This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter MAP request by msisdn and its response

0

Hi,

Currently I am sending AnyTimeInterrogation to the HLR over a MAP link. I would like to monitor specific queries being made for certain users. So I need to filter by msisdn.

It gets complicated because the answer to the ATI does not contain the msisdn field. The only way to link the query to the answer is by the dtid field in TCAP layer

Any pointers as to how i can do this filter?

A pcap is downloadable from here

https://drive.google.com/file/d/0B9-7ejADsontcmVSLThyOE5YUzg/view?usp=sharing

asked 27 Jul '16, 08:47

mquevedob's gravatar image

mquevedob
6114
accept rate: 0%

edited 27 Jul '16, 14:26

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

2 Answers:

3

< EDIT >
As @JeffMorriss' has pointed out in his Answer to another Question (many thanks), the TCAP dissector has this as an embedded functionality which, however, is not activated by default. If you activate it, you can filter or find the invoke packet (using a display filter condition like e164.msisdn == "595972123456"), and use a link in the [Stat] part of TCAP dissection to jump to the response (if it is present in the capture).

Using MATE as described in the original Answer kept below, you can directly filter or find the returnResultLast response up to the msisdn (using a display filter condition tcap_dialog.msisdn == "595972123456") regardless whether the TCAP ¨dissector's embedded cross-reference functionality is activated or not (because the MATE configuration duplicates it), as MATE adds to packet dissection metafields whose sources are fields of related other packets.

Either way, it must be possible to recognize that the SCCP calling address of the invoke is the same as the SCCP called address of the returnResultLast - if some Global Title Translation changes the SCCP called address of the response (e.g. from E.164 number alone to point code alone), the tcap transaction id alone is not sufficient to match the invoke with the returnResultLast.
< /EDIT >

If you need to filter PDUs by fields which are not directly present in them and the existing dissector does not provide any meta-fields for this purpose, MATE is your only way out.

Using MATE, you may group PDUs together by contents of some fields (in your case, the tcap.dtid field), and export values from some other fields (in your case, the gsm_map.msisdn) from the individual PDUs into meta-fields of the group. To avoid confusion, the group meta-fields bear their own names different from those of the source fields in the PDUs. All PDUs which became members of some group can be display-filtered also on the group meta-fields even if the original fields are not directly present in them.

If you need a pushstart, publish a trace with at least two independent requests and responses.

Currently, there are some issues with MATE in tshark, but they may not affect you.

answered 27 Jul '16, 09:10

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 20 Sep '16, 22:35

thanks for the answer! Would you give me some pointers as to how i would have to configure mate in order to filter the outgoing package by msisdn and the incoming packet to match the oid field of the outgoing package?

(27 Jul '16, 09:41) mquevedob

There are no pointers other than the manual already pointed to.

Or, if it has discouraged you, you can accept my proposal from the answer:

If you need a pushstart, publish a trace with at least two independent requests and responses.

Because I won't spend time creating a useless MATE configuration; to put together a useful one, I need the pcap file to debug it.

(27 Jul '16, 09:52) sindy

I have shared a link (on the original post) where you can download the pcap file. Please let me know. And thanks for your support !

(27 Jul '16, 10:02) mquevedob

Here we go:

Pdu map_pdu Proto gsm_map Transport tcap/sccp {
    Extract trans_id From tcap.otid;
    Extract trans_id From tcap.dtid;
    Extract msisdn From gsm_map.msisdn ;
};

Gop tcap_dialog On map_pdu Match (trans_id) {
Start(msisdn);
Extra(msisdn);
};


Done;

It is really minimalistic - I am not 100% sure what else on top of TCAP transaction ID has to be checked so that the PDUs could be safely considered a matching request and answer. If you would capture somewhere closer to the HLR and multiple GMSCs would query the same HLR, I guess nothing prevents them from incidentally using the same transaction ID, so the GT of the GMSC should also be part of the Gop key. But integrating that requires more effort because while tcap.otid is only present in the invoke and tcap.dtid is only present in the returnResultLast, the calling and called GT is present in both but with swapped roles, which has to be sorted out using Transform. And you cannot use both GTs without filtering because the GT of the HLR as called in the invoke differs from the GT of the VLR as calling in the returnResultLast, so the (gt,gt) AVPL of the invoke and returnResultLast would differ, preventing the PDUs from matching the same GoP key. Plus this analysis completely ignores cases where one of the SCCP (calling, called) would e.g. not contain the GT but just the point code.

This MATE configuration (Edit->Preferences->Protocols->Mate->Configuration Filename, followed by OK and starting a new instance of Wireshark), allows you to use a display filter mate.tcap_dialog.msisdn == “91:95:95:17:41:01:10” to filter an invoke/returnResultLast pair by msisdn. Unfortunately, the format is like this and cannot be changed as this is how the gsm_map dissector provides it.

(27 Jul ‘16, 14:24) sindy
1

Wow, as it turned out to be impossible to achieve the goal of Extracting both SCCP called and SCCP calling into two AVPs of the same name but, depending on presence of other fields allowing to discriminate between invoke and returnResultLast, keeping as part of the Gop key only that one of the two which represented the GMSC using Transform, I’ve discovered another feature of MATE not explicitly mentioned in the documentation.

Apparently it is possible to define several MATE Pdus of the same type but with different description, and get all of them created in parallel from the very same source PDU. So together with the possibility to Accept a Pdu depending on an AVPL match, it is possible to Extract a (gmsc_gt, trans_id) AVPL from (sccp.calling.digits, tcap.otid) in one case and from (sccp.called.digits, tcap.dtid) in another, and Accept only the one whose AVPL contains the trans_id. So effectively, for the invoke where only the tcap.otid is present, the value of the gmsc_gt AVP is taken from the sccp.calling.digits, while for the returnResultLast, it is taken from the sccp.called.digits because in that message, only the tcap.dtid is present.

So the result is as follows:

Pdu map_msg Proto gsm_map Transport tcap/sccp {
Extract trans_id From tcap.otid;
Extract gmsc_gt From sccp.calling.digits;
Extract msisdn From gsm_map.msisdn;
Criteria Accept Strict (trans_id);
};


Pdu map_msg Proto gsm_map Transport tcap/sccp {
Extract trans_id From tcap.dtid;
Extract gmsc_gt From sccp.called.digits;
Criteria Accept Strict (trans_id);
};


Gop tcap_dialog On map_msg Match (trans_id,gmsc_gt) {
Start(msisdn);
Extra(msisdn);
};


Done;

I guess I’ll have to update the Wiki accordingly soon.

(27 Jul ‘16, 15:52) sindy

1

This sounds like a job for MATE.

answered 27 Jul '16, 08:59

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%