This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to decode MTP3 message, Please share the documentation


Hello team,

I want to decode the SS7 signaling below, which I copied from Wireshark's bottom frame.

I need a decoding tutorial for each layer (MTP3, SCCP, TCAP and MAP). I request your help at the earliest.

0000  c3 13 a5 45 00 09 80 03  0e 19 0b 12 06 00 72 04   ...E.... ......r.
0010  19 89 94 10 91 61 0b 12  08 00 12 04 19 89 94 80   .....a.. ........
0020  07 92 39 62 37 48 01 01  6b 1e 28 1c 06 07 00 11   ..9b7H.. k.(.....
0030  86 05 01 01 01 a0 11 60  0f 80 02 07 80 a1 09 06   .......` ........
0040  07 04 00 00 01 00 0e 02  6c 12 a1 10 02 01 01 02   ........ l.......
0050  01 38 04 08 04 85 25 00  01 96 60 f1      

Thanks, Hanosh Varghese

asked 17 Oct '14, 03:06

Hanosh

edited 17 Oct '14, 03:52

Jaap ♦

One Answer:


Well, the best way to learn how to decode the messages is simply to read the specs. In the case of MTP3 and SCCP this is pretty easy: just read ITU Q.704 (MTP3) and Q.713 (assuming you're using ITU MTP3). Things will get much more complicated with TCAP and MAP, however. You'd be best to start off with an ASN.1 tutorial.

But: why bother? Wireshark's very good at doing the decoding for you.

answered 17 Oct '14, 06:40

JeffMorriss ♦

Hi,

Thanks for the quick response,

Your assumption is correct, we are using ITU-MTP3. Referring to this document, I hope I will be able to decode TCAP and MAP as well.

Wireshark is an excellent tool for GUI, decoding/encoding, troubleshooting, etc., but my hardware driver provides only the raw MTP3 MSU; that is why I have to pack the MAP MSU in the MTP3 layer and respond back to the network.

Earlier, I observed that in the ETC MSU of ITU-CAMEL v3, some parameters, like NAI, NP, etc., are not listed in detail. Kindly forward this suggestion to the concerned departments. The field name is camel.assistingSSPIPRoutingAddress and its value is 12:03:19:89:74:79:50:17, but when I took the MSC tracer it showed each parameter separately.

Hanosh

(19 Oct '14, 22:33) Hanosh

Oof, actually writing an application is a whole separate problem. As mentioned MTP and SCCP are simple enough. Even TCAP's not too bad but getting into MAP and CAMEL is really a pain (IMO). This is why people (like my employer) sell SS7 stacks. ;-)

I admit I don't know a lot about CAMEL. But if you find the decoding to be insufficient you can always open a bug report including a sample capture and maybe someone can improve it.

(20 Oct '14, 01:57) JeffMorriss ♦

Hi,

The following is a CAMEL MTP3 hex dump which I took from Wireshark. I need to extract the extension field value from the IDP MSU of CAMEL version 2. In this trace the value of the extension field (actually it is an IMEI number) is 04 08 53 66 89 10 50 03 04 78. The following is the full hex dump.

Could anyone kindly help me extract exactly this parameter?

0000 c3 f8 77 3f 25 09 81 03 0e 19 0b 12 92 00 12 04 ..w?%...........
0010 19 99 16 90 99 01 0b 12 92 00 12 04 19 09 29 00 ..............).
0020 04 00 bf 62 81 bc 48 04 00 35 37 0a 6b 1a 28 18 ...b..H..57.k.(.
0030 06 07 00 11 86 05 01 01 01 a0 0d 60 0b a1 09 06 ...........`....
0040 07 04 00 00 01 00 32 01 6c 81 97 a1 81 94 02 01 ......2.l.......
0050 01 02 01 00 30 81 8b 80 01 32 83 08 04 13 19 07 ....0....2......
0060 29 06 06 00 85 01 04 8a 08 04 13 19 09 29 00 04 )............)..
0070 00 af 14 30 12 06 04 04 c2 7b 0c a1 0a 04 08 53 ...0.....{.....S
0080 66 89 10 50 03 04 78 bb 05 80 03 80 90 a3 9c 01 f..P..x.........
0090 02 9f 32 08 04 85 25 40 53 60 78 f2 bf 34 17 02 ..2...%@S`x..4..
00a0 01 00 81 07 91 19 09 29 00 04 00 a3 09 80 07 04 .......)........
00b0 25 58 00 08 22 aa bf 35 03 83 01 11 9f 36 05 20 %X.."..5.....6. 
00c0 60 b1 5d 23 9f 37 07 91 19 09 29 00 04 00 9f 38 `.]#.7....)....8
00d0 06 81 09 29 00 55 24 9f 39 08 02 41 11 01 61 13 ...).U$.9..A..a.
00e0 63 22

Thanks, Hanosh Varghese

(13 Nov '14, 03:11) Hanosh

This is not a Wireshark question; it's a question on how to design an application... You probably need a full protocol stack up to CAMEL to do what you want, or use tshark and parse the text output. But I would not recommend that for any real-time application running for a long time.

(13 Nov '14, 07:47) Anders ♦

OK, I understood the limitation of this forum. If anybody can share more on this decoding, that would be very helpful.

Thanks

(13 Nov '14, 22:33) Hanosh

What I have done in the past is leap-frog from one part of the packet to the next, checking opcodes along the way, to get to a specific field buried under a mountain of ASN.1 and either modify the contents therein, or take some conditional action based on the value found.

So if you are looking for the IMEI within a CAMEL packet, I would start with the MTP3 SIO. Look for 0111 as the lower four bits (SCCP). Now look for the 09 (unitdata) after the SLS. Now look for the "pointer to data" which will be two octets downstream from the UDT. Now from the pointer-data, skip forward that many octets to land on the first octet of TCAP. Now skip over the TID. Skip over the dialog portion (6b) if present. Ideally, you'll land on the component portion (6c). Skip over the invoke ID to get to the opcode. Now start parsing CAMEL, skipping forward until you see the opcode you're looking for.

It's dirty, but the alternative is to implement a full MTP3/SCCP/TCAP/CAMEL stack, which I can assure you will be expensive (or take a long time).

In your example above, I can see the UNITDATA (09) is at offset 5. The next octet is the error handling / class (81) which means "return on error, class 1". Class 1 messaging means that the sender wants the packet to take the same path through the network, lest messages arrive out of order. TCAP starts at offset 34. The dialog portion (6b) starts at offset 44. The component portion (6c) starts at offset 72. It's an Invoke (a1). Invoke ID 01. Opcode 00 (CAMEL / IDP)...

(07 May '15, 08:11) tiger762
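
The leap-frog walk described in the comment above, run over the CAMEL hex dump from this thread and carried on past the opcode to the extension value the question asks about. This is an added example, not code from the thread or from Wireshark; the function names are hypothetical. It assumes ITU MTP3 (SIO plus a 4-octet routing label), an SCCP UDT, definite-length BER, and that the wanted value sits in the first ExtensionField.

```python
# MSU octets copied from the CAMEL hex dump posted in the thread above (226 octets).
MSU = bytes.fromhex(
    "c3f8773f250981030e190b12920012041999169099010b129200120419092900"
    "0400bf6281bc48040035370a6b1a2818060700118605010101a00d600ba10906"
    "07040000010032016c8197a1819402010102010030818b800132830804131907"
    "290606008501048a080413190929000400af143012060404c27b0ca10a040853"
    "66891050030478bb0580038090a39c01029f320804852540536078f2bf341702"
    "0100810791190929000400a3098007042558000822aabf35038301119f360520"
    "60b15d239f3707911909290004009f38068109290055249f39080241110161136322")

def tlv(buf, off):
    """Read one definite-length BER TLV; return (first tag octet, value start, value end)."""
    tag, off = buf[off], off + 1
    if tag & 0x1F == 0x1F:                # high-tag-number form (e.g. 9f 32): skip the rest
        while buf[off] & 0x80:
            off += 1
        off += 1
    length, off = buf[off], off + 1
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, off, off + length

def find(buf, start, end, want):
    """Hop over sibling TLVs in buf[start:end] until tag `want`; return its value span."""
    while start < end:
        tag, vs, ve = tlv(buf, start)
        if tag == want:
            return vs, ve
        start = ve
    raise ValueError(f"tag {want:#04x} not found")

def idp_extension(msu):
    """Walk MTP3 -> SCCP UDT -> TCAP -> Invoke; return (opcode, extension value octets)."""
    if msu[0] & 0x0F != 3 or msu[5] != 0x09:  # SIO service indicator 3 = SCCP; 09 = UDT
        raise ValueError("not an ITU SCCP UDT")
    tcap = 9 + msu[9] + 1                 # pointer-to-data is self-relative; +1 skips length
    _, s, e = tlv(msu, tcap)              # TCAP message (62 = Begin in this dump)
    for tag in (0x6C, 0xA1):              # component portion (past TID and 6b), then Invoke
        s, e = find(msu, s, e, tag)
    _, s = find(msu, s, e, 0x02)          # hop over the invoke ID
    op, s = find(msu, s, e, 0x02)         # operation code
    opcode = int.from_bytes(msu[op:s], "big")
    for tag in (0x30, 0xAF, 0x30, 0xA1):  # argument -> [15] -> ExtensionField -> value [1]
        s, e = find(msu, s, e, tag)
    return opcode, msu[s:e]
```

Because every hop is bounded by the parent's length, a truncated or malformed MSU raises an error instead of reading a neighbouring field as the target.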