
Finding MAC error in decoding wireshark capture

Hi,

I need info on how to decode packets with PDCP header info. The following error is seen:

[Expert Info (Error/Sequence) MAC-I Digest wrong calculated 00000000 but found 5b5be0f5] Severity level : Error Group : Sequence

Is any patch needed in Wireshark to decode such packets? This issue is seen during a 5G attach call flow log, in the Security Mode Command message.

Regards, Poornima

Unable to add the Wireshark log since it is looking for more points; I can mail it to anyone. Kindly share your mail ID.

Thanks, Poornima

praghave
asked 2023-03-15 11:11:01 +0000, updated 2023-03-16 04:45:43 +0000

Comments

Please update the question with the output of wireshark -v or Help->About Wireshark:Wireshark.
Can you share a capture file? If so, stick it on a public file share and update the question with a link to it.

Chuckc (2023-03-15 12:23:12 +0000)

Thanks for your kind reply. Unable to upload the Wireshark capture but can mail you. Kindly share mail ID or mail me at - [email protected] https://drive.google.com/file/d/1vLwY... The pcap file is uploaded in the following location.

praghave (2023-03-16 04:46:49 +0000)

1 Answer


There are mentions in a couple of places that ZUC is not supported/enabled.
Either add a comment to 16384: rrc container not decoded in F1AP asking for clarification or open a new GitLab issue attaching the capture file and linking back to this question. If you open a new issue maybe it can be to make the expert info message clearer w.r.t. ZUC.

16384: rrc container not decoded in F1AP includes the comment:

Note that in the pcap attached ZUC ciphering is activated, so all messages after the RRC Security Mode Complete do not decode properly.

packet-pdcp-nr.c:

    { nia3,         "NIA3 (ZUC)" },
...
    { nea3,         "NEA3 (ZUC)" },

Frame 2429 of your capture has:

    securityAlgorithmConfig
        cipheringAlgorithm: nea1 (1)
        integrityProtAlgorithm: nia3 (3)

1716: PDCP-NR: Add ZUC Cipher/integrity calls.

As with Snow3G, we can't distribute Wireshark with NIA3/NEA3 implementations linked in, but provide f8/f9 calls that may be enabled in private builds.

Chuckc
answered 2023-03-16 19:15:50 +0000, updated 2023-03-16 19:18:24 +0000

Comments

As Chuck says, we should do better to explain why integrity isn't checked in this case. Also note that even with ZUC or Snow3G support in your build, you still need the derived keys in order to decrypt and check integrity.

MartinM (2023-03-16 22:06:15 +0000)

Thanks for your comments. Raised request in GitLab - bug number 18914

praghave (2023-03-17 06:02:41 +0000)
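
A small triage helper for the situation in this thread, added here as an example (it is not code from Wireshark or from any of the posters): it reads the expert info text and the securityAlgorithmConfig lines as pasted from Wireshark and reports which precondition for MAC-I checking is missing. The function name, the verdict strings and the `build_has` / `keys_configured` inputs are assumptions made for the illustration.

```python
import re

# Per the answer above, Snow3G and ZUC are not linked into distributed Wireshark
# builds. Treating every other algorithm as available is an assumption.
NEEDS_PRIVATE_BUILD = {"nia1": "Snow3G", "nia3": "ZUC"}

EXPERT_RE = re.compile(
    r"MAC-I Digest wrong\W*calculated\s+([0-9a-f]{8})\s+but found\s+([0-9a-f]{8})", re.I)
ALGO_RE = re.compile(r"integrityProtAlgorithm:\s*(\w+)\s*\(\d+\)")

# Text copied from the question and the answer in this thread.
SAMPLE = """\
[Expert Info (Error/Sequence) MAC-I Digest wrong calculated 00000000 but found 5b5be0f5]
securityAlgorithmConfig
    cipheringAlgorithm: nea1 (1)
    integrityProtAlgorithm: nia3 (3)
"""


def triage(text, build_has=(), keys_configured=False):
    """Return (verdict, detail) for a pasted PDCP-NR dissection.

    build_has: optional algorithms compiled into the local build (hypothetical input).
    keys_configured: whether the derived integrity key was supplied (hypothetical input).
    """
    expert = EXPERT_RE.search(text)
    if expert is None:
        return ("no-mac-error", "no 'MAC-I Digest wrong' expert info in the text")
    calculated, found = (v.lower() for v in expert.groups())
    algo = ALGO_RE.search(text)
    if algo is None:
        return ("unknown-algorithm", "no integrityProtAlgorithm line; find the Security Mode Command")
    name = algo.group(1).lower()
    family = NEEDS_PRIVATE_BUILD.get(name)
    if family and family not in build_has:
        # Assumption: with the algorithm absent, the 'calculated' value is a placeholder.
        return ("algorithm-not-in-build",
                f"{name} needs {family}; calculated={calculated} is not a real digest")
    if not keys_configured:
        return ("keys-missing", f"{name} is available but no derived key was supplied")
    return ("genuine-mismatch",
            f"computed {calculated}, PDU carries {found}: check key, COUNT, bearer, direction")


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(SAMPLE, build_has={"ZUC"}))
```
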