
OpCode 45 exists in TCAP layer for Wireshark Version 3.2.7 but does not in Wireshark Version 4.0.5

I've decoded SRIforSM (Version 1) in Wireshark Version 3.2.7 and found that OpCode=45 exists in the TCAP layer; however, it does not exist in TCAP for Wireshark Version 4.0.5. Which version of Wireshark is the correct one? Is there a bug in 3.2.7? Thank you for your help.

RachidM
asked 2023-09-04 15:05:37 +0000, updated 2023-09-06 13:02:54 +0000

Comments

Share a "pcap or it didn't happen".

Jaap (2023-09-06 06:58:09 +0000)

Cannot attach files or an image. I got the following message: "ask.wireshark.org says 60 points required to upload files"

RachidM (2023-09-06 11:42:35 +0000)

I managed to copy the trace to a text file. SRIforSM decoded with Wireshark 4.0.5:

    Calling Party address (11 bytes)
        Address Indicator
            0... .... = Reserved for national use: 0x0
            .0.. .... = Routing Indicator: Route on GT (0x0)
            ..01 00.. = Global Title Indicator: Translation Type, Numbering Plan, Encoding Scheme, and Nature of Address Indicator included (0x4)
            .... ..1. = SubSystem Number Indicator: SSN present (0x1)
            .... ...0 = Point Code Indicator: Point Code not present (0x0)
        SubSystem Number: MSC (Mobile Switching Center) (8)
        [Linked to TCAP, TCAP SSN linked to GSM_MAP]
        Global Title 0x4 (9 bytes)
            Translation Type: 0x00 (0)
            0001 .... = Numbering Plan: ISDN/telephony (0x1)
            .... 0001 = Encoding Scheme: BCD, odd number of digits (0x1)
            .000 0100 = Nature of Address Indicator: International number (0x04)
            Calling Party Digits: 29170000020
                Called or Calling GT Digits: 29170000020
                Number of Calling Party Digits: 11
                Country Code: Eritrea (291)
    Data length: 41
Transaction Capabilities Application Part
    begin
        [Transaction Id: 3a0008ee]
        Source ...
RachidM (2023-09-06 12:31:32 +0000)

Under Wireshark 3.2.7:

Transaction Capabilities Application Part
    begin
        [Transaction Id: 3a0008ee]
        Source Transaction ID
            otid: 3a0008ee
        components: 1 item
            Component: invoke (1)
                invokeID
                    invokeID: 0
                opCode: localValue (0)
                    localValue: 45
                CONSTRACTOR
GSM Mobile Application
    Component: invoke (1)
        invoke
            invokeID: 0
            opCode: localValue (0)
                localValue: sendRoutingInfoForSM (45)
            msisdn: 915376394094f2
RachidM (2023-09-06 12:44:12 +0000)

Can you please share the hex dump picture? Cut and paste into here is fine. I can point out the hex string to recognize the value.

Si (2024-04-03 19:44:15 +0000)

1 Answer


As can be seen from your text dump, the field has moved from the TCAP layer into the GSM Mobile Application layer.

If you open the capture in Wireshark 4.0.8 (the current stable release) and click on the field, the status bar should show the filter name for the field in parentheses.

grahamb
answered 2023-09-06 14:10:38 +0000

Comments

I have installed 4.0.8; below is the output I got:

    Calling Party address (11 bytes)
        Address Indicator
            0... .... = Reserved for national use: 0x0
            .0.. .... = Routing Indicator: Route on GT (0x0)
            ..01 00.. = Global Title Indicator: Translation Type, Numbering Plan, Encoding Scheme, and Nature of Address Indicator included (0x4)
            .... ..1. = SubSystem Number Indicator: SSN present (0x1)
            .... ...0 = Point Code Indicator: Point Code not present (0x0)
        SubSystem Number: MSC (Mobile Switching Center) (8)
        [Linked to TCAP, TCAP SSN linked to GSM_MAP]
        Global Title 0x4 (9 bytes)
Transaction Capabilities Application Part
    begin
        [Transaction Id: 3a0008ee]
        Source Transaction ID
            otid: 3a0008ee
        components: 1 item
GSM Mobile Application
    Component: invoke (1)
        invoke
            invokeID: 0
            opCode: localValue (0)
                localValue: sendRoutingInfoForSM (45)
            msisdn: 915376394094f2
            sm-RP-PRI: True
            serviceCentreAddress: 919271000020f0

Same behavior as 4.0.5; no opcode shown in TCAP

RachidM (2023-09-06 17:27:29 +0000)

> no opcode shown in TCAP

Yes, that's what @grahamb meant by "the field has moved from the TCAP layer into the GSM Mobile Application layer." - in Wireshark 4.x, there will not be an opcode shown in the TCAP part, it will be shown in the GSM Mobile Application part, and it is shown there, in both 4.0.5 (a 4.x release) and 4.0.8 (a 4.x release).

Guy Harris (2023-09-06 19:32:18 +0000)

Understood now, thank you both.

So the correct decoding is using Wireshark 4.x; Wireshark 3.2.7 is not the correct one to use for decoding as it shows the opcode in both TCAP and MAP. Is my understanding correct?

RachidM (2023-09-06 20:08:52 +0000)

3.2.7 is old (out of support Nov 2022) and the dissection was improved sometime between that version and now. Unfortunately that sometimes means moving fields around to be in a "better" place.

grahamb (2023-09-07 07:37:09 +0000)

Thank you so much, Grahamb. Much appreciated.

RachidM (2023-09-07 11:38:34 +0000)
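
The opCode discussed in this thread is encoded once, inside the TCAP Invoke component; which protocol tree displays it is a dissector choice. As an added example (not part of the original thread and not Wireshark code), this Python walks a constructed Invoke component and extracts the localValue; the function names and the sample bytes are assumptions built from the values in the dumps above.

```python
# Added example (not from the original thread): read the opCode straight from
# the BER bytes of a TCAP Invoke component, whichever layer Wireshark shows it in.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length BER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length is outside this example")
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def invoke_opcode(component):
    """Return (invoke_id, local_opcode, parameter_bytes) for one Invoke component."""
    tag, body, _ = read_tlv(component, 0)
    if tag != 0xA1:                         # [1] constructed = Invoke
        raise ValueError("not an Invoke component")
    tag, val, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("invokeID missing")
    invoke_id = int.from_bytes(val, "big", signed=True)
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x80:                         # optional linkedID [0], skipped
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x02:                         # 0x02 = localValue; 0x06 would be a global OID
        raise ValueError("opCode is not a localValue")
    return invoke_id, int.from_bytes(val, "big", signed=True), body[pos:]

# Constructed sample: invokeID 0, opCode 45, then a parameter SEQUENCE carrying the
# msisdn, sm-RP-PRI and serviceCentreAddress values quoted in the thread. The
# context tags 0x80/0x81/0x82 on those three fields are an assumption.
SAMPLE = bytes.fromhex(
    "a11d" "020100" "02012d"
    "3015" "8007915376394094f2" "8101ff" "8207919271000020f0"
)
SRI_FOR_SM = 45                             # sendRoutingInfoForSM, as shown in the dissection

if __name__ == "__main__":
    invoke_id, opcode, param = invoke_opcode(SAMPLE)
    print(invoke_id, opcode, opcode == SRI_FOR_SM, param.hex())
```
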