Is 5G NGAP/NAS Registration decode broken in 2.9.1.x versions?

asked 2019-02-04 19:01:52 +0000

James

I just upgraded from 2.9.0 to 2.9.1 and can no longer decode 5G NGAP/NAS Registration msgs (Malformed Packet: NAS-5GS). I couldn't find the earlier versions of Wireshark either, and unfortunately I didn't stash the win64 .exe anywhere on my laptop. Are the older versions stored anywhere and still available?




Frame 866: 150 bytes on wire (1200 bits), 150 bytes captured (1200 bits) on interface 1
    Ethernet II, Src: SuperMic_0d:f5:81 (0c:c4:7a:0d:f5:81), Dst: IETF-VRRP-VRID_c3 (00:00:5e:00:01:c3)
    Internet Protocol Version 4, Src:, Dst:
    Stream Control Transmission Protocol, Src Port: 38412 (38412), Dst Port: 38412 (38412)
    NG Application Protocol
        NGAP-PDU: initiatingMessage (0)
                procedureCode: id-InitialUEMessage (15)
                criticality: ignore (1)
                        protocolIEs: 4 items
                            Item 0: id-RAN-UE-NGAP-ID
                                    id: id-RAN-UE-NGAP-ID (85)
                                    criticality: reject (0)
                                        RAN-UE-NGAP-ID: 1
                            Item 1: id-NAS-PDU
                                    id: id-NAS-PDU (38)
                                    criticality: reject (0)
                                        NAS-PDU: 7e00410111070d0164f003ff0f000000100001101001012e…
                                        Non-Access-Stratum 5GS (NAS)PDU
                                            Plain NAS 5GS Message
                                                Extended protocol discriminator: 5G mobility management messages (126)
                                                0000 .... = Spare Half Octet: 0
                                                .... 0000 = Security header type: Plain NAS message, not security protected (0)
                                                Message type: Registration request (0x41)
                                                ...0 .... = Follow-On Request bit (FOR): No ...
James ( 2019-02-04 19:03:37 +0000 )

@James, Oops, when reformatting your comment I might have chopped a bit off, sorry.

You can see all released versions here and the last few automated builds in the automated directory here.

grahamb ( 2019-02-04 20:22:39 +0000 )

Which version of NAS-5GS is your product using? Wireshark 2.9.1 is currently being upgraded to the December 18 releases, which probably introduced some non-backward-compatible changes.

Pascal Quantin ( 2019-02-04 21:22:12 +0000 )

Ok - that may be the reason. I believe we're only at June or Sept levels. I found the 2.9.0 versions. Thanks.

James ( 2019-02-04 23:44:04 +0000 )

Hi @James, could you kindly share a valid 5GS registration message pcap? I tried to construct one by hand with the following octets, but it failed to be decoded by Wireshark: 0x7E,0x00,0x41,0x01,0x0B,0xF2,0x64,0xF6,0x29,0x5A,0xB6,0xA1,0x89,0x67,0x45,0x23

biruei.chiu ( 2019-02-25 04:52:12 +0000 )

1 Answer


answered 2019-02-04 23:41:44 +0000

James

I did find the earlier versions of Wireshark to download: For some reason I had this one bookmarked:


Seen: 1,630 times

Last updated: Feb 04 '19