WiresharkIntegration - History - Version 4
Version 3 (laforge, 02/19/2016 10:49 PM) → Version 4/11 (laforge, 02/19/2016 10:49 PM)
= Wireshark integration =
[http://www.wireshark.org/ wireshark] is a popular Open Source protocol analyzer. Among many
other protocols, it includes dissectors for the GSM Layer 2 (LAPDm) and Layer 3 (04.08) protocols.
There also is a [wiki:GSMTAP GSMTAP] protocol dissector (included in recent wireshark versions; it was submitted as [https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4508 wireshark bug 4508] and is also available in our
git repository in {{{src/wireshark/gsmtap.patch}}}), which allows
real-time capture and decode of GSM protocol messages encapsulated in a GSMTAP pseudo-header
(which is in turn encapsulated in UDP and IP).
So if you have a wireshark version with [wiki:GSMTAP GSMTAP] support, you can have real-time decode and
trace of GSM protocol messages.
The OsmocomBB [wiki:layer23 layer23] program sends [wiki:GSMTAP GSMTAP] packets to the localhost address (127.0.0.1)
of the loopback interface (lo). Please note that wireshark only performs passive capture,
i.e. if nothing is listening on the [wiki:GSMTAP GSMTAP] UDP port (4729), the kernel answers every datagram with an
ICMP port unreachable message, which you will then see in addition to the GSMTAP messages. There are two suggested solutions to this:
* Change the destination IP address to a multicast group like 224.0.0.1 (instead of 127.0.0.1)
* Run some program that simply opens the UDP port and discards its content, e.g. {{{nc -u -l -p 4729 > /dev/null}}}
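As an added example (not OsmocomBB or wireshark code), a small Python stand-in for the {{{nc}}} sink: it binds UDP port 4729 on 127.0.0.1 so the kernel no longer generates ICMP port unreachable messages, and instead of discarding the datagrams it splits off the GSMTAP pseudo-header. The field layout is assumed to be the version 2 header from libosmocore's gsmtap.h; the sample datagram is constructed, not a captured message.

```python
import socket
import struct

# Assumed layout of the GSMTAP v2 pseudo-header (libosmocore gsmtap.h):
# version, hdr_len (in 32-bit words), type, timeslot, arfcn, signal_dbm,
# snr_db, frame_number, sub_type, antenna_nr, sub_slot, reserved -> 16 bytes.
GSMTAP_VERSION = 0x02
GSMTAP_UDP_PORT = 4729
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")
GSMTAP_ARFCN_F_UPLINK = 0x4000   # flag bit in the arfcn field (assumed from gsmtap.h)
GSMTAP_ARFCN_MASK = 0x3FFF


def parse_gsmtap(datagram):
    """Return the pseudo-header fields plus the raw GSM payload, or None if the
    datagram is too short, has the wrong version, or claims an impossible hdr_len."""
    if len(datagram) < GSMTAP_HDR.size:
        return None
    (version, hdr_len, msg_type, timeslot, arfcn, signal_dbm, snr_db,
     frame_number, sub_type, antenna_nr, sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    hdr_bytes = hdr_len * 4  # hdr_len counts 32-bit words
    if version != GSMTAP_VERSION or hdr_bytes < GSMTAP_HDR.size or hdr_bytes > len(datagram):
        return None
    return {
        "type": msg_type, "sub_type": sub_type, "timeslot": timeslot, "sub_slot": sub_slot,
        "arfcn": arfcn & GSMTAP_ARFCN_MASK, "uplink": bool(arfcn & GSMTAP_ARFCN_F_UPLINK),
        "signal_dbm": signal_dbm, "snr_db": snr_db, "frame_number": frame_number,
        "antenna_nr": antenna_nr, "payload": datagram[hdr_bytes:],
    }


def gsmtap_sink(host="127.0.0.1", port=GSMTAP_UDP_PORT, max_packets=None):
    """Own the GSMTAP port (no more ICMP errors for wireshark to show) and print a
    one-line summary per datagram; wireshark still sees every packet on lo."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    seen = 0
    while max_packets is None or seen < max_packets:
        data, addr = sock.recvfrom(65535)
        seen += 1
        msg = parse_gsmtap(data)
        if msg is None:
            print("%s: %d bytes, not GSMTAP v2" % (addr[0], len(data)))
        else:
            print("type=%d sub=%d ts=%d arfcn=%d %s fn=%d %d bytes payload" % (
                msg["type"], msg["sub_type"], msg["timeslot"], msg["arfcn"],
                "UL" if msg["uplink"] else "DL", msg["frame_number"], len(msg["payload"])))


# Constructed sample: uplink ARFCN 62, -75 dBm, frame 123456, dummy 4-byte payload.
SAMPLE_DATAGRAM = GSMTAP_HDR.pack(2, 4, 1, 0, GSMTAP_ARFCN_F_UPLINK | 62, -75, 10,
                                  123456, 0, 0, 0, 0) + bytes.fromhex("0303012b")

if __name__ == "__main__":
    gsmtap_sink()
```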
== Screenshot ==
[[Image(gsmtap-wireshark.png, 66%)]]