This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter GSM MAP requests and responses with single filter

0

I'm trying to find a proper way to filter requests and responses for GSM MAP operations. So, usually a capture looks like this:

    TCAP
     - Transaction ID
     - Components
    GSM MAP
     - opCode
     - MSISDN
     - etc

I.e., GSM MAP is the payload of TCAP. I filter requests based on MAP values (opCode and msisdn), such as

    (gsm_map.address.digits == "123456789") && (gsm_old.localValue == 45)

The response comes with the same TCAP Transaction ID, so I manually extract it from the request and filter again:

    tcap.tid == 78:16

This shows both the needed request and response. All this can be done by hand by writing filters twice, as described above. I was wondering if it's possible to write one single filter to extract both requests and responses at once (by using msisdn and opCode as inputs only). Is that possible or should one write a postdissector in Lua to do such tasks?

filter map request response

asked 11 Oct '12, 06:47

mariusm


One Answer:

0

I don't think you can do that with just display filters.

Another way (besides using Lua) would be to use MATE. I'd think you could create a Group Of Packets (GOP) for each MSISDN + opCode and filter on that. Of course you'd probably end up with multiple transactions in each GOP.

answered 11 Oct '12, 10:45

JeffMorriss ♦
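The two-step procedure from the question, done outside Wireshark as an added example (not code from this thread or from the Wireshark project): it reads tab-separated `tshark -T fields` output, collects the `tcap.tid` values of packets that match an MSISDN and opCode, then returns every frame sharing those IDs plus a display filter to paste. The sample rows and all function names are constructed for illustration.

```python
# Constructed sample rows (not from a real capture), in the layout produced by:
#   tshark -r capture.pcap -T fields -e frame.number -e tcap.tid \
#          -e gsm_old.localValue -e gsm_map.address.digits
SAMPLE = "\n".join([
    "1\t78:16\t45\t123456789",      # request: opCode 45 for the wanted MSISDN
    "2\t11:02\t45\t555000111",      # same opCode, different MSISDN
    "3\t78:16\t45\t",               # response: same transaction ID, no MSISDN
    "4\t11:02\t45\t",               # response to the other transaction
    "5\t20:aa\t46\t123456789,999",  # wanted MSISDN, different opCode
    "6\t\t\t",                      # packet without TCAP/MAP fields
])

def multi(cell):
    """tshark joins repeated occurrences of one field with ','."""
    return [v for v in cell.split(",") if v]

def load(text):
    rows = []
    for line in text.splitlines():
        cells = line.split("\t")
        if len(cells) != 4:
            continue  # not in the four-column layout assumed above
        frame, tid, op, digits = cells
        rows.append({"frame": int(frame), "tids": multi(tid),
                     "ops": multi(op), "digits": multi(digits)})
    return rows

def matching_tids(rows, msisdn, opcode):
    """Pass 1: transaction IDs of packets carrying both MAP values."""
    tids = set()
    for r in rows:
        if msisdn in r["digits"] and str(opcode) in r["ops"]:
            tids.update(r["tids"])
    return tids

def transaction_frames(rows, msisdn, opcode):
    """Pass 2: every frame that carries one of those transaction IDs."""
    tids = matching_tids(rows, msisdn, opcode)
    return [r["frame"] for r in rows if tids.intersection(r["tids"])]

def display_filter(rows, msisdn, opcode):
    """Display filter selecting requests and responses together."""
    tids = sorted(matching_tids(rows, msisdn, opcode))
    return " || ".join(f"tcap.tid == {t}" for t in tids)

if __name__ == "__main__":
    rows = load(SAMPLE)
    print(transaction_frames(rows, "123456789", 45))
    print(display_filter(rows, "123456789", 45))
```

TCAP transaction IDs are reused over time, so on a long capture the resulting filter can also pull in unrelated dialogues that happen to share an ID.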