Hello to all,
I have an MTP3 pcap file that, when I open it in Wireshark, shows:
Frame1
Ethernet
IPV4
MTP2
MTP3
SCCP
TCAP
GSM MAP
I was able to modify bytes 20-23, the link-layer header type, which in the original file was 01 00 00 00, that is, 1 = Ethernet. So I modified it from 01 00 00 00 to 8D 00 00 00, where 8D = 141 = MTP3 (http://www.tcpdump.org/linktypes.html):
D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 00 00 04 00 8D 00 00 00
After doing this and removing the Ethernet, IPV4 and MTP2 bytes, the file was successfully understood by Wireshark, showing only the following layers:
Frame1
MTP3
SCCP
TCAP
GSM MAP
Now I have another file that has the following layers:
Frame1
Ethernet
IPV4
SCTP
M3UA
SCCP
TCAP
GSM MAP
and I would like to remove the Ethernet, IPV4 and SCTP layers, or at least Ethernet and IPV4. I did something similar, changing byte 20 from 01 = Ethernet to F8 = 248 = SCTP and removing the bytes for Ethernet and IPV4, but when I open the file in Wireshark this time it says "Malformed packet" or gives an error and cannot be opened.
I would like to get a file that shows only these layers:
Frame1
SCTP
M3UA
SCCP
TCAP
GSM MAP
or
Frame1
M3UA
SCCP
TCAP
GSM MAP
I also tried with editcap, as shown below, and when the output is opened in Wireshark, a malformed packet appears.
editcap -T sctp input.pcap output.pcap
Is it possible to do this?
Thanks for any help.
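
The header rewrite described in the post, done per record rather than by hand, as an added example that is not part of the original post. Link type 248 expects every record to begin at the SCTP common header, and each 16-byte record header carries its own captured and original lengths, so both have to be rewritten along with bytes 20-23. The function names and the sample capture are constructed for illustration; the code assumes a little-endian classic pcap with untagged Ethernet II and unfragmented IPv4.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_SCTP = 1, 248  # values from tcpdump.org/linktypes.html
IPPROTO_SCTP = 132

def strip_to_sctp(pcap: bytes) -> bytes:
    """Rewrite an Ethernet/IPv4/SCTP capture so each record starts at SCTP."""
    magic, vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian classic pcap with Ethernet link type")
    # Global header: only the link-layer type (bytes 20-23) changes.
    out = bytearray(struct.pack("<IHHiIII", magic, vmaj, vmin, zone, sigfigs, snaplen, LINKTYPE_SCTP))
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", pcap, pos)
        frame = pcap[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len
        # Keep only untagged Ethernet II frames carrying unfragmented IPv4/SCTP.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length varies with options
        total_len, _id, frag = struct.unpack_from("!HHH", frame, 16)
        if ihl < 20 or total_len <= ihl or frame[23] != IPPROTO_SCTP or frag & 0x3FFF:
            continue
        sctp = frame[14 + ihl : 14 + total_len]  # slicing by IP length also drops Ethernet padding
        # Record header: captured and original lengths must describe the new data.
        out += struct.pack("<IIII", ts_sec, ts_usec, len(sctp), total_len - ihl) + sctp
    return bytes(out)

def build_sample() -> bytes:
    """Constructed one-packet capture: Ethernet + IPv4 + SCTP common header, padded to 60 bytes."""
    sctp = struct.pack("!HHII", 2905, 2905, 0x11223344, 0)  # constructed ports, tag, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(sctp), 1, 0x4000, 64,
                     IPPROTO_SCTP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = (b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + sctp).ljust(60, b"\x00")
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    print(strip_to_sctp(build_sample()).hex())
```

Records that are not IPv4/SCTP are dropped from the output rather than copied, since they cannot be represented under link type 248.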