Ask Your Question
0

Redefining a proprietary PFCP IE

asked 2023-11-10 16:09:45 +0000

dandreye gravatar image

updated 2023-11-10 16:44:32 +0000

Hi All,

Proprietary PFCP IE Type 245 is decoded (by the current stable WS build) as some Packet Delay Thresholds, I suppose 'cos some vendor was the first one to have shared their own PFCP IE specs with WS Eng. I need to redefine that IE in my WS (and likely several other IEs later) using a different vendor's spec, which I already have for that IE. Assuming it's doable with Lua as mentioned here by @ranjeetsih is there perhaps a complete sample Lua PFCP dissector that I could tweak to my liking w/o having to code anything from scratch? The @ranjeetsih's one seems to be incomplete (e.g. missing the actual dissecting code), so I'm getting an error when trying to plug it into my WS. Dissecting performance is not a concern - just need a 100% correct (as per my vendor spec) offline PFCP dissection at this point. Here's a pcap trace with the IE in question.

Many thanks in advance!

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-11-10 16:58:40 +0000

Chuckc gravatar image

updated 2023-11-10 17:06:55 +0000

"Routines for Packet Forwarding Control Protocol (PFCP)" dissection (epan/dissectors/packet-pfcp.c) is implemented using the spec Ref 3GPP TS 29.244 V18.3.0 (2023-09-20).

packet-pfcp.c:

    { 245, "Packet Delay Thresholds"},         /* Extendable / Clause 8.2.169 */

Which come from the spec. Here is ETSI TS 129 244 V17.9.0 (2023-07) which shows the field on page 337:

image description

It's on the vendors to use the proper range:

IE type values within the range of 32768 to 65535 are used for vendor-specific IE and the value allocation is controlled by the vendor.

Which you could then add with a lua script.

image description

edit flag offensive delete link more

Comments

@Chuckc: thank you. Can it still be redefined w/o any C/C++ coding then?

dandreye gravatar imagedandreye ( 2023-11-10 17:16:14 +0000 )edit

I wonder if their code is writing the field in wrong endianness?

00 f5 = 245
f5 00 = 62720 (which is in the vendor range)

Chuckc gravatar imageChuckc ( 2023-11-10 17:19:06 +0000 )edit

Well spotted - thank you: I'll double check with the vendor. Meanwhile a complete sample lua PFCP dissector would still really help (the one that works right away once placed at the path it belongs), if not with this particular IE then with those from the vendor specific range.

dandreye gravatar imagedandreye ( 2023-11-10 17:26:52 +0000 )edit

There is an example capture (actually hexdump) attached to 17523: PFCP: Wrong Enterprise IE generic decoding offsets.
As time permits I'll work on a Lua example to extend the code in Add vsa defination for pfcp packet without compiling wireshark?

Chuckc gravatar imageChuckc ( 2023-11-10 17:30:45 +0000 )edit

Thank you so much!

dandreye gravatar imagedandreye ( 2023-11-10 17:33:54 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-11-10 16:09:45 +0000

Seen: 111 times

Last updated: Nov 10 '23

Related questions

Testing Lua Dissectors [closed]

Is there a simple LUA script as an example for simple pcaps?

how to precompile and use precompiled lua dissectors

Lua dissector: Field extractor to get the last matched userdata

Custom sub protocols registering with a custom protocol's dissector table

How can I save the packet list exactly as Wireshark is displaying it as a JSON?

Adding a custom dissector to wireshark

Lua dissector is not processing the full TCP payload.

multiple lua dissectors using same ports

how to invert two bytes in lua script dissector ?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2