[Gsmmap] Snopsnitch and Wireshark on 4G

Tomcsányi, Domonkos domi at tomcsanyi.net
Tue May 8 11:52:18 CEST 2018


Hello Markus, hello Luca,

Thank you very much for both of your inputs. I've verified that installing the latest version of Wireshark and flipping the type byte from 0x0e to 0x12 via hexedit made parsing happen just fine for a packet.
I'll use this trick until Snoopsnitch is updated.

One thing I have noticed that Snoopsnitch seems to be only looking at signalling data, is this a correct assumption to make? I wanted to sniff a VoLTE attach procedure, but only the NAS layer was captured, which is just a regular LTE attach. This happened, if I'm correct, because the VoLTE registration runs on a data bearer. It is not an issue at all, I just wanted to check if my understanding is correct.

I'm really grateful for your support, and looking forward to contribute later if possible and needed.

Kind regards,
Domi

----- Original Message -----
> From: "Markus Gräb" <m_graeb11 at cs.uni-kl.de>
> To: "Domonkos Tomcsányi" <domi at tomcsanyi.net>
> Sent: Monday, May 7, 2018 12:57:35 PM
> Subject: Re: [Gsmmap] Snopsnitch and Wireshark on 4G

> Hello Domi,
> 
> I haven't used wireshark and gsmmapfor a while, so hopefully is the information
> correct.
> 
> You have to configure wireshark to use the corrector dissector for the protocol.
> But I currently have no dump on my hand to try it out myself.
> 
> I think with the current version of wireshark you do not need the patch.
> 
> Hopefully I could help.
> 
> Best Regards
> Markus
> 
> 
> On 01.05.2018 04:25, Tomcsányi, Domonkos wrote:
>> Hi all,
>> 
>> Last time I've checked the pcap dump from Snoopsnitch while on LTE it was not
>> parsed correctly by Wireshark. I remember seeing that you used the unofficial
>> (?) gsmtap LTE types (0x0d and 0x0e). I've tried Altaf's patch to make
>> Wireshark understand the dump I took:
>> https://www.wireshark.org/lists/wireshark-dev/201501/msg00137.html but without
>> much luck. So I wondered: has there been any improvement on this? Or am I
>> missing something completely? I mean the pcap dump feature without Wireshark
>> understanding the messages is not that great in my opinion. It worked fine for
>> 3G and 2G dumps though.
>> If you can confirm it is still in the same state, and it is known not to work
>> right now I'd be open to dig into it and submit patches possibly.
>> 
>> Thanks!
>> Domi
>> 
>> 
>> _______________________________________________
>> Gsmmap mailing list
>> Gsmmap at lists.srlabs.de
>> https://lists.srlabs.de/cgi-bin/mailman/listinfo/gsmmap


More information about the Gsmmap mailing list