TCAP is a user of SCCP or SUA. As such a TCAP packet includes a SUA or
SCCP packet.
If Wireshark doesn't show it as TCAP it might be the fact that the
packet is invalid and thus the SUA payload is not considered as TCAP
packet. The reasons for this can be many. One obvious one would be
that the TCAP preferences are looking for ITU-TCAP not the US
proprietary ANSI version of TCAP. I believe this is somewhere hidden
in the settings.
The second reason would be simply the packet being screwed up.
On 13.12.2007, at 11:58, Marc Grün wrote:
Ethereal (Version 0.10.13) was already installed in the computer I'm
using, and I know well it is obsolete. I'm using Wireshark Version
0.99.6 (SVN Rev 22249).
I added the out files for Ethereal and Wireshark concerning that
packet. Ethereal is the only one to label it malformed, it goes fine
with Wireshark.
I would not bother anyway, but what bugs me in fact is that TCAP is
a Layer-7 (Application) protocol, whereas (I might be wrong, but
well) SUA seems to belong to an inferior layer: how can they
qualify both the very same packet?
Which layers does in fact this SUA implement?
Guy Harris <[EMAIL PROTECTED]> wrote:
Marc Grün wrote:
> I'm doing communication between two machines using the SCCP User
> Adaptation (SUA) protocol. Using both Ethereal and Wireshark to capture
> the corresponding packets, I realized that Ethereal shows the
> connectionless datagram ones as "TCAP CLDT" (and they are said to be
> malformed...) whereas Wireshark shows the same as "SUA (RFC 3868) CLDT".
>
> Where does this divergence come from?
Probably from a change in one of the dissectors between the two versions
of the software; the difference between "Ethereal" and "Wireshark" is
that "Ethereal" is the name the software had up to version 0.99.0 and
"Wireshark" is the name it had starting with version 0.99.2 (I don't
remember what happened to 0.99.1). See
http://www.wireshark.org/faq.html#q1.2
for why the name changed.
What are the version numbers of the two releases you're using? And do
you have a small capture file that demonstrates this (if you can just
extract one packet from the capture and read that into the two versions
and see the behavior, that would be ideal)?
Also, are the packets said to be malformed in the newer version? If so,
it might be that the older version wasn't correctly dissecting them.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users