Hi Everyone,

I have a task to write an application that would take an encoded RRC (3GPP protocol) message, translate it to some human-readable format (text, xml, etc.) and store it in the database. The question is: can Wireshark be used by a 3rd party application as a protocol decoder? Does it have any kind of API that can be used by an external application? If that is possible, can you please direct me to the right source of information?

/Alex

asked 10 Jan '15, 09:56 Alexander
One Answer:
Yes you can use text2pcap + tshark to achieve this. Look at this thread for details. For RRC protocol, here is the list of applicable payload protocols:
answered 10 Jan '15, 10:17 Pascal Quantin
Hi Pascal,
Thanks for the idea. It looks like an option but I assume it will have performance problems for a large amount of messages since at least two intermediate files need to be created. Is there any library that would provide the functionality you described above in the form of API functions calls?
Thanks
A
No, there is no official API. You will need to link directly to libwireshark.dll (meaning that your program will now be GPL) and dive into the source code to find the entry points, as they are not documented (other than the comments).
One more question. How to find the right protocol decoder (you listed above) having the RRC message type name (e.g. RRCConnectionRequest)? Can Wireshark somehow help with such mapping?
Thanks!
The mapping is given in the 3GPP 25.331 ASN.1 definition. For example, an RRC Connection Request is a rrc.ul.ccch message. You can also find a copy of the ASN.1 description used by Wireshark here: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=asn1/rrc/Class-definitions.asn;hb=refs/heads/master
By the way, you are referring to the 3G RRC right? Not the LTE version? Because if it's the LTE version you are interested in, the payload protocols are different.
LTE for now, 3G I will need as well but a bit later. So need both.
Then the protocol payloads are: lte-rrc.bcch.bch, lte-rrc.bcch.dl.sch, lte-rrc.pcch, lte-rrc.dl.ccch, lte-rrc.dl.dcch, lte-rrc.ul.ccch, lte-rrc.ul.dcch, lte-rrc.mcch. Those are the top-level PDUs as found in the ASN.1 description.
The ASN.1 description can be found in 3GPP 36.331. The one used by Wireshark development builds is: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=asn1/lte-rrc/EUTRA-RRC-Definitions.asn;hb=refs/heads/master
Pascal, Thanks a lot!
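The text2pcap + tshark route from the answer, wrapped for use by an application. This is an added example, not code from the thread or from the Wireshark project: it assumes text2pcap and tshark are on PATH, wraps each PDU in a DLT_USER0 (147) frame and maps that link type to one of the payload protocols named above; the function names and sample bytes are constructed.

```python
import subprocess
import tempfile
from pathlib import Path

# LTE payload protocols listed in the thread, plus the 3G example it names.
PAYLOAD_PROTOCOLS = {
    "lte-rrc.bcch.bch", "lte-rrc.bcch.dl.sch", "lte-rrc.pcch", "lte-rrc.dl.ccch",
    "lte-rrc.dl.dcch", "lte-rrc.ul.ccch", "lte-rrc.ul.dcch", "lte-rrc.mcch",
    "rrc.ul.ccch",
}
DLT_USER0 = 147  # user-defined link type, mapped to a dissector via user_dlts


def to_hexdump(pdu_hex):
    """Render one PDU as the offset-prefixed hex dump that text2pcap parses."""
    data = bytes.fromhex(pdu_hex)  # raises ValueError on non-hex input
    if not data:
        raise ValueError("empty PDU")
    rows = [f"{off:06x} {data[off:off + 16].hex(' ')}"
            for off in range(0, len(data), 16)]
    return "\n".join(rows) + "\n"


def tshark_args(pcap, proto, fmt="pdml"):
    """Build the tshark argv that decodes DLT_USER0 frames as `proto`."""
    if proto not in PAYLOAD_PROTOCOLS:  # allowlist: proto lands in a preference string
        raise ValueError(f"unknown payload protocol: {proto}")
    uat = f'uat:user_dlts:"User 0 (DLT={DLT_USER0})","{proto}","0","","0",""'
    return ["tshark", "-r", pcap, "-o", uat, "-T", fmt]


def decode(pdu_hex, proto):
    """Decode one PDU to PDML (XML) text; argv lists only, no shell involved."""
    with tempfile.TemporaryDirectory() as tmp:
        txt, pcap = Path(tmp, "pdu.txt"), Path(tmp, "pdu.pcap")
        txt.write_text(to_hexdump(pdu_hex))
        subprocess.run(["text2pcap", "-q", "-l", str(DLT_USER0), str(txt), str(pcap)],
                       check=True, timeout=30)
        out = subprocess.run(tshark_args(str(pcap), proto), check=True, timeout=30,
                             capture_output=True, text=True)
        return out.stdout


if __name__ == "__main__":
    # Constructed sample bytes, not a captured message.
    print(decode("40 12 34 56 78 9a", "lte-rrc.ul.ccch"))
```

The allowlist and the timeouts matter when the PDUs come from an untrusted source, since the dissectors then parse attacker-controlled bytes.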