
Revision 12 (osmith, 01/09/2019 09:32 AM) → Revision 13/17 (osmith, 01/09/2019 09:34 AM)

h1. Wireshark 

"Wireshark":http://www.wireshark.org/ is a popular Free Software / Open Source protocol analyzer. Among many other protocols, it includes dissectors for GSM Layer 2 (TS 04.06 / LAPDm) and Layer 3 (TS 04.08 / RR, MM, CC).

There is also a [[baseband:GSMTAP]] protocol dissector in recent Wireshark versions, which allows real-time capture and decoding of GSM protocol messages encapsulated in a GSMTAP pseudo-header (which is in turn encapsulated in UDP and IP).

h2. Building from source

In order to dissect all protocols relevant for Osmocom, you will need to install the *git version* of Wireshark (as of writing, the latest stable release is 2.6, and it does not yet have "support for GSUP":https://osmocom.org/issues/1949, for example). See #2537 for an effort to ship Debian binary packages with the Osmocom patches applied.

h3. Dependencies

| Distribution | Necessary packages |
| Fedora 28 | @development-tools cmake c-ares-devel glib2-devel libcap-devel libpcap-devel lua libmaxminddb-devel qt5-qtmultimedia-devel qt5-qttools-devel qt5-qtsvg-devel gnutls-devel libssh-devel libgcrypt-devel flex byacc |
| Debian | (run @sudo apt-get build-dep wireshark@ to install them automatically) |

h3. Building and installing

<pre>
$ git clone --depth=1 "https://code.wireshark.org/review/wireshark.git"
$ cd wireshark
$ mkdir -p cmake-build-dir
$ cd cmake-build-dir
$ cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local
$ make
$ sudo make install
$ sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/local/bin/dumpcap
$ sudo ldconfig
</pre>

h2. Configuration

There are various preferences that need to be set for optimal decoding of the protocols we're interested in:

<pre>
gsm_abis_oml.oml_dialect: ip.access
amr.dynamic.payload.type: 126
fr.encap: GPRS Network Service
iuup.dynamic.payload.type: 103
lapd.use_gsm_sapi_values: TRUE
gsm_abis_rsl.use_ipaccess_rsl: TRUE
sccp.default_payload: bssap
</pre>

h3. Common display filters

<pre>
gsm_abis_oml || gsm_abis_rsl || bssap || mgcp || gsup || rtp || rtcp
ipaccess || sccp || sctp
gprs_ns || gtp
gsmtap || gsmtap_log
</pre>
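The preferences and display filters above can be kept in a dedicated Wireshark configuration profile, selected with @wireshark -C osmocom@ or @tshark -C osmocom@, so they survive upgrades and do not have to be re-entered by hand. This is an added example and not part of the Osmocom wiki; the profile name @osmocom@, the config root under @~/.config/wireshark@ and the function names are assumptions, while the @preferences@ (key: value) and @dfilters@ ("name" filter) file formats are the stock Wireshark ones.

```shell
#!/bin/sh
# Added example, not part of the Osmocom wiki: store the preferences and
# display filters from this page in a dedicated Wireshark configuration
# profile, so they can be selected with "wireshark -C osmocom" or
# "tshark -C osmocom" instead of being re-entered after every upgrade.
# Assumptions: profile name "osmocom"; config root ~/.config/wireshark;
# stock Wireshark "preferences" (key: value) and "dfilters" ("name" filter)
# file formats.

# Write the profile. $1 = profile name, $2 = Wireshark config root.
# Prints the profile directory on success.
osmocom_profile_write() {
    name=$1
    root=$2
    dir="$root/profiles/$name"
    mkdir -p "$dir" || return 1

    # Same "key: value" lines Wireshark writes to its own preferences file.
    cat > "$dir/preferences" <<'EOF'
gsm_abis_oml.oml_dialect: ip.access
amr.dynamic.payload.type: 126
fr.encap: GPRS Network Service
iuup.dynamic.payload.type: 103
lapd.use_gsm_sapi_values: TRUE
gsm_abis_rsl.use_ipaccess_rsl: TRUE
sccp.default_payload: bssap
EOF

    # Saved display filters: one "name" filter per line, as in dfilters.
    cat > "$dir/dfilters" <<'EOF'
"Osmocom A-bis/A/GSUP/RTP" gsm_abis_oml || gsm_abis_rsl || bssap || mgcp || gsup || rtp || rtcp
"Osmocom transport" ipaccess || sccp || sctp
"Osmocom GPRS" gprs_ns || gtp
"GSMTAP" gsmtap || gsmtap_log
EOF
    printf '%s\n' "$dir"
}

# Number of preference keys stored in a profile directory ($1).
osmocom_profile_pref_count() {
    grep -c '^[a-z_.]*: ' "$1/preferences"
}

# Usage (uncomment when running this file directly):
# osmocom_profile_write osmocom "${XDG_CONFIG_HOME:-$HOME/.config}/wireshark"
# tshark -C osmocom -i lo -f 'udp port 4729' -Y 'gsmtap || gsmtap_log'
```

The saved filters then appear in the display-filter bookmark menu of the GUI and can be edited there without touching the files.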

h2. Workaround for "ICMP port unreachable" messages

The [[baseband:OsmocomBB]] [[baseband:layer23]] program sends [[baseband:GSMTAP]] packets to the localhost (127.0.0.1) address of the loopback interface (lo). Please note that Wireshark only captures passively, i.e. if nothing is listening on the GSMTAP UDP port (4729), you will see ICMP port unreachable messages in addition to the GSMTAP messages. There are two suggested solutions to this:
* Change the destination IP address to a multicast group like 224.0.0.1 (instead of 127.0.0.1)
* Run some program that simply opens the UDP port and discards its content, e.g. @nc -u -l -p 4729 > /dev/null@

h2. See also

* "Wireshark wiki: capture privileges":https://wiki.wireshark.org/CaptureSetup/CapturePrivileges
* "Wireshark docs: contribute your changes":https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html
* [[op25:WireSharkPage|Out-of-tree P25 wireshark plugin]]
* "Screenshot with GSMTAP capture":https://osmocom.org/attachments/download/2190/gsmtap-wireshark.png
* "Package build recipe from AUR":https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=wireshark-git
* [[openbsc:ProtocolTracing|ProtocolTracing wiki page of old OpenBSC]]