Can the layers before SCTP be deleted?

asked 2019-01-21 21:59:45 +0000

cgkas

Hello to all,

I have an MTP3 pcap file that, when I open it in Wireshark, shows

Frame1 Ethernet IPV4 MTP2 MTP3 SCCP TCAP GSM MAP

I was able to modify bytes 20-23, which are the link-layer header type, where the original file had 01 00 00 00, i.e. 1 = Ethernet. So, I changed 01 00 00 00 to 8D 00 00 00, where 8D = 141 = MTP3 (http://www.tcpdump.org/linktypes.html)

D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 00 00 04 00 8D 00 00 00

After doing this and removing the Ethernet, IPv4 and MTP2 bytes, the file was successfully understood by Wireshark, showing only the following layers.

Frame1 MTP3 SCCP TCAP GSM MAP

Now I have another file that has the following layers:

Frame1 Ethernet IPV4 SCTP M3UA SCCP TCAP GSM MAP

and I would like to remove the Ethernet, IPv4 and SCTP layers, or at least Ethernet and IPv4. I did the same thing, changing byte 20 from 01 = Ethernet to F8 = 248 = SCTP and removing the bytes for Ethernet and IPv4, but when I open the file in Wireshark this time it says Malformed packet, or it gives an error and cannot be opened.

I would like to get a file that shows only these layers.

Frame1 SCTP M3UA SCCP TCAP GSM MAP

or

Frame1 M3UA SCCP TCAP GSM MAP

I also tried with editcap, as below, and when the output is opened in Wireshark it appears as a malformed packet.

editcap -T sctp input.pcap output.pcap

Is it possible to do this?

Thanks for any help.

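As an added example (not from the asker or anyone in this thread), a Python script that performs the rewrite described in the question on a classic pcap: it sets the link-layer type at bytes 20-23 to 248 (LINKTYPE_SCTP), strips the Ethernet and IPv4 headers from every record using the IPv4 IHL field, and, a step a hand edit can easily miss, shrinks each record's incl_len and orig_len so Wireshark reads the following records at the right offsets. It goes beyond the single file in the question by also handling an 802.1Q VLAN tag, IPv4 options and both pcap byte orders; the one-packet sample capture in build_sample() is constructed here and is not the asker's trace.

```python
import struct

LINKTYPE_SCTP = 248   # tcpdump LINKTYPE_SCTP: SCTP packet with no IP/Ethernet below it
ETHERTYPE_IPV4, ETHERTYPE_VLAN, IPPROTO_SCTP = 0x0800, 0x8100, 132

def strip_eth_ipv4(pkt: bytes):
    """Return (sctp_bytes, sctp_wire_len) for one Ethernet/IPv4/SCTP frame."""
    eth_len, ethertype = 14, struct.unpack_from("!H", pkt, 12)[0]
    if ethertype == ETHERTYPE_VLAN:                 # 802.1Q tag adds 4 bytes
        eth_len, ethertype = 18, struct.unpack_from("!H", pkt, 16)[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ihl = (pkt[eth_len] & 0x0F) * 4                 # IPv4 header length, options included
    total = struct.unpack_from("!H", pkt, eth_len + 2)[0]
    if pkt[eth_len + 9] != IPPROTO_SCTP:
        raise ValueError("IPv4 payload is not SCTP")
    # cut at the IP total length so Ethernet padding/trailer bytes are dropped too
    return pkt[eth_len + ihl:eth_len + total], total - ihl

def rewrite_pcap(data: bytes) -> bytes:
    """Rewrite a classic pcap: linktype -> 248, every record reduced to its SCTP bytes."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if e is None:
        raise ValueError("not a classic pcap (pcapng needs a different tool)")
    hdr = list(struct.unpack(e + "IHHiIII", data[:24]))
    hdr[6] = LINKTYPE_SCTP                          # bytes 20-23 of the file header
    out, off = [struct.pack(e + "IHHiIII", *hdr)], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack(e + "IIII", data[off:off + 16])
        sctp, wire_len = strip_eth_ipv4(data[off + 16:off + 16 + incl])
        # per-record lengths must shrink with the packet or the next record is misread
        out += [struct.pack(e + "IIII", ts_sec, ts_usec, len(sctp), wire_len), sctp]
        off += 16 + incl
    return b"".join(out)

def build_sample() -> bytes:
    """Constructed one-packet Ethernet/IPv4/SCTP capture (not the asker's file)."""
    sctp = struct.pack("!HHII", 2905, 2905, 0x11223344, 0)   # common header, CRC left 0
    sctp += bytes.fromhex("0e000004")                         # SHUTDOWN COMPLETE chunk
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(sctp), 1, 0, 64,
                     IPPROTO_SCTP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\x00\x11\x22\x33\x44\x55" * 2 + struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth + ip + sctp + b"\x00" * 4                     # 4 bytes Ethernet padding
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # v2.4, Ethernet
    rec = struct.pack("<IIII", 1548107985, 0, len(frame), len(frame))
    return ghdr + rec + frame
```

For a real file, pass the bytes of input.pcap to rewrite_pcap() and write the result to a new file; the script aborts on any record that is not Ethernet/IPv4/SCTP rather than writing a half-converted capture.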

Comments

It's probably not going to work because of the link layer type. Wireshark needs to know what the first layer of the packet contains, and that's what the link layer type does - so there's probably no LL type for SCTP or M3UA, and so Wireshark cannot dissect the modified packets. Out of curiosity - why do you want to do this at all? To save space, or to remove the Ethernet/IP addresses?

Jasper (2019-01-22 15:29:58 +0000)

Hello Jasper, there is a link-layer header type for SCTP, which is 248, so I don't know how to construct a PCAP with LL header type 248 that works in Wireshark. I have some traces from another tool that only gives the binary data for M3UA/SCCP/TCAP/MAP. This tool doesn't give the information for Ethernet, IPv4 or SCTP, and since I want to convert this hex stream into pcap format I need a way to show the trace without Ethernet, IPv4 and SCTP; saving space is another good reason.

cgkas (2019-01-22 16:02:15 +0000)

Does the HowToDissectAnything wiki page help?

cmaynard (2019-01-22 21:15:00 +0000)

Thanks, cmaynard, for the info shared. It gave me some light on how to do this. Regards

cgkas (2019-01-23 06:41:49 +0000)