Text2pcap ISDN Q931 HEX

asked 2024-02-20 16:11:15 +0000


Hi,

I have a Q931 hex capture. Something like :

000000 08 02 ae 15 02 18 03 a9 83 96
000000 08 02 ae 15 01
000000 08 02 2e 15 45 08 02 80 90
000000 08 02 ae 15 4d
000000 08 02 2e 15 5a

I don't know how to use text2pcap in order to make a pcap with only this.

I saw this old post https://osqa-ask.wireshark.org/questi...

If I add a dummy LDAP header like:

000000 02 01 ba a6
000004 08 02 ae 15 02 18 03 a9 83 96
000000 02 01 ba a6
000004 08 02 ae 15 01
000000 02 01 ba a6
000004 08 02 2e 15 45 08 02 80 90
000000 02 01 ba a6
000004 08 02 ae 15 4d
000000 02 01 ba a6
000004 08 02 2e 15 5a

and I use

text2pcap -l 203 file.txt file.pcap

it's OK.

But I would like to get it without the fake LDAP layer.

Regards

Gates


1 Answer


answered 2024-02-20 22:09:25 +0000


updated 2024-02-21 03:57:05 +0000

The advice in the Wiki about "How to Dissect Anything" is your best bet here.

There is no link-layer type used in pcap or pcapng for Q931 by itself. However, you can use one of the private use USER link types from 147 to 162.

text2pcap -E user3 q931.txt q931.pcapng

(or text2pcap -l 150 q931.txt q931.pcapng)

You can then tell your personal version of Wireshark to dissect that particular User DLT as you wish, by using the user DLT. In your case, you would then configure DLT 150 to use the q931 dissector.

The disadvantage, as this is a private use data link type, is that if you share the file with someone else, they will also have to configure Wireshark similarly to read it, unlike using the LDAP link layer type.

_edit_: Another option is to use the WIRESHARK_UPPER_PDU link layer type, with text2pcap -E wireshark-upper-pdu -P q931 q931.txt q931.pcapng or text2pcap -l 252 -P q931 q931.txt q931.pcapng

(If you enter text2pcap -E with nothing else, it will list all possible encapsulations and their descriptions.)

text2pcap -P <dissector> is supposed to automatically set the link layer type to WIRESHARK_UPPER_PDU, but it seems like that's currently broken.

The WIRESHARK_UPPER_PDU type adds some metadata that tells Wireshark what dissector to run to process the following data. It makes a slightly larger file, but has the advantage that anyone else opening the file in Wireshark or tshark can make it work. Non-Wireshark programs that read pcaps still probably can't deal with it, but they can perhaps see the metadata.

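As an added example (not part of the answer above, and not text2pcap's own code), the following Python script does by hand what `text2pcap -E wireshark-upper-pdu -P q931` does: it splits the question's text2pcap-style hex lines into frames (a new frame starts whenever the offset returns to 000000), prefixes each frame with the exported-PDU metadata that names the `q931` dissector, and writes a classic pcap whose link type is 252 (LINKTYPE_WIRESHARK_UPPER_PDU). The tag numbers (12 for the protocol name, 0 for end-of-options) and the 4-byte padding of the name are taken from Wireshark's exported_pdu.h as this editor recalls it, so treat them as an assumption to check against the header file; the timestamps are constructed, since the dump has none.

```python
"""Build a LINKTYPE_WIRESHARK_UPPER_PDU pcap from text2pcap-style Q.931 hex lines.

Added example: reproduces the effect of
    text2pcap -E wireshark-upper-pdu -P q931 q931.txt q931.pcap
so that any Wireshark/tshark opens the file and dissects the frames as Q.931.
"""
import struct

# Constructed input: the five frames from the question, in text2pcap's
# "<hex offset> <bytes>" format. An offset of 000000 starts a new frame.
Q931_HEX = """\
000000 08 02 ae 15 02 18 03 a9 83 96
000000 08 02 ae 15 01
000000 08 02 2e 15 45 08 02 80 90
000000 08 02 ae 15 4d
000000 08 02 2e 15 5a
"""

LINKTYPE_WIRESHARK_UPPER_PDU = 252
# Tag values assumed from Wireshark's epan/exported_pdu.h.
EXP_PDU_TAG_END_OF_OPT = 0
EXP_PDU_TAG_PROTO_NAME = 12


def parse_text2pcap_hex(text):
    """Split dump lines into a list of byte frames, using text2pcap's rule
    that an offset of zero begins a new packet and later offsets continue it."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        offset = int(parts[0], 16)
        data = bytes(int(b, 16) for b in parts[1:])
        if offset == 0 or not frames:
            frames.append(bytearray())
        if offset != len(frames[-1]):
            raise ValueError(
                f"offset {offset:#x} does not match frame length {len(frames[-1])}")
        frames[-1] += data
    return [bytes(f) for f in frames]


def exported_pdu_header(dissector):
    """Exported-PDU metadata: TLVs of (2-byte tag, 2-byte length, value),
    the dissector name NUL-padded to a 4-byte boundary, then an end tag."""
    name = dissector.encode("ascii")
    padded_len = (len(name) + 3) & ~3
    return (struct.pack(">HH", EXP_PDU_TAG_PROTO_NAME, padded_len)
            + name.ljust(padded_len, b"\0")
            + struct.pack(">HH", EXP_PDU_TAG_END_OF_OPT, 0))


def build_pcap(frames, dissector="q931"):
    """Return the bytes of a classic little-endian pcap file with link type
    252, each record being <exported-PDU header><frame>."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                                LINKTYPE_WIRESHARK_UPPER_PDU))
    header = exported_pdu_header(dissector)
    for i, frame in enumerate(frames):
        record = header + frame
        # Constructed timestamps: the dump carries none, so space frames 1 s apart.
        out += struct.pack("<IIII", i, 0, len(record), len(record))
        out += record
    return bytes(out)


if __name__ == "__main__":
    frames = parse_text2pcap_hex(Q931_HEX)
    with open("q931.pcap", "wb") as fh:
        fh.write(build_pcap(frames))
    print(f"wrote {len(frames)} Q.931 frames to q931.pcap")
```

Run it and open q931.pcap in Wireshark: the Exported PDU layer carries the dissector name, so no per-user DLT configuration is needed, which is the portability advantage the answer describes over a private USER link type.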

Comments

It can also be done from the command line using -o <preference/recent setting> (Wireshark man page):

-o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""

Chuckc (2024-02-20 22:31:01 +0000)

Perhaps text2pcap should add support for LINKTYPE_WIRESHARK_UPPER_PDU.

Guy Harris (2024-02-21 02:17:08 +0000)

Good point, that is an option, ever since 4.0.

johnthacker (2024-02-21 03:52:10 +0000)

text2pcap -P <dissector> is supposed to automatically set the link layer type to WIRESHARK_UPPER_PDU, but it seems like that's currently broken.

Your merge request fixed that. I've backported it to the 4.2 and 4.0 branches, so the next 4.0.x and 4.2.x releases should allow this. (3.6.x doesn't support -P.)

Guy Harris (2024-02-21 05:31:25 +0000)

Stats

Asked: 2024-02-20 16:11:15 +0000

Seen: 232 times

Last updated: Feb 21