Wireshark » History » Version 17
osmith, 03/20/2023 10:39 AM
add section: Binary packages with Osmocom patches
| 1 | 1 | osmith | h1. Wireshark |
|---|---|---|---|
| 2 | |||
| 3 | "wireshark":http://www.wireshark.org/ is a popular Free Software / Open Source protocol analyzer. Among many other protocols, it includes dissectors for the GSM Layer 2 (TS 04.06 / LAPDm) and 3 (TS 04.8 04.08 / RR,MM,CC). |
||
| 4 | |||
| 5 | 2 | osmith | There also is a [[baseband:GSMTAP]] protocol dissector in recent wireshark versions, which allows real-time capture and decode of GSM protocol messages encapsulated in a GSMTAP (pseudo-header, which is in turn encapsulated in UDP and IP). |
| 6 | 1 | osmith | |
| 7 | 17 | osmith | h2. Binary packages with Osmocom patches |
| 8 | |||
| 9 | Osmocom specific patches are being developed in branches in our "gitea":https://gitea.osmocom.org/osmocom/wireshark before being sent upstream. We build a nightly version of wireshark based on wireshark's current upstream master branch with our patches on top ("list of branches":https://gitea.osmocom.org/osmocom/osmo-ci/src/branch/master/scripts/obs/update_obs_wireshark.sh, "OBS":https://obs.osmocom.org/project/show/osmocom:wireshark). As of writing the binary packages are available for Debian and Ubuntu. Refer to the [[Latest Builds]] instructions for adding the osmocom:wireshark repository that has the package (replace osmocom:latest with osmocom:wireshark). |
||
| 10 | |||
| 11 | 1 | osmith | h2. Building from source |
| 12 | |||
| 13 | In order to be able to dissect all protocols relevant for Osmocom, you will need to install the *git version* of wireshark (as of writing, the latest stable is 2.6 and it does not yet have "support for GSUP":https://osmocom.org/issues/1949 for example). See #2537 for an effort to ship Debian binary packages with Osmocom patches applied. |
||
| 14 | |||
| 15 | h3. Dependencies |
||
| 16 | |||
| 17 | | Distribution | Necessary packages | |
||
| 18 | | Fedora 28 | @development-tools cmake c-ares-devel glib2-devel libcap-devel libpcap-devel lua libmaxminddb-devel qt5-qtmultimedia-devel qt5-qttools-devel qt5-qtsvg-devel gnutls-devel libssh-devel libgcrypt-devel flex byacc| |
||
| 19 | 9 | osmith | | Debian | (run @sudo apt-get build-dep wireshark@ to install them automatically)| |
| 20 | 1 | osmith | |
| 21 | h3. Building and installing |
||
| 22 | |||
| 23 | <pre> |
||
| 24 | $ git clone --depth=1 "https://code.wireshark.org/review/wireshark.git" |
||
| 25 | $ cd wireshark |
||
| 26 | 10 | osmith | $ mkdir -p cmake-build-dir |
| 27 | $ cd cmake-build-dir |
||
| 28 | 1 | osmith | $ cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local |
| 29 | $ make |
||
| 30 | $ sudo make install |
||
| 31 | 12 | osmith | $ sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/local/bin/dumpcap |
| 32 | 1 | osmith | $ sudo ldconfig |
| 33 | </pre> |
||
| 34 | |||
| 35 | 6 | osmith | h2. Configuration |
| 36 | |||
| 37 | There are various preferences that need to be set for optimal decoding of the protocols we're interested in: |
||
| 38 | |||
| 39 | <pre> |
||
| 40 | gsm_abis_oml.oml_dialect: ip.access |
||
| 41 | amr.dynamic.payload.type: 126 |
||
| 42 | fr.encap: GPRS Network Service |
||
| 43 | iuup.dynamic.payload.type: 103 |
||
| 44 | lapd.use_gsm_sapi_values: TRUE |
||
| 45 | gsm_abis_rsl.use_ipaccess_rsl: TRUE |
||
| 46 | sccp.default_payload: bssap |
||
| 47 | 15 | pespin | gprs-ns.udp.port: 2157,19999,23020,23000 |
| 48 | 6 | osmith | </pre> |
| 49 | |||
| 50 | 16 | osmith | One way to apply these settings, is closing wireshark and copying them at the end of @~/.config/wireshark/preferences@. |
| 51 | |||
| 52 | 8 | osmith | h3. Common display filters |
| 53 | |||
| 54 | <pre> |
||
| 55 | gsm_abis_oml || gsm_abis_rsl || bssap || mgcp || gsup || rtp || rtcp |
||
| 56 | ipaccess || sccp || sctp |
||
| 57 | gprs_ns || gtp |
||
| 58 | gsmtap || gsmtap_log |
||
| 59 | 14 | Hoernchen | gsm_ipa |
| 60 | 8 | osmith | </pre> |
| 61 | |||
| 62 | 5 | osmith | h2. Workaround for "ICMP port unreachable" messages |
| 63 | 3 | osmith | |
| 64 | The [[baseband:OsmocomBB]] [[baseband:layer23]] program sends [[baseband:GSMTAP]] packets to the localhost (127.0.0.1) address of the loopback interface (lo). Please note that the wireshark program is doing passive capture, i.e. if nothing is listening on the GSMTAP UDP port (4729), then you will see ICMP port unreachable messages in addition to the GSMTAP messages. There are two suggested solutions to this: |
||
| 65 | * Change the IP address to a multicast group like 224.0.0.1 (instead of 127.0.0.1) |
||
| 66 | * Run some program that simply opens the UDP port and discards its content, e.g. using @nc -u -l -p 4729 > /dev/null@ |
||
| 67 | 1 | osmith | |
| 68 | 5 | osmith | h2. See also |
| 69 | 1 | osmith | |
| 70 | 13 | osmith | * "Wireshark wiki: capture privileges":https://wiki.wireshark.org/CaptureSetup/CapturePrivileges |
| 71 | 11 | osmith | * "Wireshark docs: contribute your changes":https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html |
| 72 | 1 | osmith | * [[op25:WireSharkPage|Out-of-tree P25 wireshark plugin]] |
| 73 | 4 | osmith | * "Screenshot with GSMTAP capture":https://osmocom.org/attachments/download/2190/gsmtap-wireshark.png |
| 74 | 1 | osmith | * "Package build recipe from AUR":https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=wireshark-git |
| 75 | 7 | laforge | * [[openbsc:ProtocolTracing|ProtocolTracking wiki page of old OpenBSC]] |
