Ask Your Question
0

MATE: SS7 GSM-MAP: how to correlate msu with same OTID value

asked 2022-10-14 13:49:44 +0000

PhiPas gravatar image

Dear Colleagues, I would need some guidance to build a mate logic to correlate SS7 (GSM-MAP) messages. The common point of theses messages is the OTID value that can be found in the TCAP Begin message (start), so , all messages having this value in OTID (Origin TransactionID) or DTID (Destination Transaction ID) field would match. The stop would be TCAP END messages. Could the below trial be workable?

Pdu ss7_pdu Transport stcp { Extract otid From tcap.otid; };

Gop ss7_req On ss7_pdu Match (tcap.tid) { Start (tcap.begin_element); Stop (tcap.end_element); }; Done;

Thanks in advance Pascal

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2022-10-14 21:26:21 +0000

Chuckc gravatar image

This is a combination of your code and the 12.4.2. A Gop for HTTP requests in the WSUG.

Pdu ss7_pdu Proto tcap Transport ip {
    Extract tid From tcap.tid;
    Extract tcap_begin From tcap.begin_element;
    Extract tcap_end From tcap.end_element;
};

Gop ss7_req On ss7_pdu Match (tid) {
    Start (tcap_begin);
    Stop (tcap_end);
};

Done;
edit flag offensive delete link more

Comments

Thanks Chuckc, it's indeed working, nice. I realize that using mate.ss7_pdu.tid == "dd:42:09:05" is the same as using basic wireshark filter: tcap.tid == dd:42:09:05 So, that's not bringing the expected facilities unfortunately. I'd like to find a way to allow wireshark to group msu with the tid by simply sorting a column. But that does not seem to be possible Thanks for the help Pascal

PhiPas gravatar imagePhiPas ( 2022-10-20 15:55:38 +0000 )edit

There's a lot more flexibility if you're open to using a lua script.
Here is an example implementing modulo before it was added in Wireshark 4.0 (What’s New In Wireshark 4.0?):

Is there any way to obtain every 2nd, 3th, 7th etc. packet?

If you can define a way to group the packets, it's pretty easy to set a new field with a marker for that group.

Chuckc gravatar imageChuckc ( 2022-10-20 16:06:40 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-10-14 13:49:44 +0000

Seen: 199 times

Last updated: Oct 14 '22

Related questions

Malformed packet in the GSM MAP

ss7pcs to accomodate only point code without network indicator

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2