This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Problem with MMS dissector

0

I have captures of MMS (Manufacturer Messages Specification) messages that Wireshark can't solve correctly (i.e., the MMS dissector doesn't recognize them as MMS messages). What can I do?

asked 27 Jan '11, 07:25

cgalli
1111
accept rate: 0%

Another related question: why is the MMS protocol not available in the "Decode As" dialog box?

(27 Jan '11, 10:33) cgalli
1

What protocol carries your MMS packets? Looking at the source code it looks like the MMS dissector runs on top of COTP or is called by OID 1.0.9506.2.3.

(31 Jan '11, 04:38) Anders ♦

You're right. In fact, Wireshark dissects the messages down to ISO8823 OSI Presentation Protocol, but the presentation data can't be decoded as MMS. It's pretty odd. I can't see why.

(31 Jan '11, 06:07) cgalli
1

You could write a bug report at https://bugs.wireshark.org/bugzilla including your trace so one of the developers can take a look at it. You can mark the bug as private to limit visibility to core developers if you wish.

(31 Jan '11, 12:44) Anders ♦

Thanks for your help and interest.

(01 Feb '11, 04:03) cgalli

MMS isn't available in "Decode As" because there's no general "Decode As" mechanism - "Decode As" knows about particular types of handoff, and COTP -> xxx is not currently one of them.

(10 Aug '11, 20:55) Guy Harris ♦♦

What parameters should "tshark" have to get the same result as setting "Context-Id = 3 Syntax Name OID = 1.0.9506.2.3" in the Wireshark interface?

(14 Sep '11, 05:59) ylda_ljm0620

2 Answers:

1

I was also having problems with this. If your capture does not contain a reference to the context, that is, if it only contains data packets, the current version of Wireshark can't determine how to decode the PDU.

To force the presentation layer to decode as MMS, go to Preferences->Protocols->Presentation->User Context List and add a new element with

Context-Id = 3 Syntax Name OID = 1.0.9506.2.3

I think this is your bug, closed as worksforme by Anders.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5642

Not sure why his build would decode your capture properly, but mine didn't.

With this additional user context table, it looks like your file decodes properly. Full decode can be viewed, but I only printed summary decode.

$ tshark  -R mms -r  ~/Downloads/d400_p132_pulseOFF.pcap 
 43   1.158915 192.168.100.5 -> 192.168.100.51 MMS 122 confirmed-RequestPDU 
 45   1.177820 192.168.100.51 -> 192.168.100.5 MMS 176 confirmed-ResponsePDU 
 47   1.179104 192.168.100.5 -> 192.168.100.51 MMS 122 confirmed-RequestPDU 
 50   1.210306 192.168.100.51 -> 192.168.100.5 MMS 584 confirmed-ResponsePDU 
120   3.324338 192.168.100.5 -> 192.168.100.51 MMS 122 confirmed-RequestPDU 
122   3.344161 192.168.100.51 -> 192.168.100.5 MMS 176 confirmed-ResponsePDU 
124   3.345619 192.168.100.5 -> 192.168.100.51 MMS 122 confirmed-RequestPDU 
128   3.376620 192.168.100.51 -> 192.168.100.5 MMS 584 confirmed-ResponsePDU 
191   5.487764 192.168.100.5 -> 192.168.100.51 MMS 122 confirmed-RequestPDU 
195   5.498507 192.168.100.51 -> 192.168.100.5 MMS 176 confirmed-ResponsePDU 
199   5.531221 192.168.100.5 -> 192.168.100.51 MMS 122 confirmed-RequestPDU 
201   5.550969 192.168.100.51 -> 192.168.100.5 MMS 584 confirmed-ResponsePDU 
243   6.521548 192.168.100.5 -> 192.168.100.51 MMS 128 confirmed-RequestPDU 
248   6.540381 192.168.100.51 -> 192.168.100.5 MMS 215 confirmed-ResponsePDU 
250   6.541320 192.168.100.5 -> 192.168.100.51 MMS 138 confirmed-RequestPDU 
252   6.564611 192.168.100.51 -> 192.168.100.5 MMS 99 confirmed-ResponsePDU 
253   6.565149 192.168.100.5 -> 192.168.100.51 MMS 138 confirmed-RequestPDU 
254   6.567676 192.168.100.51 -> 192.168.100.5 MMS 99 confirmed-ResponsePDU 
255   6.568880 192.168.100.5 -> 192.168.100.51 MMS 318 confirmed-RequestPDU 
258   6.590589 192.168.100.51 -> 192.168.100.5 MMS 106 confirmed-ResponsePDU 
259   6.592193 192.168.100.5 -> 192.168.100.51 MMS 170 confirmed-RequestPDU 
261   6.614112 192.168.100.51 -> 192.168.100.5 MMS 159 unconfirmed-PDU 
262   6.615719 192.168.100.51 -> 192.168.100.5 MMS 97 confirmed-ResponsePDU

answered 10 Aug '11, 17:36

iondiode
162
accept rate: 0%

Awesome! Thanks. It's really helpful. All this time I had to decode the messages manually... really tedious. Again, just thanks.

(11 Aug '11, 03:35) cgalli
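
Why the User Context List entry in the answer above makes a difference, as an added example that is not code from Wireshark or from any poster: an ISO 8823 data PDU carries only a numeric presentation-context-identifier, and the OID it stands for is exchanged at connection setup, so a capture that starts mid-session needs the mapping supplied by hand. Assumptions: the names `read_tlv`, `classify` and `SAMPLE` are hypothetical, the sample bytes are constructed, and the BER reader handles only single-byte tags with definite lengths.

```python
# Added example. SAMPLE is constructed, not taken from the capture in the question.
MMS_OID = "1.0.9506.2.3"
MMS_PDU = {0xA0: "confirmed-RequestPDU", 0xA1: "confirmed-ResponsePDU",
           0xA3: "unconfirmed-PDU"}

# fully-encoded-data [APPLICATION 1] holding one PDV-list: context id 3,
# single-ASN1-type wrapping an MMS confirmed-RequestPDU (invokeID 1, identify).
SAMPLE = bytes.fromhex("610e300c020103a007a0050201018200")

def read_tlv(buf, pos):
    """Read one BER TLV (single-byte tag, definite length) at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length is not handled here")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def classify(user_data, negotiated, user_contexts):
    """Return (context_id, oid, mms_pdu_name) for every PDV-list."""
    tag, body, _ = read_tlv(user_data, 0)
    if tag != 0x61:
        raise ValueError("not fully-encoded-data")
    out, pos = [], 0
    while pos < len(body):
        tag, pdv, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("expected a PDV-list SEQUENCE")
        ctx_id, payload, p = None, b"", 0
        while p < len(pdv):
            t, v, p = read_tlv(pdv, p)
            if t == 0x02:    # presentation-context-identifier
                ctx_id = int.from_bytes(v, "big")
            elif t == 0xA0:  # single-ASN1-type
                payload = v
        # Contexts seen during connection setup win; otherwise use the manual table.
        oid = negotiated.get(ctx_id) or user_contexts.get(ctx_id)
        name = None
        if oid == MMS_OID and payload:
            name = MMS_PDU.get(payload[0], "other MMS PDU")
        out.append((ctx_id, oid, name))
    return out
```

With both tables empty the payload stays unidentified; passing `{3: MMS_OID}` as the manual table is the equivalent of the preference entry and lets the PDU type be read from the first tag of the payload.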

-2

What does WCRTESTINPUT mean on view traffic TCP stream?

answered 11 Aug '11, 04:00

dddddddd
0
accept rate: 0%

Please create a new (coherent) question rather than asking it in an answer to a totally different question.

(11 Aug '11, 05:02) grahamb ♦