Ask Your Question
0

Is possible to remove layers/headers from pcap?

asked 2018-12-21 06:06:59 +0000

cgkas gravatar image

updated 2018-12-21 06:16:02 +0000

Hello to all,

Having a pcap with layers like below and even ethernet layer, is possible to remove the first 3 headers, this is

Linux cooked capture
IPv4
SCTP

and leave only the layers from MTP3 to GSM MAP?

In other word, pass from first image to second image, in order that when I open the editted pcap in Wireshark shows only these layers?

MTP3
SCCP
TCAP
GSM Mobie Application
GSM SMS

Thanks for any help.

image description

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-12-21 06:29:54 +0000

Anders gravatar image

Use exported PDU in the file menu.

edit flag offensive delete link more

Comments

Thanks for answer Anders.

The original packet has:

Frame X
Ethernet II
IPv4
SCTP
MTP2
MTP3
SCCP
TCAP
MAP

When I try Export PDUs to file and select "OSI layer 3" changes to

Frame X
EXPORTED_PDU
MTP2
MTP3
SCCP
TCAP
MAP

And I want to visualize in the following way, if possible only showing this layers?

Frame X
MTP3
SCCP
TCAP
MAP

The thing is I have several hex dump that I need to convert with Text2Pcap, but the data begins in MTP3 layer and when I copy the bytes from Ethernet to MTP2 and then add the MTP3 bytes, when I convert to pcap the first packet looks correct but the others appear as RETRANSMISSION ansdI think this is because has the same values for previous layer (SCTP, MTP2, etc)

cgkas gravatar imagecgkas ( 2018-12-21 16:03:48 +0000 )edit

Using text2pcap I think you can use a user dlt and then tie his user dlt to mtp3 in Wiresharks GUI.

Anders gravatar imageAnders ( 2018-12-21 20:04:00 +0000 )edit

I tried user DLT in Export PDU to file option and in filter I put MTP3 but after that everything disappears.

cgkas gravatar imagecgkas ( 2018-12-21 20:58:17 +0000 )edit

You can use tex2pcap to covert your HEX dump to an User dlt with mtp3 as payload then define that dlt in wireshark to be decoded as mtp3. No Need for exported pdu. But if you have a trace with the full stack you can shave layers off with exported pdu.

Anders gravatar imageAnders ( 2018-12-21 23:13:04 +0000 )edit

Thanks Anders for your suggestions.

cgkas gravatar imagecgkas ( 2018-12-23 01:39:50 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-12-21 06:06:59 +0000

Seen: 215 times

Last updated: Dec 21 '18