First time here? Check out the FAQ!

Ask Your Question
0

Redefining a proprietary PFCP IE
 
  
 
  
 
 
 
 
 
 
    
        
        asked Nov 10 '3  
 
 dandreye gravatar image  
 
 
 
 
    
        
        updated Nov 10 '3  
 
 
 
 
 
Hi All,
 
Proprietary PFCP IE Type 245 is decoded (by the current stable WS build) as some Packet Delay Thresholds, I suppose 'cos some vendor was the first one to have shared their own PFCP IE specs with WS Eng. I need to redefine that IE in my WS (and likely several other IEs later) using a different vendor's spec, which I already have for that IE. Assuming it's doable with Lua as mentioned here by @ranjeetsih is there perhaps a complete sample Lua PFCP dissector that I could tweak to my liking w/o having to code anything from scratch? The @ranjeetsih's one seems to be incomplete (e.g. missing the actual dissecting code), so I'm getting an error when trying to plug it into my WS. Dissecting performance is not a concern - just need a 100% correct (as per my vendor spec) offline PFCP dissection at this point. Here's a pcap trace with the IE in question.
 
Many thanks in advance!
 
Preview: (hide)
 
 
 
 
          
 
add a comment
 
 
 
 
 
 1 Answer
    
 
 
                    Sort by »
                     oldest newest most voted 
 
 
 
 
 
  
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Nov 10 '3  
 
 Chuckc gravatar image  
 
 
 
 
    
        
        updated Nov 10 '3  
 
 
 
 
 
"Routines for Packet Forwarding Control Protocol (PFCP)" dissection
(epan/dissectors/packet-pfcp.c) is implemented using the spec Ref 3GPP TS 29.244 V18.3.0 (2023-09-20).
 
packet-pfcp.c:
 
    { 245, "Packet Delay Thresholds"},         /* Extendable / Clause 8.2.169 */

 
Which come from the spec. Here is ETSI TS 129 244 V17.9.0 (2023-07) which shows the field on page 337:
 
image description
 
It's on the vendors to use the proper range:
 
 
IE type values within the range of 32768 to 65535
  are used for vendor-specific IE and the value allocation is controlled by the vendor. 
 
 
Which you could then add with a lua script.
 
image description
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
@Chuckc: thank you. Can it still be redefined w/o any C/C++ coding then?
dandreye gravatar imagedandreye (
    
        Nov 10 '3
    )
I wonder if their code is writing the field in wrong endianness?
00 f5 = 245
f5 00 = 62720 (which is in the vendor range)
Chuckc gravatar imageChuckc (
    
        Nov 10 '3
    )
Well spotted - thank you: I'll double check with the vendor. Meanwhile a complete sample lua PFCP dissector would still really help (the one that works right away once placed at the path it belongs), if not with this particular IE then with those from the vendor specific range.
dandreye gravatar imagedandreye (
    
        Nov 10 '3
    )
There is an example capture (actually hexdump) attached to 17523: PFCP: Wrong Enterprise IE generic decoding offsets.

As time permits I'll work on a Lua example to extend the code in Add vsa defination for pfcp packet without compiling wireshark?
Chuckc gravatar imageChuckc (
    
        Nov 10 '3
    )
Thank you so much!
dandreye gravatar imagedandreye (
    
        Nov 10 '3
    )

            
                see more comments
            
        
 
 
 
 
  
 
 
 
 

    
        Your Answer
    

 
 Please start posting anonymously - your entry will be published after you log in or create a new account.

    

 
 
Add Answer
 
 
 
 
 
 
 
 
   
  
 
   
 
 
 
 
 
 
 
 
Question Tools
  
 

        
        
            1 follower
        
    
 
 
 subscribe to rss feed 
 
 
 
 
 
 
Stats
 

        Asked:  Nov 10 '3  
 
 
        Seen: 347 times 
 

        Last updated: Nov 10 '23 
 
 
 
Related questions
 
 
 Testing Lua Dissectors [closed] 
 
 Is there a simple LUA script as an example for simple pcaps? 
 
 how to precompile and use precompiled lua dissectors 
 
 Lua dissector: Field extractor to get the last matched userdata 
 
 Custom sub protocols registering with a custom protocol's dissector table 
 
 How can I save the packet list exactly as Wireshark is displaying it as a JSON? 
 
 Adding a custom dissector to wireshark 
 
 Lua dissector is not processing the full TCP payload. 
 
 multiple lua dissectors using same ports 
 
 how to invert two bytes in lua script dissector ?