I had a pcap file where at any particular multiple transactions are getting captured in single packets.I am want to have separate packets for separate transaction. Please help.
As I suggested, the protocol, M3UA in this case, runs atop SCTP, so multiple PDU's appear in a single SCTP data chunk and are correctly dissected as can be seen in the packet details pane.
To break these out into separate SCTP data chunks will require a bit of work with external tools. My goto for this sort of thing is Scapy, and I see it has support for SCTP, but I've never used it.
The other option is to somehow arrange not to capture in this manner which is Linux Cooked Mode. Did you capture using the "Any" device?
The other option is to somehow arrange not to capture in this manner which is Linux Cooked Mode.
In what fashion is using a PF_PACKET/SOCK_DGRAM socket, rather than a PF_PACKET/SOCK_RAW socket, to capture network traffic responsible for causing an SCTP packet in that capture to have more than one chunk in it?
I have no idea. I'd made a blind assumption that doing so might affect coalescing of received PDU's, but as you've pointed out that would also require generation of SCTP data chunks to accommodate the PDU's which now you make me think about it seems preposterous.
Yup, all that cooked mode does is cause the link-layer header not to be included in the packet. That's done for the "any" device so that the same in-kernel BPF filter code can work even if not all the interfaces have the same link-layer header type (the "any" device is implemented by not binding the socket to a particular device, so that packets from all devices are handed to that socket); it's also used for some link-layer header types that don't work in a sensible fashion (PPP is - or, at least one point, was - a serious offender here, not providing the PPP header with its protocol type, so there would be no indication of the protocol type).
That doesn't affect the packets handed to the socket, it just affects how they show up to code, such as libpcap, reading from the socket.
Asked: 2020-02-20 12:53:31 +0000
Seen: 677 times
Last updated: Feb 21 '20
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
By not mentioning the protocols concerned it's a little difficult to comment, but I suspect that your protocol runs atop something like TCP and the protocol PDU's are being coalesced into a single TCP segment.
This is normal behaviour, and a properly written dissector will handle this.
Can you indicate what the protocol is and can you share a capture file on a public share, e.g. Google Drive, DropBox etc.?
Hi Grahamb, It is GSM_MAP protocol. Please find the trace in the below link and suggest. https://drive.google.com/open?id=1Cbs...
What do you mean by "separate packets"? Do you mean you want to see separate lines in the Wireshark packet summary pane for separate M3UA/SCCP/TCAP/GSM_MAP packets?
Harris... if u had open my trace u can see in the the first packets there are 4 GSM_MAP transaction and my requirement is to separate those 4 MAP transactions.
I did open it.
And I did see that.
"Separate" in what sense? Display them on 4 rows in the packet summary pane, so that you can click on one of those rows and see the dissection of that particular transaction?