Hi Dragos, Le lun. 16 sept. 2024 à 17:38, Dragos Minuta <dragos.min...@radcom.com> a écrit :
> Hi, > > There is decoding NAS 5GS - NAS message container, if EPS NAS message > container is also present inside NAS 5GS PDU. > Attached pcap. > >From my analysis it looks that NAS message container is taking Security > Header type field from previously decoded EPS NAS message instead of taking > it from NAS 5GS PDU. > I do not know which Wireshark version you are using, but this is not the case with the current development version. Here is the decoding I get: Non-Access-Stratum 5GS (NAS)PDU Security protected NAS 5GS message Extended protocol discriminator: 5G mobility management messages (126) 0000 .... = Spare Half Octet: 0 .... 0001 = Security header type: Integrity protected (1) Message authentication code: 0xe5dd97aa Sequence number: 217 Plain NAS 5GS Message Extended protocol discriminator: 5G mobility management messages (126) 0000 .... = Spare Half Octet: 0 .... 0000 = Security header type: Plain NAS message, not security protected (0) Message type: Registration request (0x41) 5GS registration type .... 0... = Follow-On Request bit (FOR): No follow-on request pending .... .010 = 5GS registration type: mobility registration updating (2) NAS key set identifier 0... .... = Type of security context flag (TSC): Native security context (for KSIAMF) .000 .... = NAS key set identifier: 0 5GS mobile identity Length: 11 1... .... = Spare: 1 .1.. .... = Spare: 1 ..1. .... = Spare: 1 ...1 .... = Spare: 1 .... 0... = Spare: 0 .... .010 = Type of identity: 5G-GUTI (2) Mobile Country Code (MCC): United States (310) Mobile Network Code (MNC): AT&T Mobility (410) AMF Region ID: 255 0001 0000 00.. .... = AMF Set ID: 64 ..01 0100 = AMF Pointer: 20 5G-TMSI: 4154594839 (0xf7a21617) UE security capability Element ID: 0x2e Length: 4 1... .... = 5G-EA0: Supported .1.. .... = 128-5G-EA1: Supported ..1. .... = 128-5G-EA2: Supported ...1 .... = 128-5G-EA3: Supported .... 0... = 5G-EA4: Not supported .... .0.. = 5G-EA5: Not supported .... ..0. = 5G-EA6: Not supported .... ...0 = 5G-EA7: Not supported 0... .... = 5G-IA0: Not supported .1.. .... = 128-5G-IA1: Supported ..1. .... = 128-5G-IA2: Supported ...1 .... = 128-5G-IA3: Supported .... 0... = 5G-IA4: Not supported .... .0.. = 5G-IA5: Not supported .... ..0. = 5G-IA6: Not supported .... ...0 = 5G-IA7: Not supported 1... .... = EEA0: Supported .1.. .... = 128-EEA1: Supported ..1. .... = 128-EEA2: Supported ...1 .... = 128-EEA3: Supported .... 0... = EEA4: Not supported .... .0.. = EEA5: Not supported .... ..0. = EEA6: Not supported .... ...0 = EEA7: Not supported 0... .... = EIA0: Not supported .1.. .... = 128-EIA1: Supported ..1. .... = 128-EIA2: Supported ...1 .... = 128-EIA3: Supported .... 0... = EIA4: Not supported .... .0.. = EIA5: Not supported .... ..0. = EIA6: Not supported .... ...0 = EIA7: Not supported UE status Element ID: 0x2b Length: 1 0... .... = Spare: 0 .0.. .... = Spare: 0 ..0. .... = Spare: 0 ...0 .... = Spare: 0 .... 0... = Spare: 0 .... .0.. = Spare: 0 .... ..1. = N1 mode reg: UE is in 5GMM-REGISTERED state .... ...1 = S1 mode reg: UE is in EMM-REGISTERED state 5GS mobile identity - Additional GUTI Element ID: 0x77 Length: 11 1... .... = Spare: 1 .1.. .... = Spare: 1 ..1. .... = Spare: 1 ...1 .... = Spare: 1 .... 