This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Split multiple PDUs in a frame into separate frames?

0

I am capturing MAP, CAMEL, BSSAP, RANAP, etc. When the frames come through, there are more often than not multiple protocol messages included in a single frame (example below). What I am wondering is whether there is any way in Wireshark to split the frame and display only 1 protocol at a time. So, as below, there is M3UA:SCCP:TCAP:GSM_MAP:M3UA:SCCP:TCAP:GSM_MAP; I would like to see 2 messages, M3UA:SCCP:TCAP:GSM_MAP and M3UA:SCCP:TCAP:GSM_MAP.

[Protocols in frame: eth:ethertype:ip:sctp:m3ua:sccp:tcap:gsm_map:m3ua:sccp:tcap:gsm_map]

Frame 1134: 406 bytes on wire (3248 bits), 406 bytes captured (3248 bits) on interface 0
Interface id: 0 ({6B391584-8061-4004-84B2-5D9975BA121D})
Encapsulation type: Ethernet (1)
Arrival Time: Jul 18, 2016 08:55:56.493430000 Central Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1468850156.493430000 seconds
[Time delta from previous captured frame: 0.000149000 seconds]
[Time delta from previous displayed frame: 0.027730000 seconds]
[Time since reference or first frame: 2.027353000 seconds]
Frame Number: 1134
Frame Length: 406 bytes (3248 bits)
Capture Length: 406 bytes (3248 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:sctp:m3ua:sccp:tcap:gsm_map:m3ua:sccp:tcap:gsm_map]
Ethernet II, Src: CiscoInc_a9:f3:c0 (00:19:07:a9:f3:c0), Dst: ba:f3:f1:1b:ec:57 (ba:f3:f1:1b:ec:57)
Internet Protocol Version 4, Src: 192.168.124.5, Dst: 192.168.123.37
Stream Control Transmission Protocol, Src Port: m3ua (2905), Dst Port: 50497 (50497)
MTP 3 User Adaptation Layer
[ANSI_STANDARD]
Signalling Connection Control Part
Transaction Capabilities Application Part
GSM Mobile Application
Stream Control Transmission Protocol
MTP 3 User Adaptation Layer
[ANSI_STANDARD]
Signalling Connection Control Part
Transaction Capabilities Application Part
GSM Mobile Application

asked 18 Jul '16, 07:41

Michael Pier…

edited 18 Jul '16, 08:58

grahamb ♦


One Answer:

2

Take a look at the exported PDU functionality in the latest Wireshark version.

answered 18 Jul '16, 09:25

Anders ♦

Which version? I am running 2.0.4

(18 Jul '16, 09:41) Michael Pier...

Grahamb..... Wow, yeah OSI Layer 3 and I got exactly what I wanted!

(18 Jul '16, 10:24) Michael Pier...
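
Added example, not part of the original thread: in the dump in the question SCTP is listed twice in one frame, which is consistent with two SCTP DATA chunks bundled into a single packet, each carrying its own M3UA message. The Python sketch below walks the SCTP chunk list (RFC 4960 layout) and returns each DATA chunk payload separately; the helper `build_data_chunk`, the `SAMPLE` packet and its placeholder payloads are constructed for illustration.

```python
import struct

M3UA_PPID = 3  # IANA-assigned SCTP payload protocol identifier for M3UA


def split_sctp_data_chunks(sctp_packet: bytes):
    """Return one (tsn, stream_id, ppid, payload) tuple per DATA chunk.

    Fragmented user messages (B/E flags not both set) are not reassembled here.
    """
    if len(sctp_packet) < 12:
        raise ValueError("truncated SCTP common header")
    pdus = []
    offset = 12  # skip src port, dst port, verification tag, checksum
    while offset + 4 <= len(sctp_packet):
        ctype, _flags, length = struct.unpack_from("!BBH", sctp_packet, offset)
        if length < 4 or offset + length > len(sctp_packet):
            raise ValueError(f"bad chunk length {length} at offset {offset}")
        if ctype == 0:  # DATA chunk: 16-byte header, then the user payload
            if length < 16:
                raise ValueError("DATA chunk shorter than its header")
            tsn, sid, _ssn, ppid = struct.unpack_from("!IHHI", sctp_packet, offset + 4)
            pdus.append((tsn, sid, ppid, sctp_packet[offset + 16:offset + length]))
        offset += (length + 3) & ~3  # chunks are padded to 4-byte boundaries
    return pdus


def build_data_chunk(tsn, payload, ppid=M3UA_PPID):
    """Constructed helper: one unfragmented DATA chunk (flags B|E = 0x03)."""
    length = 16 + len(payload)
    chunk = struct.pack("!BBHIHHI", 0, 0x03, length, tsn, 0, tsn & 0xFFFF, ppid)
    return chunk + payload + b"\x00" * (-length % 4)


# Constructed sample: common header (ports 2905 -> 50497 as in the question,
# zeroed tag and checksum) followed by two bundled DATA chunks.
SAMPLE = (struct.pack("!HHII", 2905, 50497, 0, 0)
          + build_data_chunk(1, b"first-m3ua-pdu")
          + build_data_chunk(2, b"second-m3ua-pdu!!"))

if __name__ == "__main__":
    for tsn, sid, ppid, payload in split_sctp_data_chunks(SAMPLE):
        print(f"TSN={tsn} stream={sid} PPID={ppid} payload_len={len(payload)}")
```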