
sinaowolabi's profile - activity

2021-07-29 08:44:12 +0000 received badge Supporter
2021-07-27 07:09:33 +0000 marked best answer Filter for empty SMPP messages

Hi, I am trying to construct a filter for incoming smpp messages that are empty and are the first message in. From the logs, when the smpp packet is decoded, I have messages that look like this:

2021-03-16T07:30:02+0100 [SmppTransceiverProtocol,client] INCOMING << {'body': {'mandatory_parameters': {'priority_flag': 0, 'source_addr': '2341231231234', 'protocol_id': 0, 'replace_if_present_flag': 0, 'registered_delivery': 0, 'dest_addr_ton': 'unknown', 'source_addr_npi': 'unknown', 'schedule_delivery_time': '', 'dest_addr_npi': 'unknown', 'sm_length': 0, 'esm_class': 24, 'data_coding': 15, 'service_type': 'USSD', 'source_addr_ton': 'unknown', 'sm_default_msg_id': 0, 'validity_period': '', 'destination_addr': '456', 'short_message': None}, 'optional_parameters': [{'length': 2, 'tag': 'its_session_info', 'value': '546e'}, {'length': 1, 'tag': 'ussd_service_op', 'value': '05'}]}, 'header': {'command_status': 'ESME_ROK', 'command_length': 64, 'sequence_number': 15682, 'command_id': 'deliver_sm'}}

And the values (I think) of interest should be the "'data_coding': 15" and the "'short_message': None" parts. But I am having trouble matching these in a Wireshark filter. So far I've come up with permutations of this type: 'smpp.data_coding eq 15 and smpp.ussd_service_op eq 0x05 and smpp.sm_default_msg_id eq 0', which unfortunately keeps catching messages that do not have empty or null content. Please can someone help me correct or properly define this? If I could understand how to properly use the optional parameter values as well, that would be a great help.

Thanks!
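As an added example (not part of the original question or its answers), the checks the question describes, applied to a decoded deliver_sm dict like the one logged above, plus the display filter built from the same fields; the only assumed name is smpp.sm_length for the optional "empty" clause, and the sample PDU is constructed:

```python
# Constructed sample, mirroring the structure of the decoded deliver_sm quoted above
# (only the fields the checks below use are kept).
SAMPLE_PDU = {
    "header": {"command_id": "deliver_sm", "command_status": "ESME_ROK"},
    "body": {
        "mandatory_parameters": {
            "service_type": "USSD", "esm_class": 24, "data_coding": 15,
            "sm_length": 0, "short_message": None, "sm_default_msg_id": 0,
        },
        "optional_parameters": [
            {"length": 2, "tag": "its_session_info", "value": "546e"},
            {"length": 1, "tag": "ussd_service_op", "value": "05"},
        ],
    },
}


def optional_param(pdu, tag):
    """Return the hex value of the optional TLV with this tag, or None if absent."""
    for tlv in pdu["body"].get("optional_parameters", []):
        if tlv.get("tag") == tag:
            return tlv.get("value")
    return None

def is_empty_deliver_sm(pdu):
    """True for a deliver_sm whose short_message is absent (sm_length 0, value None/'')."""
    if pdu["header"].get("command_id") != "deliver_sm":
        return False
    m = pdu["body"]["mandatory_parameters"]
    return m.get("sm_length", 0) == 0 and not m.get("short_message")

def is_empty_ussd_session_start(pdu):
    """Empty deliver_sm that also carries ussd_service_op 05, the value the asker keyed on."""
    return is_empty_deliver_sm(pdu) and optional_param(pdu, "ussd_service_op") == "05"

def wireshark_filter(pdu, require_empty=False):
    """Display filter from the PDU's data_coding and ussd_service_op TLV.
    require_empty=True appends an sm_length clause; the field name smpp.sm_length
    is an assumption here, not something taken from the post."""
    dc = pdu["body"]["mandatory_parameters"]["data_coding"]
    op = optional_param(pdu, "ussd_service_op")
    clauses = [f"smpp.data_coding == 0x{dc:02x}"]
    if op is not None:
        clauses.append(f"smpp.ussd_service_op == 0x{int(op, 16):02x}")
    if require_empty:
        clauses.append("smpp.sm_length == 0")
    return " and ".join(clauses)
```

A PDU with the same data_coding and ussd_service_op but a non-empty short_message produces the identical two-clause filter, which is why filtering on those fields alone also matches non-empty messages.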

2021-07-26 20:17:09 +0000 commented answer Filter for empty SMPP messages

Oh yes! Unfortunately I don't have points enough to accept my own answer.

2021-07-26 20:15:36 +0000 marked best answer Filtering odd-length binary data

Hi!

I'm struggling with extracting information from Wireshark. I need to be able to differentiate between correctly formatted TCP packet data and incorrectly formatted (odd-length) data that an application is receiving. For example, correctly formatted data from app logs looks like this:

2021-07-26T17:21:08+0100 [,client] Working with header 0000005f00000077000000000001fdb9ffffffff
2021-07-26T17:21:08+0100 [,client] Working with packet 0000005f00000077000000000001fdb9ffffffff2001393039313930393034350000000000000000000000393031000000000000
0000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] Working with body 20013930393139303930343500000000000000000000003930310000000000000000000000000000000000002a3930312a36363600
000000000000000000000000002a3930312a36363623

Incorrectly formatted data looks like this (also from the logs):

2021-07-26T17:21:08+0100 [,client] Working with header 0000005f00000077000000000001ba0fffffffff
2021-07-26T17:21:08+0100 [,client] Working with packet 0000005f00000077000000000001ba0fffffffff2001383137303038323034300000000000000000000000393031000000000000
0000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] Working with body 20013831373030383230343000000000000000000000003930310000000000000000000000000000000000002a3930312a36363600
000000000000000000000000002a3930312a36363623
2021-07-26T17:21:08+0100 [,client] 'Error parsing packet (Odd-length string): 0000005f00000077000000000001ba0fffffffff20013831373030383230343000000000000000000000003930310000000000000000000000000000000000002a3930312a36363600000000000000000000000000002a3930312a36363623'

How can I filter out and present the packets that contain the odd-length strings from the TCP data?

With hindsight, I guess I am asking how I write a display filter to capture binary data that contains this: 2a3930312a363636000 ?

Thanks, I hope I am clear!

2021-07-26 20:15:36 +0000 received badge Scholar
2021-07-26 20:15:31 +0000 commented answer Filtering odd-length binary data

Oh right thanks a lot

2021-07-26 18:03:18 +0000 commented answer Filtering odd-length binary data

Wow, that's exactly what I am trying to show (and what the application is rejecting as odd-length packet). Please how di

2021-07-26 17:51:52 +0000 commented answer Filter for empty SMPP messages

Sorry about that :-) Work was/is crazy. Also crazy is my not wanting to leave anything unanswered, no matter how long

2021-07-26 17:48:19 +0000 received badge Editor
2021-07-26 17:48:19 +0000 edited question Filtering odd-length binary data

2021-07-26 17:45:33 +0000 answered a question Filter for empty SMPP messages

smpp.data_coding == 0x0f and smpp.ussd_service_op == 0x05 really helped, with other smpp filtering combinations.

2021-07-26 17:45:33 +0000 commented question Filter for empty SMPP messages

Yes it was, and I was able to pull out the SMPP data needed

2021-07-26 17:45:32 +0000 asked a question Filtering odd-length binary data

2021-03-18 07:43:56 +0000 commented question Filter for empty SMPP messages

It's a log from an SMPP client.

2021-03-16 19:19:21 +0000 asked a question Filter for empty SMPP messages