First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

GSM DTAP malformed packet

  • retag add tags

Hello everyone.

I've got a packet that is technical a call setup from a PRI plugged into a Cisco AS5400. This message is passed via IUA to a server.

Wireshark sees this as "Stream Control Transmission Protocol" > ISDN Q.921-User Adaptation Layer > Radio Signalling Link (RSL) > GSM A-I/F DTAP.

Wireshark complains that this is a malformed GSM DTAP message. And doesn't seem to display any of the raw ISDN message as it comes off the PRI (I'm looking for stuff like called number, source number..etc). I know it's in this particular packet, Because it can be seen in the lower raw section.

I'm not really sure what the message should be. But I don't think it's RSL. Disabling RSL and GSM DTAP just leave the data undecoded.

Screenshot

http://cdn.141networks.com/images/mal...

image description

nick@141networks.com's avatar
3
[email protected]
asked 2020-04-24 14:50:16 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Have you played around with the various dissection preferences of the protocols?

Jaap's avatar Jaap (2020-04-24 18:25:34 +0000) edit
more
  • delete

Yes, Took a few settings to even get it this far. Specifically the RUDP port and some MTP3 stuff. However, I've not been able to find GSM A-I/F DTAP in the protocols portion of preferences. If I right click on the field in the capture. I get the option to "disable GSM DTAP". Which seems to mean I should find it in the protocol list. But I've not found it. Closest thing is GSMTAP. And none of the settings there make any difference.

nick@141networks.com's avatar [email protected] (2020-04-24 19:11:15 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

Look at the IUA preferences, you probably want to uncheck Use GSM SAPI values

Anders's avatar
5k
Anders
answered 2020-04-25 13:25:38 +0000, updated 2020-04-27 07:50:07 +0000
edit flag offensive 0 remove flag delete link
more

Comments

That was it. Thanks so much!

nick@141networks.com's avatar [email protected] (2020-04-27 14:34:07 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer