Tshark not decoding f1ap_f1ap_RRCContainer

asked 2022-05-24 11:38:34 +0000

Dig Vijay gravatar image

We want to use the Tshark to convert the existing Pcap file into the ELK json file. Our PCAP file contains the dump of 5G F1AP/NGAP messages. In the output json file, all the messages are decoded fully except where the field is f1ap_f1ap_RRCContainer. This field value is still in hexstring format. Can someone help in how to decode this with tshark?

edit retag flag offensive close merge delete

Comments

What version of tshark are you running (tshark -v)?

Past work on this:
rrc container not decoded in F1AP
F1AP: dissect more RRC containers
MR: F1AP: dissect more RRC-Container instances
commit: F1AP: dissect more RRC-Container instances

If the latest tshark doesn't decode properly, can you share a capture file on a public file share and update the question with a link to it.

Chuckc gravatar imageChuckc ( 2022-05-24 14:02:04 +0000 )edit

we are using TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Dig Vijay gravatar imageDig Vijay ( 2022-05-24 14:35:43 +0000 )edit

we are using TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

That's a very old version. 3.6.5 is the current stable release.

grahamb gravatar imagegrahamb ( 2022-05-24 15:27:55 +0000 )edit

Thanks grahamb , after updating the version to 3.6.5 it is working.

Dig Vijay gravatar imageDig Vijay ( 2022-05-25 10:23:05 +0000 )edit

Hi Dig Vijay, Could you help me to provide the command you run decode message success because I have tried update the version tshark 3.6.5 but it's not decode successfully?

tudoinon gravatar imagetudoinon ( 2022-10-25 03:25:06 +0000 )edit