Wireshark » History » Version 13

osmith, 01/09/2019 09:34 AM
link to capture privileges page in wireshark wiki

h1. Wireshark

"wireshark":http://www.wireshark.org/ is a popular Free Software / Open Source protocol analyzer. Among many other protocols, it includes dissectors for GSM Layer 2 (TS 04.06 / LAPDm) and Layer 3 (TS 04.08 / RR, MM, CC).

There is also a [[baseband:GSMTAP]] protocol dissector in recent wireshark versions, which allows real-time capture and decoding of GSM protocol messages encapsulated in a GSMTAP pseudo-header (which is in turn encapsulated in UDP and IP).

h2. Building from source

In order to be able to dissect all protocols relevant for Osmocom, you will need to install the *git version* of wireshark (as of writing, the latest stable release is 2.6, which does not yet have "support for GSUP":https://osmocom.org/issues/1949, for example). See #2537 for an effort to ship Debian binary packages with Osmocom patches applied.

h3. Dependencies

| Distribution | Necessary packages |
| Fedora 28 | @development-tools cmake c-ares-devel glib2-devel libcap-devel libpcap-devel lua libmaxminddb-devel qt5-qtmultimedia-devel qt5-qttools-devel qt5-qtsvg-devel gnutls-devel libssh-devel libgcrypt-devel flex byacc |
| Debian | (run @sudo apt-get build-dep wireshark@ to install them automatically) |

h3. Building and installing

<pre>
$ git clone --depth=1 "https://code.wireshark.org/review/wireshark.git"
$ cd wireshark
$ mkdir -p cmake-build-dir
$ cd cmake-build-dir
$ cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local
$ make
$ sudo make install
$ sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/local/bin/dumpcap
$ sudo ldconfig
</pre>

h2. Configuration

There are various preferences that need to be set for optimal decoding of the protocols we're interested in:

<pre>
gsm_abis_oml.oml_dialect: ip.access
amr.dynamic.payload.type: 126
fr.encap: GPRS Network Service
iuup.dynamic.payload.type: 103
lapd.use_gsm_sapi_values: TRUE
gsm_abis_rsl.use_ipaccess_rsl: TRUE
sccp.default_payload: bssap
</pre>
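
The settings above can also be applied without clicking through the preferences dialog. The following script is an added example for this page (it is not part of Wireshark or any Osmocom project); it assumes the per-user preferences file format Wireshark writes, one @name: value@ entry per line with defaults commented out as @#name: value@, and the usual location @~/.config/wireshark/preferences@ on current Linux installs. It replaces commented-out defaults, updates active entries, appends missing ones, and drops a later duplicate line that would otherwise override the value it just set.

```python
"""Merge the Osmocom-related Wireshark preferences into a 'preferences' file.

Added example for this wiki page; it is not part of Wireshark or any Osmocom
project.  Assumptions: Wireshark's per-user preferences file uses one
"name: value" entry per line with defaults commented out as "#name: value",
and lives at ~/.config/wireshark/preferences on current Linux installs.
"""
import os
import re
import tempfile

# The preference values listed on the wiki page.
OSMOCOM_PREFS = {
    "gsm_abis_oml.oml_dialect": "ip.access",
    "amr.dynamic.payload.type": "126",
    "fr.encap": "GPRS Network Service",
    "iuup.dynamic.payload.type": "103",
    "lapd.use_gsm_sapi_values": "TRUE",
    "gsm_abis_rsl.use_ipaccess_rsl": "TRUE",
    "sccp.default_payload": "bssap",
}

# "#name: value" (commented-out default) or "name: value" (active setting).
PREF_LINE = re.compile(r"^(#?)\s*([A-Za-z0-9_.]+)\s*:\s*(.*)$")


def merge_preferences(existing_text, prefs):
    """Return (new_text, changed).

    Active entries for the given keys are updated in place, commented-out
    defaults are replaced by active entries, missing keys are appended, and a
    second active line for a key already set is dropped (Wireshark reads the
    file top to bottom, so a later line would override ours).
    """
    wanted = dict(prefs)
    done = set()
    out = []
    changed = False
    for line in existing_text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            out.append(line)
            continue
        commented, name, value = m.group(1) == "#", m.group(2), m.group(3).strip()
        if name in wanted:
            new_value = wanted.pop(name)
            done.add(name)
            if commented or value != new_value:
                changed = True
            out.append(f"{name}: {new_value}")
        elif name in done and not commented:
            changed = True  # duplicate active line for a key we set: dropped
        else:
            out.append(line)
    for name, value in wanted.items():  # keys not present at all
        out.append(f"{name}: {value}")
        changed = True
    return ("\n".join(out) + "\n") if out else "", changed


def apply_preferences(path=None, prefs=OSMOCOM_PREFS):
    """Merge prefs into the file at path (default: the per-user preferences file).

    Writes via a temporary file and rename so an interrupted run cannot leave a
    truncated preferences file behind.  Returns True if the file was modified.
    """
    if path is None:
        path = os.path.expanduser("~/.config/wireshark/preferences")
    existing = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = fh.read()
    new_text, changed = merge_preferences(existing, prefs)
    if not changed:
        return False
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".preferences.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.replace(tmp, path)
    return True


if __name__ == "__main__":
    print("modified" if apply_preferences() else "already up to date")
```

Run it while Wireshark is not running, since Wireshark rewrites the file on exit and would clobber the merged values; running it a second time reports "already up to date".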

h3. Common display filters

<pre>
gsm_abis_oml || gsm_abis_rsl || bssap || mgcp || gsup || rtp || rtcp
ipaccess || sccp || sctp
gprs_ns || gtp
gsmtap || gsmtap_log
</pre>

h2. Workaround for "ICMP port unreachable" messages

The [[baseband:OsmocomBB]] [[baseband:layer23]] program sends [[baseband:GSMTAP]] packets to the localhost (127.0.0.1) address of the loopback interface (lo). Please note that wireshark does passive capture only, i.e. if nothing is listening on the GSMTAP UDP port (4729), you will see ICMP port unreachable messages in addition to the GSMTAP messages. There are two suggested solutions to this:
* Change the IP address to a multicast group like 224.0.0.1 (instead of 127.0.0.1)
* Run some program that simply opens the UDP port and discards its content, e.g. using @nc -u -l -p 4729 > /dev/null@
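
The second workaround as an added example (not code from OsmocomBB or Wireshark): a small Python sink that binds UDP port 4729 on 127.0.0.1 and discards what arrives, so the kernel stops answering with ICMP port unreachable while wireshark keeps seeing the datagrams on lo. Unlike the @nc@ one-liner it also peeks at each datagram and counts them by GSMTAP type, which helps tell real GSMTAP traffic from something else hitting the port. The 16-byte header layout and the ARFCN flag bits are taken from libosmocore's gsmtap.h, not from this page; the port number is the one given above.

```python
"""Sink for GSMTAP datagrams: bind UDP 4729 on localhost, count, discard.

Added example for this wiki page; not code from OsmocomBB or Wireshark.
The 16-byte fixed header and the ARFCN flag bits follow libosmocore's
gsmtap.h (assumption, the page itself does not describe the layout);
the port number is the one given on the page.
"""
import socket
import struct
from collections import Counter

GSMTAP_PORT = 4729

# Fixed header, network byte order: version, hdr_len (in 32-bit words), type,
# timeslot, arfcn (with flag bits), signal_dbm, snr_db, frame_number,
# sub_type, antenna_nr, sub_slot, reserved.
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")
ARFCN_F_PCS = 0x8000
ARFCN_F_UPLINK = 0x4000
ARFCN_MASK = 0x3FFF


def parse_gsmtap(datagram):
    """Return the header fields and payload of one GSMTAP datagram, or None.

    None means the datagram is too short, carries an unknown version, or
    claims a header length that does not fit the datagram.
    """
    if len(datagram) < GSMTAP_HDR.size:
        return None
    (version, hdr_len, typ, timeslot, arfcn, signal_dbm, snr_db,
     frame_number, sub_type, antenna_nr, sub_slot, _reserved) = GSMTAP_HDR.unpack_from(datagram)
    hdr_bytes = hdr_len * 4
    if version not in (1, 2) or hdr_bytes < GSMTAP_HDR.size or hdr_bytes > len(datagram):
        return None
    return {
        "version": version,
        "type": typ,
        "sub_type": sub_type,
        "timeslot": timeslot,
        "sub_slot": sub_slot,
        "arfcn": arfcn & ARFCN_MASK,
        "uplink": bool(arfcn & ARFCN_F_UPLINK),
        "pcs": bool(arfcn & ARFCN_F_PCS),
        "signal_dbm": signal_dbm,
        "snr_db": snr_db,
        "frame_number": frame_number,
        "antenna_nr": antenna_nr,
        "payload": datagram[hdr_bytes:],
    }


def run_sink(host="127.0.0.1", port=GSMTAP_PORT, max_datagrams=None, counts=None):
    """Bind the GSMTAP port and swallow everything sent to it.

    Once the port is open the kernel no longer answers each datagram with an
    ICMP port unreachable; wireshark still sees the datagrams on lo because it
    captures passively.  Counts what was received into `counts` and returns it.
    """
    counts = Counter() if counts is None else counts
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        received = 0
        while max_datagrams is None or received < max_datagrams:
            data, _peer = sock.recvfrom(65535)
            received += 1
            hdr = parse_gsmtap(data)
            counts["gsmtap type %d" % hdr["type"] if hdr else "not gsmtap"] += 1
    return counts


if __name__ == "__main__":
    totals = Counter()
    try:
        run_sink(counts=totals)  # runs until Ctrl-C
    except KeyboardInterrupt:
        for kind, n in sorted(totals.items()):
            print(f"{kind}: {n}")
```

Binding to 127.0.0.1 rather than 0.0.0.0 keeps the sink from accepting GSMTAP from other hosts; if you switch layer23 to the multicast workaround instead, this sink is not needed at all.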

h2. See also

* "Wireshark wiki: capture privileges":https://wiki.wireshark.org/CaptureSetup/CapturePrivileges
* "Wireshark docs: contribute your changes":https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html
* [[op25:WireSharkPage|Out-of-tree P25 wireshark plugin]]
* "Screenshot with GSMTAP capture":https://osmocom.org/attachments/download/2190/gsmtap-wireshark.png
* "Package build recipe from AUR":https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=wireshark-git
* [[openbsc:ProtocolTracing|ProtocolTracing wiki page of old OpenBSC]]