This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCAP Decode

Hi, I have a trace in which there is no SSN present. Hence Wireshark fails to decode the upper layers of the SCCP users (TCAP). Would it be possible to manually decode the TCAP portion?

thanks

asked 16 Dec '11, 04:52

chathura

edited 16 Dec '11, 06:33


One Answer:

Modern (1.6.0 and later, IIRC) versions of Wireshark have a "default payload" SCCP preference. Just type "tcap" here and the SCCP dissector will hand the payload to TCAP even when there's no SSN.

answered 16 Dec '11, 07:11

JeffMorriss ♦

Hi, I have already set the default payload to TCAP in Wireshark version 1.6.4 and I still see the data portion not decoded. The following is a sample bit stream I am trying to decode.

Any help please?

17:19:51,183,649 ETHER |0 |00|a0|a5|68|08|9a|00|00|5e|00|01|03|08|00|45|00|00|b0|c0|9b|40|00|fc|84|1d|5d|cc|1c|ef|08|0c|47|d8|64|5a|64|0b|59|5a|bc|f5|bd|88|22|14|fe|00|03|00|90|00|00|04|bb|00|01|00|16|00|00|00|03|01|00|01|01|00|00|00|80|00|06|00|08|00|00|00|01|02|10|00|6e|00|ee|01|00|00|05|42|1b|03|02|01|ed|09|81|03|0c|15|09|c9|06|0a|91|02|07|87|00|06|09|89|95|0a|41|40|27|95|19|04|44|62|42|48|04|cd|13|02|01|6b|1e|28|1c|06|07|00|11|86|05|01|01|01|a0|11|60|0f|80|02|07|80|a1|09|06|07|04|00|00|01|00|0e|03|6c|1a|a1|18|02|01|01|02|01|38|30|10|80|08|13|60|04|01|51|86|66|f6|02|01|03|83|01|01|00|00|

thanks

(16 Dec '11, 07:22) chathura

(I converted your "answer" into a "comment".)

Can you paste a text2pcap-friendly version of that packet?

Can I assume that it IS decoding up to the SCCP layer, just not TCAP and higher?

(16 Dec '11, 09:34) JeffMorriss ♦

Hi, it's working now. You need to type it in using lower case (tcap) and only then it works. I typed TCAP in uppercase and couldn't see the upper layers getting decoded.

Thanks for the quick response, appreciate it.

(19 Dec '11, 03:18) chathura

If the answer answered your question, don't forget to stop by and mark it as Accepted.

(09 Mar '12, 07:00) JeffMorriss ♦
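
A text2pcap-friendly version of a dump in the pipe-delimited layout posted in the thread can be produced with a short script. This is an added example, not part of the original thread: the function names are hypothetical, the sample is the first 18 bytes of the posted dump, and the script assumes the second "|" field is a record index rather than a frame byte.

```python
import re

# First 18 bytes of the dump posted above, in its original layout:
# "<timestamp> ETHER |<index> |<byte>|<byte>|...|" (shortened for the example).
SAMPLE = ("17:19:51,183,649 ETHER |0 |00|a0|a5|68|08|9a|00|00|5e|00|01|03|"
          "08|00|45|00|00|b0|")

HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def parse_pipe_dump(line):
    """Return the frame bytes from one '|'-delimited dump line."""
    fields = [f.strip() for f in line.strip().split("|")]
    if len(fields) < 3:
        raise ValueError("not a pipe-delimited dump line")
    # fields[0] is "<timestamp> ETHER"; fields[1] is assumed to be a record
    # index, not a frame byte. The trailing "|" leaves an empty last field.
    body = [f for f in fields[2:] if f]
    bad = [f for f in body if not HEX_BYTE.fullmatch(f)]
    if bad:
        raise ValueError(f"fields that are not one hex byte: {bad[:3]}")
    return bytes(int(f, 16) for f in body)


def to_text2pcap(data, width=16):
    """Format bytes as an offset-prefixed hex dump, as `od -Ax -tx1 -v` prints."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    frame = parse_pipe_dump(SAMPLE)
    # Sanity check before converting: bytes 12-13 of an Ethernet II frame are
    # the EtherType, 0x0800 for IPv4. A mismatch means the index-field
    # assumption above is wrong for the tool that produced the dump.
    if frame[12:14] != b"\x08\x00":
        raise SystemExit("unexpected EtherType, check field layout")
    print(to_text2pcap(frame), end="")
```

Save the output to a file and pass it to text2pcap as the input file to get a capture Wireshark can open; text2pcap's default Ethernet encapsulation matches this frame.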