
Text2pcap ISDN Q931 HEX

Hi,

I have a Q931 hex capture. Something like:

000000 08 02 ae 15 02 18 03 a9 83 96
000000 08 02 ae 15 01
000000 08 02 2e 15 45 08 02 80 90
000000 08 02 ae 15 4d
000000 08 02 2e 15 5a

I don't know how to use text2pcap in order to make a pcap with only this.

I saw this old post https://osqa-ask.wireshark.org/questi...

If I add a dummy LDAP header like:

000000 02 01 ba a6
000004 08 02 ae 15 02 18 03 a9 83 96
000000 02 01 ba a6
000004 08 02 ae 15 01
000000 02 01 ba a6
000004 08 02 2e 15 45 08 02 80 90
000000 02 01 ba a6
000004 08 02 ae 15 4d
000000 02 01 ba a6
000004 08 02 2e 15 5a

and I use

text2pcap -l 203 file.txt file.pcap

it's OK

But I would like to get it without the fake LDAP layer.

Regards

Gates

Gates
asked 2024-02-20 16:11:15 +0000

1 Answer


The advice in the Wiki about "How to Dissect Anything" is your best bet here.

There is no link-layer type used in pcap or pcapng for Q931 by itself. However, you can use one of the private use USER link types from 147 to 162.

text2pcap -E user3 q931.txt q931.pcapng

(or text2pcap -l 150 q931.txt q931.pcapng)

You can then tell your personal version of Wireshark to dissect that particular User DLT as you wish, by using the user DLT. In your case, you would then configure DLT 150 to use the q931 dissector.

The disadvantage, as this is a private use data link type, is that if you share the file with someone else, they will also have to configure Wireshark similarly to read it, unlike using the LDAP link layer type.

_edit_: Another option is to use the WIRESHARK_UPPER_PDU link layer type, with text2pcap -E wireshark-upper-pdu -P q931 q931.txt q931.pcapng or text2pcap -l 252 -P q931 q931.txt q931.pcapng

(If you enter text2pcap -E with nothing else, it will list all possible encapsulations and their descriptions.)

text2pcap -P <dissector> is supposed to automatically set the link layer type to WIRESHARK_UPPER_PDU, but it seems like that's currently broken.

The WIRESHARK_UPPER_PDU type adds some metadata that tells Wireshark what dissector to run to process the following data. It makes a slightly larger file, but has the advantage that anyone else opening the file in Wireshark or tshark can make it work. Non-Wireshark programs that read pcaps still probably can't deal with it, but they can perhaps see the metadata.

johnthacker
answered 2024-02-20 22:09:25 +0000, updated 2024-02-21 03:57:05 +0000

Comments

It can also be done from the command line using -o <preference/recent setting>.
(Wireshark man page)

-o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""
Chuckc (2024-02-20 22:31:01 +0000)

Perhaps text2pcap should add support for LINKTYPE_WIRESHARK_UPPER_PDU.

Guy Harris (2024-02-21 02:17:08 +0000)

Good point, that is an option, ever since 4.0.

johnthacker (2024-02-21 03:52:10 +0000)

text2pcap -P <dissector> is supposed to automatically set the link layer type to WIRESHARK_UPPER_PDU, but it seems like that's currently broken.

Your merge request fixed that. I've backported it to the 4.2 and 4.0 branches, so the next 4.0.x and 4.2.x releases should allow this. (3.6.x doesn't support -P.)

Guy Harris (2024-02-21 05:31:25 +0000)
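As an added example (not part of the original question or answer, and not Wireshark's own code), the following Python script does by hand what the text2pcap commands in johnthacker's answer do: it splits the question's hex dump into packets using the same rule text2pcap applies (a line whose offset is 0 starts a new packet), then writes a classic pcap file either with the private-use USER3 link type (150) or with the WIRESHARK_UPPER_PDU link type (252), where each packet is prefixed with the exported-PDU metadata that names the q931 dissector. The exported-PDU tag layout (dissector-name tag 12, end-of-options tag 0, values zero-padded to a multiple of 4 bytes) is my reading of Wireshark's exported_pdu.h and is an assumption to check against your Wireshark version; the output file names are constructed.

```python
import struct

# Constructed sample input: the Q.931 hex dump from the question above
Q931_DUMP = """\
000000 08 02 ae 15 02 18 03 a9 83 96
000000 08 02 ae 15 01
000000 08 02 2e 15 45 08 02 80 90
000000 08 02 ae 15 4d
000000 08 02 2e 15 5a
"""

# pcap link-layer types (tcpdump.org link-layer header type registry)
LINKTYPE_USER3 = 150                 # private-use range 147..162; text2pcap -l 150 / -E user3
LINKTYPE_WIRESHARK_UPPER_PDU = 252   # text2pcap -l 252 / -E wireshark-upper-pdu

# Exported-PDU tag numbers; assumption: taken from Wireshark's exported_pdu.h
EXP_PDU_TAG_END_OF_OPT = 0
EXP_PDU_TAG_DISSECTOR_NAME = 12


def parse_hexdump(text):
    """Parse text2pcap-style lines ('offset byte byte ...') into a list of packets.

    As with text2pcap, a line whose offset is 0 starts a new packet; lines with a
    non-zero offset (e.g. the 000004 continuation lines in the LDAP-prefixed
    variant) are appended to the packet in progress.
    """
    packets = []
    current = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        offset = int(parts[0], 16)
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        current += bytes(int(b, 16) for b in parts[1:])
    if current:
        packets.append(bytes(current))
    return packets


def exported_pdu_header(dissector):
    """Build the WIRESHARK_UPPER_PDU metadata that precedes each packet.

    Layout (assumed from exported_pdu.h): big-endian TLVs of 2-byte tag and
    2-byte length, the value zero-padded to a multiple of 4, terminated by an
    end-of-options tag with length 0.
    """
    name = dissector.encode("ascii")
    padded_len = (len(name) + 3) & ~3
    return (struct.pack(">HH", EXP_PDU_TAG_DISSECTOR_NAME, padded_len)
            + name.ljust(padded_len, b"\0")
            + struct.pack(">HH", EXP_PDU_TAG_END_OF_OPT, 0))


def build_pcap(packets, linktype, dissector=None):
    """Return the bytes of a classic pcap file (magic 0xa1b2c3d4, microsecond
    timestamps, little-endian) holding the given packets.

    With dissector set, every packet is prefixed with the exported-PDU header, which
    only makes sense together with LINKTYPE_WIRESHARK_UPPER_PDU.
    """
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, network
    out = bytearray(struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        if dissector is not None:
            pkt = exported_pdu_header(dissector) + pkt
        # record header: ts_sec, ts_usec, incl_len, orig_len (one second per packet)
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


if __name__ == "__main__":
    pkts = parse_hexdump(Q931_DUMP)
    with open("q931_user3.pcap", "wb") as f:          # constructed file name
        f.write(build_pcap(pkts, LINKTYPE_USER3))
    with open("q931_upper_pdu.pcap", "wb") as f:      # constructed file name
        f.write(build_pcap(pkts, LINKTYPE_WIRESHARK_UPPER_PDU, dissector="q931"))
    print(f"wrote {len(pkts)} Q.931 packets to q931_user3.pcap and q931_upper_pdu.pcap")
```

Opening q931_upper_pdu.pcap in Wireshark should dissect straight to Q.931, since the dissector name travels inside the file; q931_user3.pcap still needs the DLT 150 to q931 mapping described in the answer (for example via the -o uat:user_dlts preference shown in the comments), which is exactly the sharing drawback the answer points out.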