0... = Spare: 0 .... .010 = Type of identity: 5G-GUTI (2) Mobile Country Code (MCC): United States (310) Mobile Network Code (MNC): AT&T Mobility (410) AMF Region ID: 254 0100 0000 01.. .... = AMF Set ID: 257 ..11 1111 = AMF Pointer: 63 5G-TMSI: 3623491202 (0xd7fa1682) EPS NAS message container Element ID: 0x70 Length: 21 Non-Access-Stratum (NAS)PDU 0001 .... = Security header type: Integrity protected (1) .... 0111 = Protocol discriminator: EPS mobility management messages (0x7) Message authentication code: 0x4273820a Sequence number: 5 0000 .... = Security header type: Plain NAS message, not security protected (0) .... 0111 = Protocol discriminator: EPS mobility management messages (0x7) NAS EPS Mobility Management Message Type: Tracking area update request (0x48) 1... .... = Type of security context flag (TSC): Mapped security context (for KSIsgsn or KSIamf) .000 .... = NAS key set identifier: (0) ASME .... 0... = Active flag: No bearer establishment requested .... .000 = EPS update type value: TA updating (0) EPS mobile identity - Old GUTI Length: 11 .... 0... = Odd/even indication: Even number of identity digits .... .110 = Type of identity: GUTI (6) Mobile Country Code (MCC): United States (310) Mobile Network Code (MNC): AT&T Mobility (410) MME Group ID: 65296 MME Code: 20 M-TMSI: 4154594839 (0xf7a21617) NAS message container Element ID: 0x71 Length: 106 Non-Access-Stratum 5GS (NAS)PDU Security protected NAS 5GS message Extended protocol discriminator: Unknown (44) 0111 .... = Spare Half Octet: 7 .... 1001 = Security header type: Unknown (9) Message authentication code: 0x21793089 Sequence number: 32 Plain NAS 5GS Message Extended protocol discriminator: Unknown (34) Not a NAS 5GS PD 34 (Unknown) [Expert Info (Error/Protocol): Not a NAS 5GS PD 34 (Unknown)] [Not a NAS 5GS PD 34 (Unknown)] [Severity level: Error] [Group: Protocol] The NAS message container has the following bytes: 2c7921793089202264ec98a98a9a8005bcc40dbf4a19f9b57e7de5982175d3b1cd19535124d39abce39592086601bbce133489bbc89e0d43f87a810873458b898e93b0799411b793705b56a0b349ce2599f0c37a7ad7bd66c1324b943f59aee9ce8b88b9a318849fd63a 2c is not a valid extended protocol discriminator, so I guess you are in a setup where the NAS ciphering algorithm is not set to NULL and thus the NAS message container IE content is ciphered. As Wireshark does not support deciphering, this result is expected. > This change fixed the issue: > > *diff --git a/epan/dissectors/packet-nas_5gs.c > b/epan/dissectors/packet-nas_5gs.c* > *index 2e2a61ae94..7af040b4a0 100644* > *--- a/epan/dissectors/packet-nas_5gs.c* > *+++ b/epan/dissectors/packet-nas_5gs.c* > *@@ -2574,6 +2574,7 @@ de_nas_5gs_mm_eps_nas_msg_cont(tvbuff_t *tvb, > proto_tree *tree, packet_info *pin* > * col_set_fence(pinfo->cinfo, COL_PROTOCOL);* > * call_dissector(nas_eps_handle, tvb_new_subset_length(tvb, > offset, len), pinfo, tree);* > * }* > *+ (pinfo->curr_layer_num)--;* > > * return len;* > * }* > It does not change anything for me, and should not with the current codebase. Best regards, Pascal.
_______________________________________________ Wireshark-dev mailing list -- wireshark-dev@wireshark.org To unsubscribe send an email to wireshark-dev-le...@wireshark.org