Can layers that are before SCTP be deleted?
Hello to all,
I have an MTP3 pcap file that, when I open it in Wireshark, shows
Frame1
Ethernet
IPV4
MTP2
MTP3
SCCP
TCAP
GSM MAP
I was able to modify bytes 20-23, which are the link-layer header type; in the original file they were 01 00 00 00, that is 1 = Ethernet. So I modified them from 01 00 00 00 to 8D 00 00 00, where 8D = 141 = MTP3 (http://www.tcpdump.org/linktypes.html):
D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 00 00 04 00 8D 00 00 00
After doing this and removing the Ethernet, IPV4 and MTP2 bytes, the file was successfully understood by Wireshark, showing only the following layers.
Frame1
MTP3
SCCP
TCAP
GSM MAP
Now I have another file that has the following layers:
Frame1
Ethernet
IPV4
SCTP
M3UA
SCCP
TCAP
GSM MAP
and I would like to remove the Ethernet, IPV4 and SCTP layers, or at least Ethernet and IPV4. I did the same thing, changing byte 20 from 01 = Ethernet to F8 = 248 = SCTP and removing the bytes for Ethernet and IPV4, but when I open the file in Wireshark this time it says "Malformed packet", or gives an error and cannot be opened.
I would like to get a file that shows only these layers.
Frame1
SCTP
M3UA
SCCP
TCAP
GSM MAP
or
Frame1
M3UA
SCCP
TCAP
GSM MAP
I also tried with editcap, like below, and when the output is opened in Wireshark it shows "Malformed packet".
editcap -T sctp input.pcap output.pcap
Is it possible to do this?
Thanks for any help.
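As an added example (not code from the original poster), the following Python script performs the rewrite described in the question on a little-endian pcap: it sets the link-layer type at offset 20 to 248 (LINKTYPE_SCTP), strips the 14-byte Ethernet header and the variable-length IPv4 header from every record, and recomputes each record's incl_len/orig_len so the per-packet lengths still match the bytes that follow. The sample frame it builds is constructed for the demonstration, not taken from the poster's trace, and the output file name is hypothetical.

```python
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_SCTP = 248      # 0xF8, the value written into bytes 20-23 of the global header
IPPROTO_SCTP = 132
ETHERTYPE_IPV4 = 0x0800

def strip_to_sctp(pcap: bytes) -> bytes:
    """Rewrite a little-endian Ethernet/IPv4/SCTP pcap so its first layer is SCTP.

    The 24-byte global header keeps magic, version and snaplen; only the link-layer
    type at offset 20 changes. Every record loses its 14-byte Ethernet header and its
    IHL*4-byte IPv4 header, and incl_len/orig_len are recomputed. Records that are not
    IPv4-over-Ethernet carrying SCTP are rejected instead of being emitted.
    """
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian pcap (D4 C3 B2 A1) with LINKTYPE_ETHERNET")
    out = bytearray(pcap[:20]) + struct.pack("<I", LINKTYPE_SCTP)
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            raise ValueError("record is not IPv4 over Ethernet")
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_SCTP:
            raise ValueError("IPv4 payload is not SCTP (protocol 132)")
        payload = ip[ihl:]                     # SCTP common header + chunks
        stripped = 14 + ihl
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), orig_len - stripped)
        out += payload
    return bytes(out)

def build_sample_pcap() -> bytes:
    """Constructed input: one Ethernet/IPv4/SCTP frame with a SHUTDOWN COMPLETE chunk."""
    sctp = struct.pack("!HHII", 2905, 2905, 0, 0) + bytes([0x0E, 0, 0, 4])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(sctp), 1, 0, 64, IPPROTO_SCTP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + sctp   # zeroed MACs
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec = struct.pack("<IIII", 1, 0, len(frame), len(frame))
    return ghdr + rec + frame

if __name__ == "__main__":
    with open("sctp_only.pcap", "wb") as f:   # hypothetical output file name
        f.write(strip_to_sctp(build_sample_pcap()))
```

The same structure, with the IPv4 protocol check and the per-record strip adjusted, is what an MTP3-over-MTP2 capture needs when it is rewritten to link-layer type 141 as in the first part of the question.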
It's probably not going to work because of the link layer type. Wireshark needs to know what the first layer of the packet contains, and that's what the link layer type does - so there's probably no LL type for SCTP or M3UA, and so Wireshark cannot dissect the modified packets. Out of curiosity - why do you want to do this at all? To save space, or to remove the Ethernet/IP addresses?
Hello Jasper, there is a link-layer header type for SCTP, which is 248, so I don't know how to construct a PCAP with LL header type 248 that works in Wireshark. I have some traces from another tool that only gives the binary data for M3UA/SCCP/TCAP/MAP. This tool doesn't give the information for Ethernet, IPV4 or SCTP, and since I want to convert this hex stream into pcap format I need a way to show the trace without Ethernet, IPV4 and SCTP; saving space is another good reason.
Does the HowToDissectAnything wiki page help?
Thanks, cmaynard, for the info shared. It gave me some light on how to do this. Regards