Wireshark: filter out Diameter watchdog (DWR/DWA, command code 280) and capabilities exchange (CER/CEA, command code 257)
diameter and diameter.cmd.code != 280 and diameter.cmd.code != 257
Show only accounting request/answer (ACR/ACA, command code 271) sent to a given destination IP
diameter.cmd.code == 271 && ip.dst == 10.201.63.37
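As an added example (not code from the page or its author), the following Python script builds a few constructed Diameter headers and applies the same two selections as the filters above, so the fields the display filters actually read (the 24-bit command code and the R bit that separates a request from its answer) are visible. The peer addresses 192.0.2.10/192.0.2.20, the sample message sequence and all helper names are constructed for the example.

```python
import struct
from ipaddress import ip_address

# Diameter command codes used in the filters above (RFC 6733 / RFC 4006 values).
DWR_DWA = 280   # Device-Watchdog-Request / -Answer
CER_CEA = 257   # Capabilities-Exchange-Request / -Answer
ACR_ACA = 271   # Accounting-Request / -Answer
CCR_CCA = 272   # Credit-Control-Request / -Answer (stands in for "other traffic")

FLAG_REQUEST = 0x80  # 'R' bit of the header flags byte: 1 = request, 0 = answer


def build_diameter_header(cmd_code, request, app_id=0, hbh=1, e2e=1, payload_len=0):
    """Construct a 20-byte Diameter header (RFC 6733 section 3) with no AVPs attached.
    Enough for command-code filtering; a real message carries AVPs after it."""
    version = 1
    length = 20 + payload_len                  # total message length, 24 bits
    flags = FLAG_REQUEST if request else 0
    return (bytes([version]) + length.to_bytes(3, "big")
            + bytes([flags]) + cmd_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hbh, e2e))


def parse_diameter_header(data):
    """Decode the fixed header; these are the fields diameter.cmd.code etc. read."""
    if len(data) < 20:
        raise ValueError("short Diameter header")
    app_id, hbh, e2e = struct.unpack("!III", data[8:20])
    return {
        "version": data[0],
        "length": int.from_bytes(data[1:4], "big"),
        "request": bool(data[4] & FLAG_REQUEST),
        "cmd_code": int.from_bytes(data[5:8], "big"),
        "app_id": app_id, "hbh": hbh, "e2e": e2e,
    }


def decode_capture(capture):
    """Attach a parsed header to every record of a (constructed) capture."""
    return [dict(rec, hdr=parse_diameter_header(rec["raw"])) for rec in capture]


def hide_watchdog_and_cer(packets):
    """Equivalent of: diameter and diameter.cmd.code != 280 and diameter.cmd.code != 257"""
    return [p for p in packets if p["hdr"]["cmd_code"] not in (DWR_DWA, CER_CEA)]


def accounting_to(packets, dst):
    """Equivalent of: diameter.cmd.code == 271 && ip.dst == <dst>"""
    dst = ip_address(dst)
    return [p for p in packets
            if p["hdr"]["cmd_code"] == ACR_ACA and ip_address(p["ip_dst"]) == dst]


def summarize(packets):
    """Reduce a packet list to (command code, 'R' or 'A', destination) tuples."""
    return [(p["hdr"]["cmd_code"], "R" if p["hdr"]["request"] else "A", p["ip_dst"])
            for p in packets]


# Constructed sample capture: a client at 192.0.2.10 talking to a Diameter peer at 192.0.2.20.
CLIENT, PEER = "192.0.2.10", "192.0.2.20"
SAMPLE_CAPTURE = [
    {"ip_src": CLIENT, "ip_dst": PEER, "raw": build_diameter_header(CER_CEA, True)},    # CER
    {"ip_src": PEER, "ip_dst": CLIENT, "raw": build_diameter_header(CER_CEA, False)},   # CEA
    {"ip_src": CLIENT, "ip_dst": PEER, "raw": build_diameter_header(DWR_DWA, True)},    # DWR
    {"ip_src": PEER, "ip_dst": CLIENT, "raw": build_diameter_header(DWR_DWA, False)},   # DWA
    {"ip_src": CLIENT, "ip_dst": PEER, "raw": build_diameter_header(ACR_ACA, True)},    # ACR
    {"ip_src": PEER, "ip_dst": CLIENT, "raw": build_diameter_header(ACR_ACA, False)},   # ACA
    {"ip_src": CLIENT, "ip_dst": PEER, "raw": build_diameter_header(CCR_CCA, True)},    # CCR
]

if __name__ == "__main__":
    pkts = decode_capture(SAMPLE_CAPTURE)
    print("without watchdog/CER:", summarize(hide_watchdog_and_cer(pkts)))
    print("accounting to peer:  ", summarize(accounting_to(pkts, PEER)))
```

Because a request and its answer share one command code, the first filter drops both DWR and DWA (and both CER and CEA) in one go, while the second keeps only the ACR or ACA travelling towards the given address; to separate requests from answers in Wireshark, test the R bit with diameter.flags.request.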
-
Arif
In Wireshark, if the TCP analysis coloring is distracting (i.e. black highlights), uncheck “Validate the TCP checksum if possible” under Edit > Preferences > Protocols > TCP.
-
Arif
For SCAPv1, the Diameter TCP port in Wireshark (Edit > Preferences > Protocols) must be changed from the standard 3868 to 1812.
-
Arif
Dictionaries for Diameter live in
/usr/share/wireshark/diameter
After backing up the original dictionaries, to decode SCAPv1 (Ericsson’s proprietary Diameter application) replace them with:
dcca.xml ericsson.xml nasreq.xml tgpp.xml dictionary.dtd imscxdx.xml pps.xml vfe.xml dictionary.xml mobileipv4.xml sunping.xml
The original files were:
chargecontrol.xml Ericsson.xml imscxdx.xml sip.xml TGPPRx.xml dictionary.dtd etsie2e4.xml mobileipv4.xml sunping.xml TGPPSh.xml dictionary.xml gqpolicy.xml nasreq.xml TGPPGmb.xml
-
Arif
tcp.flags == 0x18 and ip.src == 10.201.62.249 and ip.dst == 10.201.62.78
This selects PSH,ACK segments (flags 0x18: “Push” and “Acknowledgement”) from the given source to the given destination. In UCIP XML-RPC, these carry the response from the AIR server, e.g. the following stream:
HTTP/1.1 401 Access to /Air denied for this user ...
Content-Length: 366
Content-Type: text/html
Date: Fri, 26 Mar 2010 07:52:55 GMT
Server
-
Arif
Show only the initial SYN (flags 0x02) of TCP connections from a specific source to a specific destination:
tcp.flags == 0x02 and ip.src == 10.201.62.78 and ip.dst == 10.201.62.249
A series of SYN packets then appears as:
No.  Time      Source        Destination    Protocol  Info
1    0.000000  10.201.62.78  10.201.62.249  TCP       53161 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
4    0.001124  10.201.62.78  10.201.62.249  TCP       53162 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
7    0.001556  10.201.62.78  10.201.62.249  TCP       53163 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
16   0.006334  10.201.62.78  10.201.62.249  TCP       53164 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
20   0.009590  10.201.62.78  10.201.62.249  TCP       53165 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
24   0.011687  10.201.62.78  10.201.62.249  TCP       53166 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
In this particular case, several client ports (53161, 53162, 53163, and so on) each open a separate conversation with port 10010 by sending a SYN packet.
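As an added example covering both the PSH,ACK filter (tcp.flags == 0x18) and the SYN filter (tcp.flags == 0x02) above, and not code from the page or its author, the following Python script decodes the TCP flags byte from constructed 20-byte headers and applies the same selections, then reduces the SYN matches to the source-port/destination-port pairs that the capture excerpt shows. The addresses and port 10010 are taken from the page’s filters; the packet sequence itself, the sequence numbers and the helper names are constructed for the example.

```python
import struct

# TCP flag bits (low byte of the flags field); 0x18 = PSH|ACK, 0x02 = SYN.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Addresses and service port as they appear in the page's filters and capture excerpt.
CLIENT, SERVER, SERVICE_PORT = "10.201.62.78", "10.201.62.249", 10010


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=49640):
    """Construct a minimal 20-byte TCP header (no options; checksum left at zero)."""
    offset_byte = 5 << 4          # data offset = 5 words (20 bytes), reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset_byte, flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed TCP header; 'flags' is the value tcp.flags compares against."""
    if len(data) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off >> 4) * 4, "flags": flags, "window": window}


def decode_capture(capture):
    """Attach a parsed TCP header to every record of a (constructed) capture."""
    return [dict(rec, tcp=parse_tcp_header(rec["raw"])) for rec in capture]


def flags_exact(packets, value, src=None, dst=None):
    """tcp.flags == value [and ip.src == src] [and ip.dst == dst].
    Exact comparison, as in the page's filters: a segment with an extra bit set
    (e.g. PSH|ACK|URG) does not match 0x18."""
    return [p for p in packets
            if p["tcp"]["flags"] == value
            and (src is None or p["ip_src"] == src)
            and (dst is None or p["ip_dst"] == dst)]


def flags_set(packets, mask):
    """Bit test instead of exact match: every segment with all bits of mask set."""
    return [p for p in packets if p["tcp"]["flags"] & mask == mask]


def syn_ports(packets, src, dst):
    """Reproduce the observation above: which source ports opened connections, and to what."""
    return [(p["tcp"]["sport"], p["tcp"]["dport"]) for p in flags_exact(packets, SYN, src, dst)]


def _rec(src, dst, raw):
    return {"ip_src": src, "ip_dst": dst, "raw": raw}


# Constructed sample capture: six handshakes from consecutive client ports, then one
# request/response exchange and a close on the first connection.
SAMPLE_CAPTURE = []
for sport in range(53161, 53167):
    SAMPLE_CAPTURE += [
        _rec(CLIENT, SERVER, build_tcp_header(sport, SERVICE_PORT, SYN)),
        _rec(SERVER, CLIENT, build_tcp_header(SERVICE_PORT, sport, SYN | ACK, ack=1)),
        _rec(CLIENT, SERVER, build_tcp_header(sport, SERVICE_PORT, ACK, seq=1, ack=1)),
    ]
SAMPLE_CAPTURE += [
    _rec(CLIENT, SERVER, build_tcp_header(53161, SERVICE_PORT, PSH | ACK, seq=1, ack=1)),    # request
    _rec(SERVER, CLIENT, build_tcp_header(SERVICE_PORT, 53161, PSH | ACK, seq=1, ack=300)),  # response
    _rec(SERVER, CLIENT, build_tcp_header(SERVICE_PORT, 53161, PSH | ACK, seq=500, ack=300)),
    _rec(SERVER, CLIENT, build_tcp_header(SERVICE_PORT, 53161, FIN | ACK, seq=900, ack=300)),
]

if __name__ == "__main__":
    pkts = decode_capture(SAMPLE_CAPTURE)
    print("SYNs client -> server:", syn_ports(pkts, CLIENT, SERVER))
    print("PSH/ACK server -> client:", len(flags_exact(pkts, PSH | ACK, SERVER, CLIENT)))
    print("segments with ACK set:", len(flags_set(pkts, ACK)))
```

One point the filters above hide: tcp.flags == 0x18 is an exact comparison, so a segment carrying an additional flag (for example PSH,ACK,URG) is not shown. When the intent is “any segment with these bits set”, use the per-flag fields (tcp.flags.syn == 1, tcp.flags.push == 1) or a bitwise test such as tcp.flags & 0x02, which is what flags_set does here.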