Hi Dragos,

On Mon, 16 Sept 2024 at 17:38, Dragos Minuta <dragos.min...@radcom.com>
wrote:

> Hi,
>
> There is decoding NAS 5GS - NAS message container, if EPS NAS message
> container is also present inside NAS 5GS  PDU.
> Attached pcap.
> From my analysis it looks that NAS message container is taking Security
> Header type field from previously decoded EPS NAS message instead of taking
> it from NAS 5GS PDU.
>

I do not know which Wireshark version you are using, but this is not the
case with the current development version. Here is the decoding I get:

Non-Access-Stratum 5GS (NAS)PDU
    Security protected NAS 5GS message
        Extended protocol discriminator: 5G mobility management messages (126)
        0000 .... = Spare Half Octet: 0
        .... 0001 = Security header type: Integrity protected (1)
        Message authentication code: 0xe5dd97aa
        Sequence number: 217
    Plain NAS 5GS Message
        Extended protocol discriminator: 5G mobility management messages (126)
        0000 .... = Spare Half Octet: 0
        .... 0000 = Security header type: Plain NAS message, not security protected (0)
        Message type: Registration request (0x41)
        5GS registration type
            .... 0... = Follow-On Request bit (FOR): No follow-on request pending
            .... .010 = 5GS registration type: mobility registration updating (2)
        NAS key set identifier
            0... .... = Type of security context flag (TSC): Native security context (for KSIAMF)
            .000 .... = NAS key set identifier: 0
        5GS mobile identity
            Length: 11
            1... .... = Spare: 1
            .1.. .... = Spare: 1
            ..1. .... = Spare: 1
            ...1 .... = Spare: 1
            .... 0... = Spare: 0
            .... .010 = Type of identity: 5G-GUTI (2)
            Mobile Country Code (MCC): United States (310)
            Mobile Network Code (MNC): AT&T Mobility (410)
            AMF Region ID: 255
            0001 0000 00.. .... = AMF Set ID: 64
            ..01 0100 = AMF Pointer: 20
            5G-TMSI: 4154594839 (0xf7a21617)
        UE security capability
            Element ID: 0x2e
            Length: 4
            1... .... = 5G-EA0: Supported
            .1.. .... = 128-5G-EA1: Supported
            ..1. .... = 128-5G-EA2: Supported
            ...1 .... = 128-5G-EA3: Supported
            .... 0... = 5G-EA4: Not supported
            .... .0.. = 5G-EA5: Not supported
            .... ..0. = 5G-EA6: Not supported
            .... ...0 = 5G-EA7: Not supported
            0... .... = 5G-IA0: Not supported
            .1.. .... = 128-5G-IA1: Supported
            ..1. .... = 128-5G-IA2: Supported
            ...1 .... = 128-5G-IA3: Supported
            .... 0... = 5G-IA4: Not supported
            .... .0.. = 5G-IA5: Not supported
            .... ..0. = 5G-IA6: Not supported
            .... ...0 = 5G-IA7: Not supported
            1... .... = EEA0: Supported
            .1.. .... = 128-EEA1: Supported
            ..1. .... = 128-EEA2: Supported
            ...1 .... = 128-EEA3: Supported
            .... 0... = EEA4: Not supported
            .... .0.. = EEA5: Not supported
            .... ..0. = EEA6: Not supported
            .... ...0 = EEA7: Not supported
            0... .... = EIA0: Not supported
            .1.. .... = 128-EIA1: Supported
            ..1. .... = 128-EIA2: Supported
            ...1 .... = 128-EIA3: Supported
            .... 0... = EIA4: Not supported
            .... .0.. = EIA5: Not supported
            .... ..0. = EIA6: Not supported
            .... ...0 = EIA7: Not supported
        UE status
            Element ID: 0x2b
            Length: 1
            0... .... = Spare: 0
            .0.. .... = Spare: 0
            ..0. .... = Spare: 0
            ...0 .... = Spare: 0
            .... 0... = Spare: 0
            .... .0.. = Spare: 0
            .... ..1. = N1 mode reg: UE is in 5GMM-REGISTERED state
            .... ...1 = S1 mode reg: UE is in EMM-REGISTERED state
        5GS mobile identity -  Additional GUTI
            Element ID: 0x77
            Length: 11
            1... .... = Spare: 1
            .1.. .... = Spare: 1
            ..1. .... = Spare: 1
            ...1 .... = Spare: 1
            .... 0... = Spare: 0
            .... .010 = Type of identity: 5G-GUTI (2)
            Mobile Country Code (MCC): United States (310)
            Mobile Network Code (MNC): AT&T Mobility (410)
            AMF Region ID: 254
            0100 0000 01.. .... = AMF Set ID: 257
            ..11 1111 = AMF Pointer: 63
            5G-TMSI: 3623491202 (0xd7fa1682)
        EPS NAS message container
            Element ID: 0x70
            Length: 21
            Non-Access-Stratum (NAS)PDU
                0001 .... = Security header type: Integrity protected (1)
                .... 0111 = Protocol discriminator: EPS mobility management messages (0x7)
                Message authentication code: 0x4273820a
                Sequence number: 5
                0000 .... = Security header type: Plain NAS message, not security protected (0)
                .... 0111 = Protocol discriminator: EPS mobility management messages (0x7)
                NAS EPS Mobility Management Message Type: Tracking area update request (0x48)
                1... .... = Type of security context flag (TSC): Mapped security context (for KSIsgsn or KSIamf)
                .000 .... = NAS key set identifier:  (0) ASME
                .... 0... = Active flag: No bearer establishment requested
                .... .000 = EPS update type value: TA updating (0)
                EPS mobile identity - Old GUTI
                    Length: 11
                    .... 0... = Odd/even indication: Even number of identity digits
                    .... .110 = Type of identity: GUTI (6)
                    Mobile Country Code (MCC): United States (310)
                    Mobile Network Code (MNC): AT&T Mobility (410)
                    MME Group ID: 65296
                    MME Code: 20
                    M-TMSI: 4154594839 (0xf7a21617)
        NAS message container
            Element ID: 0x71
            Length: 106
            Non-Access-Stratum 5GS (NAS)PDU
                Security protected NAS 5GS message
                    Extended protocol discriminator: Unknown (44)
                    0111 .... = Spare Half Octet: 7
                    .... 1001 = Security header type: Unknown (9)
                    Message authentication code: 0x21793089
                    Sequence number: 32
                Plain NAS 5GS Message
                    Extended protocol discriminator: Unknown (34)
                    Not a NAS 5GS PD 34 (Unknown)
                        [Expert Info (Error/Protocol): Not a NAS 5GS PD 34 (Unknown)]
                            [Not a NAS 5GS PD 34 (Unknown)]
                            [Severity level: Error]
                            [Group: Protocol]

The NAS message container has the following bytes:
2c7921793089202264ec98a98a9a8005bcc40dbf4a19f9b57e7de5982175d3b1cd19535124d39abce39592086601bbce133489bbc89e0d43f87a810873458b898e93b0799411b793705b56a0b349ce2599f0c37a7ad7bd66c1324b943f59aee9ce8b88b9a318849fd63a
2c is not a valid extended protocol discriminator, so I guess you are in a
setup where the NAS ciphering algorithm is not set to NULL and thus the NAS
message container IE content is ciphered. As Wireshark does not support
deciphering, this result is expected.


> This change fixed the issue:
>
> *diff --git a/epan/dissectors/packet-nas_5gs.c
> b/epan/dissectors/packet-nas_5gs.c*
> *index 2e2a61ae94..7af040b4a0 100644*
> *--- a/epan/dissectors/packet-nas_5gs.c*
> *+++ b/epan/dissectors/packet-nas_5gs.c*
> *@@ -2574,6 +2574,7 @@ de_nas_5gs_mm_eps_nas_msg_cont(tvbuff_t *tvb,
> proto_tree *tree, packet_info *pin*
> *         col_set_fence(pinfo->cinfo, COL_PROTOCOL);*
> *         call_dissector(nas_eps_handle, tvb_new_subset_length(tvb,
> offset, len), pinfo, tree);*
> *     }*
> *+    (pinfo->curr_layer_num)--;*
>
> *     return len;*
> * }*
>
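
Review bot: the added (pinfo->curr_layer_num)-- sits after the closing brace of the block that makes the call_dissector(nas_eps_handle, ...) call, so it runs on every return from de_nas_5gs_mm_eps_nas_msg_cont, including any path where that block was skipped and the EPS dissector never ran. If the decrement is meant to undo something the nested call did, move it inside the block directly after call_dissector() and add a comment naming the per-layer state it restores, because nothing in the hunk explains why the layer counter is adjusted by hand.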

It does not change anything for me, and should not with the current
codebase.

Best regards,
Pascal.
_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@wireshark.org
To unsubscribe send an email to wireshark-dev-le...@wireshark.org
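
Added example, not part of the original message and not Wireshark code: a small header check that separates "the buffer starts like a NAS 5GS PDU" from "the first octet is no 5GS protocol discriminator", which is the test applied to the 0x2c octet in the reply above. The function and enum names are hypothetical; the 5GSM discriminator 0x2e and the security header type range 0..4 are taken from 3GPP TS 24.007 / TS 24.501 rather than from this thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Extended protocol discriminators for 5GS NAS (3GPP TS 24.007). */
#define EPD_5GSM 0x2e   /* 5GS session management */
#define EPD_5GMM 0x7e   /* 5GS mobility management (126 in the decode) */

enum nas5gs_verdict {
    NAS5GS_TOO_SHORT,
    NAS5GS_PLAIN,         /* valid EPD, security header type 0 */
    NAS5GS_SEC_PROTECTED, /* valid EPD, security header type 1..4 */
    NAS5GS_BAD_HEADER,    /* 5GMM EPD but spare nibble set or type > 4 */
    NAS5GS_NOT_NAS5GS     /* first octet is no 5GS EPD: ciphered or foreign */
};

/* Classify the first octets of a buffer expected to hold a NAS 5GS PDU. */
enum nas5gs_verdict nas5gs_classify(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 2)
        return NAS5GS_TOO_SHORT;
    if (buf[0] == EPD_5GSM)           /* 5GSM has no security header octet */
        return len >= 4 ? NAS5GS_PLAIN : NAS5GS_TOO_SHORT;
    if (buf[0] != EPD_5GMM)
        return NAS5GS_NOT_NAS5GS;
    uint8_t spare = buf[1] >> 4, sht = buf[1] & 0x0f;
    if (spare != 0 || sht > 4)
        return NAS5GS_BAD_HEADER;
    if (sht == 0)                     /* EPD, header, message type */
        return len >= 3 ? NAS5GS_PLAIN : NAS5GS_TOO_SHORT;
    /* EPD, header, 4-octet MAC, sequence number, then the inner message */
    return len >= 7 ? NAS5GS_SEC_PROTECTED : NAS5GS_TOO_SHORT;
}

/* Outer PDU start, reconstructed from the decode: MAC 0xe5dd97aa, SN 217. */
static const uint8_t outer_pdu[] = {0x7e, 0x01, 0xe5, 0xdd, 0x97, 0xaa, 0xd9,
                                    0x7e, 0x00, 0x41};
/* First octets of the NAS message container bytes quoted in the message. */
static const uint8_t container[] = {0x2c, 0x79, 0x21, 0x79, 0x30, 0x89,
                                    0x20, 0x22};

int main(void)
{
    printf("outer=%d inner=%d container=%d\n",
           nas5gs_classify(outer_pdu, sizeof outer_pdu),
           nas5gs_classify(outer_pdu + 7, sizeof outer_pdu - 7),
           nas5gs_classify(container, sizeof container));
    return 0;
}
```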
