I think the problem is that the packets are encrypted: > FCS: 0x3624af (incorrect, maybe due to ciphering, calculated 0xb5c834) [...] > .... .... .... ..1. = E bit: encrypted frame
The GPRS-LLC dissector does not hand the payload off to the next dissector when this is the case. I suppose in your other (PCAP) captures the data is not encrypted and/or the checksums are correct. Marc Lebas wrote: > Hello Jeff, > > Enclosed is a small capture file (99 records, 27Kb). > i can provide you with a bigger file if this excerpt does not contain IP > frames. > > Marc > > -----Message d'origine----- > De : [email protected] > [mailto:[email protected]] De la part de Jeff Morriss > Envoyé : vendredi 27 février 2009 15:53 > À : Developer support list for Wireshark > Objet : Re: [Wireshark-dev] decoding depth & capture format > > > > Marc Lebas wrote: >> Hello, >> Maybe its a User question but that could be a dev issue; anyway there >> was no answer to my question on the User's mailing list. >> >> The issue : i got different depth in decoding (GPRS over FR), >> depending on the capture file format : >> With rf5, the analysis is limited to GPRS protocol layers, but never >> decode IP which is the encapsulated protocol. >> With libpcap, it is OK; Wireshark go deeper as it is able to decode >> encapsulated IP frames in GPRS frames. >> Why such a behaviour ? Did i missed something in my config ? >> Here is my config on Linux (but the issue is the same on Windows) : >> - preferences : fr.encap: GPRS Network Service >> - cat k12_protos : "gprs_gb","fr" > > Not having ever looked at a GPRS capture in Wireshark, I don't know. > (Small) sample captures would help. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
