[Gsmmap] Snopsnitch and Wireshark on 4G

Luca Melette luca at srlabs.de
Mon May 7 12:21:00 CEST 2018


Dear Domi,

Yes, your analysis is correct.
The 0x0e value has been overwritten by something else, and now LTE-NAS is at 0x12.
My packet-gsmtap.h now looks like this:

#define GSMTAP_TYPE_LTE_RRC             0x0d    /* LTE interface */
#define GSMTAP_TYPE_LTE_MAC             0x0e    /* LTE MAC interface */
#define GSMTAP_TYPE_LTE_MAC_FRAMED      0x0f    /* LTE MAC with context hdr */
#define GSMTAP_TYPE_OSMOCORE_LOG        0x10    /* libosmocore logging */
#define GSMTAP_TYPE_QC_DIAG             0x11    /* Qualcomm DIAG frame */
#define GSMTAP_TYPE_LTE_NAS             0x12    /* LTE Non-Access Stratum */

So to see the packets again, I would need to patch back wireshark (0x12 to 0x0e) or recompile the parser library used by Snoopsnitch to use the new header.

As the second way is preferred for the long run, I will try to include this patch in the next app release.

Cheers,

LM

> Hi all, 
> 
> Last time I've checked the pcap dump from Snoopsnitch while on LTE it was not parsed correctly by Wireshark. I remember seeing that you used the unofficial (?) gsmtap LTE types (0x0d and 0x0e). I've tried Altaf's patch to make Wireshark understand the dump I took: https://www.wireshark.org/lists/wireshark-dev/201501/msg00137.html but without much luck. So I wondered: has there been any improvement on this? Or am I missing something completely? I mean the pcap dump feature without Wireshark understanding the messages is not that great in my opinion. It worked fine for 3G and 2G dumps though. 
> If you can confirm it is still in the same state, and it is known not to work right now I'd be open to dig into it and submit patches possibly. 
> 
> Thanks! 
> Domi 


More information about the Gsmmap mailing list