Wireshark doesn't recognize TWAMP-Test packets

asked 2020-05-11 11:24:14 +0000

sajax

updated 2020-05-11 17:46:08 +0000

Guy Harris

Hi,

I have Wireshark 3.0.7 and I have enabled the TWAMP-Test and TWAMP-Control protocol options from the menu "Analyze -> Enabled Protocols".

However, when I open a pcap file that has TWAMP Test Frames from Sender and Reflector, Wireshark is not able to decode them as TWAMP Test Frames and shows them as plain UDP Data Packets. If you set a filter of "twamp.test", none of the packets qualify as TWAMP test packets.

I am pretty sure the pcap has valid TWAMP test frames generated by standard test tools like TWAMPY and Spirent.

Can anyone help with what I am missing?

Here is a sample data dump of 1 frame (as it is not allowing me to capture the full pcap file):

    0000  00 11 3f 23 e1 3c 00 10 94 00 00 02 81 00 a3 e8
    0010  08 00 45 00 00 6a 00 00 00 00 ff 11 6b 51 14 14
    0020  14 07 14 14 14 03 04 00 03 5e 00 56 f7 fa 00 00
    0030  00 01 00 00 00 00 00 01 23 45 03 ff 00 00 00 00
    0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0060  00 00 00 00 00 00 00 00 4b 6a 6c fb 9c 13 72 0e
    0070  40 ed 61 a7 c7 8c 71 4d 04 cd e1 ad 5f 3a 6e 51

Regards Sajax


Comments

You can put your capture on a public share, e.g. Google Drive, DropBox etc. and post a link to it back here.

grahamb ( 2020-05-11 12:59:55 +0000 )

Thanks a lot for a quick response.

I believe I found a way to decode it:

I selected the "Data Bytes" after "UDP Payload" and, in the right-click menu, selected "Decode As". Then, after mapping the UDP source and destination ports in the packets to "TWAMP.Test", it started decoding the TWAMP frames.

Thanks and Regards Sajax

sajax ( 2020-05-11 13:16:07 +0000 )

1 Answer


answered 2020-05-11 17:52:06 +0000

Guy Harris

Wireshark recognizes TWAMP-Control packets if they go to or from the well-known port 862.

And, IF it sees the TWAMP-Control packets that set up a TWAMP-Test session, it will attempt to arrange that packets in that session be recognized as TWAMP-Test.

If, however, it doesn't see the TWAMP-Control packets that set up a TWAMP-Test session, it won't recognize the TWAMP-Test packets, so you'll have to tell it that packets are TWAMP-Test packets, using either the "Decode As..." interface in Wireshark or the -d command-line flag in TShark.


Comments

Thanks a lot for your response. As mentioned above, I had figured out the same while exploring the "Decode As" option.

Also, I was missing the fact that my traffic was not using the well-known port 862 in one direction. So thanks for highlighting the same.

sajax ( 2020-05-12 06:30:34 +0000 )
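
Added example (not part of the original thread and not Wireshark's own code): a small Python decoder run over the sample frame from the question, showing the UDP ports you would map in "Decode As" and the sender fields carried in the payload. It assumes the unauthenticated-mode TWAMP-Test sender layout from RFC 5357 / RFC 4656 (sequence number, timestamp, error estimate, padding); the function name `parse_twamp_test_sender` is hypothetical.

```python
import struct

# Frame bytes copied from the hex dump in the question, offsets removed.
FRAME = bytes.fromhex(
    "00113f23e13c0010940000028100a3e8"
    "08004500006a00000000ff116b511414"
    "1407141414030400035e0056f7fa0000"
    "0001000000000001234503ff00000000"
    + "00" * 40 +
    "4b6a6cfb9c13720e"
    "40ed61a7c78c714d04cde1ad5f3a6e51"
)

def parse_twamp_test_sender(frame):
    """Decode Ethernet/(802.1Q)/IPv4/UDP and the TWAMP-Test sender header."""
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    vlan = None
    if ethertype == 0x8100:                      # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[off] & 0x0F) * 4                # IPv4 header length in bytes
    if frame[off + 9] != 17:
        raise ValueError("not UDP")
    udp = off + ihl
    sport, dport, ulen = struct.unpack_from("!HHH", frame, udp)
    payload = frame[udp + 8 : udp + ulen]        # UDP length excludes any FCS
    if len(payload) < 14:
        raise ValueError("too short for a TWAMP-Test sender packet")
    seq, ts_sec, ts_frac, err = struct.unpack_from("!IIIH", payload)
    return {
        "vlan": vlan, "sport": sport, "dport": dport,
        "payload_len": len(payload), "seq": seq,
        "timestamp": ts_sec + ts_frac / 2**32,   # 32.32 fixed-point seconds
        "err_s": err >> 15, "err_z": (err >> 14) & 1,
        "err_scale": (err >> 8) & 0x3F, "err_multiplier": err & 0xFF,
    }

if __name__ == "__main__":
    for key, value in parse_twamp_test_sender(FRAME).items():
        print(f"{key:15} {value}")
```
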
