First time here? Check out the FAQ!

Ask Your Question
0

Redefining a proprietary PFCP IE

asked Nov 10 '3

dandreye gravatar image

updated Nov 10 '3

Hi All,

Proprietary PFCP IE Type 245 is decoded (by the current stable WS build) as some Packet Delay Thresholds, I suppose 'cos some vendor was the first one to have shared their own PFCP IE specs with WS Eng. I need to redefine that IE in my WS (and likely several other IEs later) using a different vendor's spec, which I already have for that IE. Assuming it's doable with Lua as mentioned here by @ranjeetsih is there perhaps a complete sample Lua PFCP dissector that I could tweak to my liking w/o having to code anything from scratch? The @ranjeetsih's one seems to be incomplete (e.g. missing the actual dissecting code), so I'm getting an error when trying to plug it into my WS. Dissecting performance is not a concern - just need a 100% correct (as per my vendor spec) offline PFCP dissection at this point. Here's a pcap trace with the IE in question.

Many thanks in advance!

Preview: (hide)

1 Answer

Sort by » oldest newest most voted
0

answered Nov 10 '3

Chuckc gravatar image

updated Nov 10 '3

"Routines for Packet Forwarding Control Protocol (PFCP)" dissection (epan/dissectors/packet-pfcp.c) is implemented using the spec Ref 3GPP TS 29.244 V18.3.0 (2023-09-20).

packet-pfcp.c:

    { 245, "Packet Delay Thresholds"},         /* Extendable / Clause 8.2.169 */

Which come from the spec. Here is ETSI TS 129 244 V17.9.0 (2023-07) which shows the field on page 337:

image description

It's on the vendors to use the proper range:

IE type values within the range of 32768 to 65535 are used for vendor-specific IE and the value allocation is controlled by the vendor.

Which you could then add with a lua script.

image description

Preview: (hide)
link

Comments

@Chuckc: thank you. Can it still be redefined w/o any C/C++ coding then?

dandreye gravatar imagedandreye ( Nov 10 '3 )

I wonder if their code is writing the field in wrong endianness?

00 f5 = 245
f5 00 = 62720 (which is in the vendor range)

Chuckc gravatar imageChuckc ( Nov 10 '3 )

Well spotted - thank you: I'll double check with the vendor. Meanwhile a complete sample lua PFCP dissector would still really help (the one that works right away once placed at the path it belongs), if not with this particular IE then with those from the vendor specific range.

dandreye gravatar imagedandreye ( Nov 10 '3 )

There is an example capture (actually hexdump) attached to 17523: PFCP: Wrong Enterprise IE generic decoding offsets.
As time permits I'll work on a Lua example to extend the code in Add vsa defination for pfcp packet without compiling wireshark?

Chuckc gravatar imageChuckc ( Nov 10 '3 )

Thank you so much!

dandreye gravatar imagedandreye ( Nov 10 '3 )

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: Nov 10 '3

Seen: 347 times

Last updated: Nov 10 '23