Project

General

Profile

Actions

Wireshark » History » Revision 8

« Previous | Revision 8/17 (diff) | Next »
osmith, 09/10/2018 08:55 AM
add common display filters (the ones neels sent to me)


Wireshark

wireshark is a popular Free Software / Open Source protocol analyzer. Among many other protocols, it includes dissectors for the GSM Layer 2 (TS 04.06 / LAPDm) and 3 (TS 04.8 04.08 / RR,MM,CC).

There also is a GSMTAP protocol dissector in recent wireshark versions, which allows real-time capture and decode of GSM protocol messages encapsulated in a GSMTAP (pseudo-header, which is in turn encapsulated in UDP and IP).

Building from source

In order to be able to dissect all protocols relevant for Osmocom, you will need to install the git version of wireshark (as of writing, the latest stable is 2.6 and it does not yet have support for GSUP for example). See #2537 for an effort to ship Debian binary packages with Osmocom patches applied.

Dependencies

Distribution Necessary packages
Fedora 28 @development-tools cmake c-ares-devel glib2-devel libcap-devel libpcap-devel lua libmaxminddb-devel qt5-qtmultimedia-devel qt5-qttools-devel qt5-qtsvg-devel gnutls-devel libssh-devel libgcrypt-devel flex byacc

Building and installing

$ git clone --depth=1 "https://code.wireshark.org/review/wireshark.git" 
$ cd wireshark
$ mkdir -p build
$ cd build
$ cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local
$ make
$ sudo make install
$ sudo ldconfig

Configuration

There are various preferences that need to be set for optimal decoding of the protocols we're interested in:

gsm_abis_oml.oml_dialect: ip.access
amr.dynamic.payload.type: 126
fr.encap: GPRS Network Service
iuup.dynamic.payload.type: 103
lapd.use_gsm_sapi_values: TRUE
gsm_abis_rsl.use_ipaccess_rsl: TRUE
sccp.default_payload: bssap

Common display filters

gsm_abis_oml || gsm_abis_rsl || bssap || mgcp || gsup || rtp || rtcp
ipaccess || sccp || sctp
gprs_ns || gtp
gsmtap || gsmtap_log

Workaround for "ICMP port unreachable" messages

The OsmocomBB layer23 program sends GSMTAP packets to the localhost (127.0.0.1) address of the loopback interface (lo). Please note that the wireshark program is doing passive capture, i.e. if nothing is listening on the GSMTAP UDP port (4729), then you will see ICMP port unreachable messages in addition to the GSMTAP messages. There are two suggested solutions to this:
  • Change the IP address to a multicast group like 224.0.0.1 (instead of 127.0.0.1)
  • Run some program that simply opens the UDP port and discards its content, e.g. using nc -u -l -p 4729 > /dev/null

See also

Files (0)

Updated by osmith over 5 years ago · 8 revisions

Add picture from clipboard (Maximum size: 48.8 MB)