
Finding MAC error in decoding wireshark capture

asked 2023-03-15 11:11:01 +0000

praghave

updated 2023-03-16 04:45:43 +0000

Hi,

Need info on how to decode packets with PDCP header info. Following error is seen -

[Expert Info (Error/Sequence) MAC-I Digest wrong calculated 00000000 but found 5b5be0f5] Severity level : Error Group : Sequence

Is any patch needed in Wireshark to decode such packets? This issue is seen during a 5G attach call flow log, in the Security Mode Command message.

regards, Poornima

Unable to add the Wireshark log since it is looking for more points; I can mail it to anyone. Kindly share your mail id.

Thanks, Poornima


Comments

Please update the question with the output of wireshark -v or Help->About Wireshark:Wireshark.
Can you share a capture file? If so, stick it on a public file share and update the question with a link to it.

Chuckc ( 2023-03-15 12:23:12 +0000 )

Thanks for your kind reply, unable to upload the Wireshark capture but can mail you. Kindly share mail id or can mail me at - [email protected] https://drive.google.com/file/d/1vLwY... The pcap file is uploaded in the following location.

praghave ( 2023-03-16 04:46:49 +0000 )

1 Answer


answered 2023-03-16 19:15:50 +0000

Chuckc

updated 2023-03-16 19:18:24 +0000

There are mentions in a couple of places that ZUC is not supported/enabled.
Either add a comment to 16384: rrc container not decoded in F1AP asking for clarification, or open a new GitLab issue attaching the capture file and linking back to this question. If you open a new issue, maybe it can be to make the expert info message clearer w.r.t. ZUC.

16384: rrc container not decoded in F1AP includes the comment:

Note that in the pcap attached ZUC ciphering is activated, so all messages after the RRC Security Mode Complete do not decode properly.

packet-pdcp-nr.c:

    { nia3,         "NIA3 (ZUC)" },
...
    { nea3,         "NEA3 (ZUC)" },

Frame 2429 of your capture has:

securityAlgorithmConfig
    cipheringAlgorithm: nea1 (1)
    integrityProtAlgorithm: nia3 (3)

1716: PDCP-NR: Add ZUC Cipher/integrity calls.

As with Snow3G, we can't distribute Wireshark with NIA3/NEA3 implementations linked in, but provide f8/f9 calls that may be enabled in private builds.


Comments

As Chuck says, we should do better to explain why integrity isn't checked in this case. Also note that even with ZUC or Snow3G support in your build, you still need the derived keys in order to decrypt and check integrity.

MartinM ( 2023-03-16 22:06:15 +0000 )

Thanks for your comments. Raised a request in GitLab - bug number 18914

praghave ( 2023-03-17 06:02:41 +0000 )
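
A triage sketch for the situation discussed in this thread, added here as an example (it is not code from Wireshark or from any poster): it reads dissection text and separates "MAC-I Digest wrong" errors where the dissector could not have computed a digest from ones where a computed digest really differs. The function name, verdict labels and the rule that an all-zero calculated value means "no digest computed" are assumptions, and the algorithm line is assumed to appear before the error line in the input.

```python
import re

# Integrity algorithms whose f9 routines are not linked into distributed
# Wireshark builds, per the commit note quoted in the answer (nia3 = ZUC).
# nia1 is the SNOW 3G-based algorithm that note compares it to.
NOT_IN_STOCK_BUILD = {"nia1": "SNOW 3G", "nia3": "ZUC"}

ALG_RE = re.compile(r"integrityProtAlgorithm:\s*(nia\d)")
MAC_RE = re.compile(
    r"MAC-I Digest wrong\W*calculated ([0-9a-f]{8}) but found ([0-9a-f]{8})",
    re.IGNORECASE)

def triage(lines):
    """Return (algorithm, calculated, found, verdict) per MAC-I error line."""
    alg, results = None, []
    for line in lines:
        m = ALG_RE.search(line)
        if m:                       # remember the most recent negotiated algorithm
            alg = m.group(1)
            continue
        m = MAC_RE.search(line)
        if not m:
            continue
        calc, found = m.group(1).lower(), m.group(2).lower()
        if calc != "00000000":
            # A digest was computed and differs: wrong keys/inputs or altered data.
            verdict = "MISMATCH"
        elif alg in NOT_IN_STOCK_BUILD:
            # Assumption: all-zero "calculated" means no digest was computed.
            verdict = "UNVERIFIED_ALG_NOT_IN_STOCK_BUILD"
        else:
            verdict = "UNVERIFIED_CHECK_KEYS_AND_ALG"
        results.append((alg, calc, found, verdict))
    return results

# Constructed sample: the first two lines reuse text quoted in this thread,
# the last two are made up to show the contrasting case.
SAMPLE = [
    "    integrityProtAlgorithm: nia3 (3)",
    "[Expert Info (Error/Sequence) MAC-I Digest wrong calculated 00000000 but found 5b5be0f5]",
    "    integrityProtAlgorithm: nia2 (2)",
    "[Expert Info (Error/Sequence) MAC-I Digest wrong calculated 1a2b3c4d but found 99887766]",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

Only the `MISMATCH` rows point at the capture or the keys; the `UNVERIFIED_*` rows say the check was never performed, which is the case reported in the question.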
