 40 40 40 40 40 40 40 40 40 6a 6a 11 4a 40 1d 60
0001a0 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
0001b0 40 40 40 40 40 40 40 40 40 40 40 5c 5c 40 40 40
0001c0 5c ...

Comments

How was the data collected? What tool created the hex dump?

bubbasnmp ( 2020-01-28 15:02:58 +0000 )

I used "Export Packet Bytes" on the telnet field to share the screen data. https://imgur.com/a/IbbMm2e

zfanta ( 2020-01-29 02:51:05 +0000 )

Note that we don't generally "close" answered questions, instead we accept the answer by clicking the checkmark to the left of the answer. I'm not sure whether it was my answer or the additions from @bubbasnmp that solved your issue.

grahamb ( 2020-01-29 10:47:18 +0000 )

1 Answer


answered 2020-01-28 10:47:10 +0000

grahamb

Have you set the Import options to add TCP headers? You should also set the ports accordingly, e.g. 23 and something else, I used 23 & 1024.

You can also use text2pcap with the arguments -T 23,1024 e.g.

text2pcap -T 23,1024 packet.txt packet.pcap

Comments

Yes I had. But Wireshark couldn't parse TN3270 data like this https://imgur.com/a/fuvfZSa. I have noticed "note: Your capture needs to include the start of the telnet session - this is where the TN5250 protocol is negotiated." at https://wiki.wireshark.org/TN5250. Does it matter for TN3270?

zfanta ( 2020-01-29 02:58:48 +0000 )

https://code.wireshark.org/review/git...
The telnet dissector is looking at the Terminal Type before calling the TN3270 dissector.

Subcommand: Terminal Type
    Here's my Terminal Type
    Value: IBM-3279-2-E
bubbasnmp ( 2020-01-29 05:06:37 +0000 )

Also mentioned here that maybe there should be a way to force decode when the start is missing:
https://ask.wireshark.org/question/17...

bubbasnmp ( 2020-01-29 05:21:55 +0000 )

OK. I understood. Appreciate.

zfanta ( 2020-01-29 05:22:33 +0000 )

For anyone looking at this in the future, the packet bytes are EBCDIC data.
https://www.wireshark.org/docs/wsug_h...
Right click the packet bytes and change to EBCDIC to see text.

bubbasnmp ( 2020-01-29 05:47:57 +0000 )
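
When the Terminal Type negotiation is missing from the capture and Wireshark shows only a Data field, the screen text can still be recovered offline. The Python below is an added example, not code from this thread or from Wireshark: it parses the first four lines of the hex dump from the question, skips the two 3270 orders that occur in it, and decodes the rest as EBCDIC. The names `SAMPLE_DUMP`, `parse_hex_dump` and `screen_fields` are hypothetical, and code page 037 is an assumption.

```python
import re

# Sample input: the first four lines of the hex dump posted in the question.
SAMPLE_DUMP = """\
000000 f5 42 11 40 40 1d 60 c8 85 99 83 a4 93 85 a2 40
000010 e5 85 99 a2 89 96 95 40 40 7a 11 40 d4 1d e8 f4
000020 4b f0 f0 11 c1 50 1d 60 c8 96 a2 a3 40 95 81 94
000030 85 40 40 40 40 40 40 40 40 40 7a 11 c1 e4 1d e8
"""

SBA = 0x11  # Set Buffer Address order, followed by a 2-byte buffer address
SF = 0x1D   # Start Field order, followed by a 1-byte field attribute


def parse_hex_dump(text):
    """Return the raw bytes of an offset-prefixed hex dump (text2pcap style)."""
    data = bytearray()
    for line in text.splitlines():
        m = re.match(r"^\s*[0-9a-fA-F]{4,}\s+((?:[0-9a-fA-F]{2}\s*)+)", line)
        if m:  # lines without an offset and hex bytes are ignored
            data += bytes.fromhex(m.group(1))
    return bytes(data)


def screen_fields(stream, codec="cp037"):
    """Split a 3270 write data stream into the text runs it paints.

    Only SBA and SF are handled (the orders present in this sample); any
    other order would show up as stray characters in the output.
    """
    fields, current = [], bytearray()

    def flush():
        text = " ".join(current.decode(codec).split())  # collapse padding
        if text:
            fields.append(text)
        current.clear()

    i = 2  # skip the write command byte and the Write Control Character
    while i < len(stream):
        if stream[i] == SBA:
            flush(); i += 3   # order byte + 2 address bytes
        elif stream[i] == SF:
            flush(); i += 2   # order byte + 1 attribute byte
        else:
            current.append(stream[i]); i += 1
    flush()
    return fields


if __name__ == "__main__":
    print(screen_fields(parse_hex_dump(SAMPLE_DUMP)))
```
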


Stats

Asked: 2020-01-28 08:55:27 +0000

Seen: 34 times

Last updated: Jan 28