Ask Your Question
0

How to dissect 5G RRC L3 messsages from L1 packets Tx_Data.request (FAPI logs) in wireshark using a custom dissector DLL?

asked 2025-09-09 10:31:23 +0000

pcap_enjoyer gravatar image

updated 2025-09-09 10:38:45 +0000

I am working at the PHY (L1) layer in a 5G NR stack implementation. At this layer, I receive Tx_Data.request messages from MAC (as per Small Cell Forum FAPI interface). These contain transport blocks that L1 needs to transmit.

My goal is to:

  • Export these Tx_Data.request payloads into a pcap.

  • Open the pcap in Wireshark.

  • Decode the actual RRC messages (e.g., RRCSetup, RRCReconfiguration) contained in SRB PDUs.

What I tried so far

  • I can already capture and dump the Tx_Data.request into a pcap file.

  • Wireshark correctly shows my custom protocol dissector for FAPI messages.

  • However, if I try to directly call the RRC dissector on the payload, it fails.

If I modify my custom Wireshark plugin DLL (generated using C, nmake), can I just strip headers and call the RRC dissector directly, or do I need to implement the whole MAC → RLC → PDCP chain first?

edit retag flag offensive close merge delete

Comments

I suspect you're following an old recipe by using "nmake", Wireshark hasn't used that in a long time, instead the Wireshark build is configured using CMake to generate a VS solution.

What version of Wireshark are you using?

grahamb gravatar imagegrahamb ( 2025-09-09 15:39:18 +0000 )edit

Custom plugin generated using C,nmake is working fine. I'm able to dissect L1 FAPI packets without any issues. I'm using Wireshark 4.4.0

pcap_enjoyer gravatar imagepcap_enjoyer ( 2025-09-10 07:04:44 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2025-09-11 20:47:30 +0000

MartinM gravatar image

Is this a different flavour from https://gitlab.com/wireshark/wireshar... ? That one doesn't seem to call any MAC or RRC dissectors for any payloads it finds..

I implemented a version of this for 4G (TI), and the payloads were MAC PDUs. My dissector would have inferred the direction, RNTI, RNTI-Type, size, and attached the equivalent of a filled-in mac_nr_info structure, then called the MAC-NR dissector for a tvb containing the payload. You should hopefully get good decodes all the way up the stack to IP or RRC (if PDCP keys are available, if used) - assuming the MAC/RLC/PDCP dissector preferences are appropriately set to let RRC configure them.

Notice that for RRC, you would need to call for the right dissector depending upon channel and direction, e.g. "nr-rrc.dl.dcch or nr-rrc.ul.dcch. But if you call mac-nr, it can work this out for you.

My preference was just to apply display filters for the traffic I wanted to see (but obviously these files can quickly become big/slow).

edit flag offensive delete link more

Comments

I tried calling "mac-nr" dissector with my PDU. But I keep getting

MAC-NR Can't dissect NR MAC frame because no per-frame info was attached!

Even though I'm filling necessary per-frame context before calling.

pcap_enjoyer gravatar imagepcap_enjoyer ( 2025-09-12 07:59:23 +0000 )edit

One example of attaching the info and calling the dissector is in packet-catapult-dct2000.c

You prepare the struct then call set_mac_nr_proto_data(). packet-catapult-dct2000.c does this in 2 places, the 2nd one is more general.

MartinM gravatar imageMartinM ( 2025-09-12 08:32:26 +0000 )edit

Has this worked for you?

MartinM gravatar imageMartinM ( 2025-09-15 18:58:41 +0000 )edit

For SI_RNTI, I'm able to get MAC NR BCCH PDU. However it is not parsing further RRC messages.

pcap_enjoyer gravatar imagepcap_enjoyer ( 2025-09-16 10:25:02 +0000 )edit

You need to set rnti, rntitype, direction - but also check the dissector preferences for mac-nr. You need to check the box to treat low LCID values as SRB. After that you might need to check rlc-nr and pdcp-nr settings too.

MartinM gravatar imageMartinM ( 2025-09-16 11:58:32 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2025-09-09 10:31:23 +0000

Seen: 7,876 times

Last updated: Sep 11

Related questions

how to invert two bytes in lua script dissector ?

How do I get and display packet data information at a specific byte from the first byte?

why protocol is not showing as HTTP even though we sent http request ?

Adjusting Bit order and Endianess in LUA between Dissectors

How do I add "child item" to an item in the subtree?

PRP Dissector and FCS

Use a UDP payload dissector depending on ip addresses

Reuse (part of) a Wireshark Dissector

Heuristic dissector not called

How do I dissect multiple packets?