First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Redefining a proprietary PFCP IE

Hi All,

Proprietary PFCP IE Type 245 is decoded (by the current stable WS build) as some Packet Delay Thresholds, I suppose 'cos some vendor was the first one to have shared their own PFCP IE specs with WS Eng. I need to redefine that IE in my WS (and likely several other IEs later) using a different vendor's spec, which I already have for that IE. Assuming it's doable with Lua as mentioned here by @ranjeetsih is there perhaps a complete sample Lua PFCP dissector that I could tweak to my liking w/o having to code anything from scratch? The @ranjeetsih's one seems to be incomplete (e.g. missing the actual dissecting code), so I'm getting an error when trying to plug it into my WS. Dissecting performance is not a concern - just need a 100% correct (as per my vendor spec) offline PFCP dissection at this point. Here's a pcap trace with the IE in question.

Many thanks in advance!

dandreye's avatar
23
dandreye
asked 2023-11-10 16:09:45 +0000, updated 2023-11-10 16:44:32 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

"Routines for Packet Forwarding Control Protocol (PFCP)" dissection (epan/dissectors/packet-pfcp.c) is implemented using the spec Ref 3GPP TS 29.244 V18.3.0 (2023-09-20).

packet-pfcp.c:

    { 245, "Packet Delay Thresholds"},         /* Extendable / Clause 8.2.169 */

Which come from the spec. Here is ETSI TS 129 244 V17.9.0 (2023-07) which shows the field on page 337:

image description

It's on the vendors to use the proper range:

IE type values within the range of 32768 to 65535 are used for vendor-specific IE and the value allocation is controlled by the vendor.

Which you could then add with a lua script.

image description

Chuckc's avatar
3k
Chuckc
answered 2023-11-10 16:58:40 +0000, updated 2023-11-10 17:06:55 +0000
edit flag offensive 0 remove flag delete link
more

Comments

@Chuckc: thank you. Can it still be redefined w/o any C/C++ coding then?

dandreye's avatar dandreye (2023-11-10 17:16:14 +0000) edit
more
  • delete

I wonder if their code is writing the field in wrong endianness?

00 f5 = 245
f5 00 = 62720 (which is in the vendor range)

Chuckc's avatar Chuckc (2023-11-10 17:19:06 +0000) edit
more
  • delete

Well spotted - thank you: I'll double check with the vendor. Meanwhile a complete sample lua PFCP dissector would still really help (the one that works right away once placed at the path it belongs), if not with this particular IE then with those from the vendor specific range.

dandreye's avatar dandreye (2023-11-10 17:26:52 +0000) edit
more
  • delete

There is an example capture (actually hexdump) attached to 17523: PFCP: Wrong Enterprise IE generic decoding offsets.
As time permits I'll work on a Lua example to extend the code in Add vsa defination for pfcp packet without compiling wireshark?

Chuckc's avatar Chuckc (2023-11-10 17:30:45 +0000) edit
more
  • delete

Thank you so much!

dandreye's avatar dandreye (2023-11-10 17:33:54 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer