
How can I get Wireshark to decode ISO SES/PRES/ACSE on top of UDP?

I'm trying to debug an issue on Philips MX40 wireless patient monitors over a Cisco CAPWAP WLAN infrastructure. I have a capture from the AP wired port and Wireshark opens up CAPWAP ok to show the MX40 to PiC traffic. According to Philips doc, the protocol is ACSE ISO 8650 on top of UDP port 24008. I want to decode that UDP port as SES but Wireshark does not give me that protocol option in the "Decode As" window drop down box. Can anyone suggest how to do it?

0x5453
asked 2020-07-16 05:54:42 +0000


1 Answer


Hi, it seems like it's only dissected over COTP:

    heur_dissector_add("cotp", dissect_ses_heur, "SES over COTP", "ses_cotp", proto_ses, HEURISTIC_ENABLE);
    heur_dissector_add("cotp_is", dissect_ses_heur, "SES over COTP (inactive subset)", "ses_cotp_is", proto_ses, HEURISTIC_ENABLE);

You could open up a bug report requesting an enhancement to dissect SES over UDP, but you'll need to attach a trace to the bug in order for someone to test a solution.

Anders
answered 2020-07-16 06:49:35 +0000

Comments

Enhancement requests are raised at the Wireshark Bugzilla. The SES dissector could also be enhanced to support "Decode As..." as long as it doesn't need anything from the protocol it's being carried over.

grahamb (2020-07-16 08:41:19 +0000)
