
Redefining a proprietary PFCP IE

asked 2023-11-10 16:09:45 +0000

dandreye

updated 2023-11-10 16:44:32 +0000

Hi All,

Proprietary PFCP IE Type 245 is decoded (by the current stable WS build) as some Packet Delay Thresholds, I suppose 'cos some vendor was the first one to have shared their own PFCP IE specs with WS Eng. I need to redefine that IE in my WS (and likely several other IEs later) using a different vendor's spec, which I already have for that IE. Assuming it's doable with Lua as mentioned here by @ranjeetsih, is there perhaps a complete sample Lua PFCP dissector that I could tweak to my liking w/o having to code anything from scratch? @ranjeetsih's one seems to be incomplete (e.g. missing the actual dissecting code), so I'm getting an error when trying to plug it into my WS. Dissecting performance is not a concern - I just need a 100% correct (as per my vendor spec) offline PFCP dissection at this point. Here's a pcap trace with the IE in question.

Many thanks in advance!


1 Answer


answered 2023-11-10 16:58:40 +0000

Chuckc

updated 2023-11-10 17:06:55 +0000

"Routines for Packet Forwarding Control Protocol (PFCP)" dissection (epan/dissectors/packet-pfcp.c) is implemented using the spec Ref 3GPP TS 29.244 V18.3.0 (2023-09-20).


    { 245, "Packet Delay Thresholds"},         /* Extendable / Clause 8.2.169 */

Which comes from the spec. Here is ETSI TS 129 244 V17.9.0 (2023-07), which shows the field on page 337.

It's on the vendors to use the proper range:

IE type values within the range of 32768 to 65535 are used for vendor-specific IE and the value allocation is controlled by the vendor.

Which you could then add with a Lua script.



@Chuckc: thank you. Can it still be redefined w/o any C/C++ coding then?

dandreye ( 2023-11-10 17:16:14 +0000 )

I wonder if their code is writing the field in wrong endianness?

00 f5 = 245
f5 00 = 62720 (which is in the vendor range)

Chuckc ( 2023-11-10 17:19:06 +0000 )
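
The type-range rule from the answer and the byte-order hypothesis from the comment above, as an added example (not code from this thread or from Wireshark): a small Python walker over PFCP IEs that classifies each type and flags a 3GPP-range type whose byte-swapped value lands in the vendor range. The Enterprise ID layout is an assumption taken from the TS 29.244 IE format rather than from this page, the function names are hypothetical, and the sample bytes are constructed.

```python
import struct

VENDOR_MIN = 32768  # IE types 32768..65535 are vendor-specific (range quoted above)

def parse_ies(buf):
    """Walk a buffer of PFCP IEs; return (type, enterprise_id, value) tuples."""
    ies, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError(f"truncated IE header at offset {off}")
        # Type and Length are 2 octets each, network byte order.
        ie_type, length = struct.unpack_from("!HH", buf, off)
        body = buf[off + 4: off + 4 + length]
        if len(body) < length:
            raise ValueError(f"IE {ie_type} at offset {off} overruns the buffer")
        enterprise = None
        if ie_type >= VENDOR_MIN:
            # Assumption (TS 29.244 IE format): a vendor IE starts with a
            # 2-octet Enterprise ID that is counted in Length.
            if length < 2:
                raise ValueError(f"vendor IE {ie_type} lacks an Enterprise ID")
            enterprise, body = struct.unpack_from("!H", body)[0], body[2:]
        ies.append((ie_type, enterprise, body))
        off += 4 + length
    return ies

def swapped_type_hint(ie_type):
    """Return the byte-swapped type if only the swapped value is in the vendor range."""
    swapped = struct.unpack("<H", struct.pack(">H", ie_type))[0]
    if ie_type < VENDOR_MIN <= swapped:
        return swapped
    return None

# Constructed sample bytes (not taken from the poster's pcap).
SAMPLE = bytes.fromhex(
    "00f50002aabb"            # type 0x00f5 = 245, length 2
    "f5000004" "1234" "aabb"  # type 0xf500 = 62720, length 4, enterprise 0x1234
)

if __name__ == "__main__":
    for ie_type, ent, val in parse_ies(SAMPLE):
        kind = "vendor" if ent is not None else "3GPP"
        print(ie_type, kind, ent, val.hex(), swapped_type_hint(ie_type))
```
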

Well spotted - thank you: I'll double check with the vendor. Meanwhile a complete sample Lua PFCP dissector would still really help (the one that works right away once placed at the path it belongs), if not with this particular IE then with those from the vendor specific range.

dandreye ( 2023-11-10 17:26:52 +0000 )

There is an example capture (actually hexdump) attached to 17523: PFCP: Wrong Enterprise IE generic decoding offsets.
As time permits I'll work on a Lua example to extend the code in Add vsa defination for pfcp packet without compiling wireshark?

Chuckc ( 2023-11-10 17:30:45 +0000 )

Thank you so much!

dandreye ( 2023-11-10 17:33:54 +0000 )
