How to remove previous layers from M3UA pcap?












0















I have a MTP3 pcap file that when I open in Wireshark shows



Frame1
Ethernet
IPV4
MTP2
MTP3
SCCP
TCAP
GSM MAP



I was able to modify the byte 20-23 that is the link-layer header type where in the original file was 01 00 00 00 that is 1=Ethernet. So, I modified from 01 00 00 00 to 8D 00 00 00, where 8D = 141 = MTP3 (http://www.tcpdump.org/linktypes.html)



D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 00 00 04 00 8D 00 00 00


After doing this and removing ethernet, IPV4 and MTP2 bytes the file was successfully understood by Wireshark showing only the following layers.



Frame1
MTP3
SCCP
TCAP
GSM MAP



Now I have another file that has the following layers:



Frame1
Ethernet
IPV4
SCTP
M3UA
SCCP
TCAP
GSM MAP



and I like to remove the ethernet, IPV4 and SCTP layers or at least ethernet and IPV4. I did similar changing the byte 20 from 01=Ethernet to F8 = 248 = SCTP and removing bytes for Ethernet, IPV4 but when I open the file in Wireshark this time says Malformed packet or gives error and cannot be opened.



I would like to get a file that shows only these layers.



Frame1
SCTP
M3UA
SCCP
TCAP
GSM MAP



or



Frame1
M3UA
SCCP
TCAP
GSM MAP



It is possible to do this?






wireshark layers pcap







share|improve this question



























    0















    I have a MTP3 pcap file that when I open in Wireshark shows



    Frame1
    Ethernet
    IPV4
    MTP2
    MTP3
    SCCP
    TCAP
    GSM MAP



    I was able to modify the byte 20-23 that is the link-layer header type where in the original file was 01 00 00 00 that is 1=Ethernet. So, I modified from 01 00 00 00 to 8D 00 00 00, where 8D = 141 = MTP3 (http://www.tcpdump.org/linktypes.html)



    D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 00 00 04 00 8D 00 00 00


    After doing this and removing ethernet, IPV4 and MTP2 bytes the file was successfully understood by Wireshark showing only the following layers.



    Frame1
    MTP3
    SCCP
    TCAP
    GSM MAP



    Now I have another file that has the following layers:



    Frame1
    Ethernet
    IPV4
    SCTP
    M3UA
    SCCP
    TCAP
    GSM MAP



    and I like to remove the ethernet, IPV4 and SCTP layers or at least ethernet and IPV4. I did similar changing the byte 20 from 01=Ethernet to F8 = 248 = SCTP and removing bytes for Ethernet, IPV4 but when I open the file in Wireshark this time says Malformed packet or gives error and cannot be opened.



    I would like to get a file that shows only these layers.



    Frame1
    SCTP
    M3UA
    SCCP
    TCAP
    GSM MAP



    or



    Frame1
    M3UA
    SCCP
    TCAP
    GSM MAP



    It is possible to do this?






    wireshark layers pcap







    share|improve this question

























      0












      0








      0








      I have a MTP3 pcap file that when I open in Wireshark shows



      Frame1
      Ethernet
      IPV4
      MTP2
      MTP3
      SCCP
      TCAP
      GSM MAP



      I was able to modify the byte 20-23 that is the link-layer header type where in the original file was 01 00 00 00 that is 1=Ethernet. So, I modified from 01 00 00 00 to 8D 00 00 00, where 8D = 141 = MTP3 (http://www.tcpdump.org/linktypes.html)



      D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 00 00 04 00 8D 00 00 00


      After doing this and removing ethernet, IPV4 and MTP2 bytes the file was successfully understood by Wireshark showing only the following layers.



      Frame1
      MTP3
      SCCP
      TCAP
      GSM MAP



      Now I have another file that has the following layers:



      Frame1
      Ethernet
      IPV4
      SCTP
      M3UA
      SCCP
      TCAP
      GSM MAP



      and I like to remove the ethernet, IPV4 and SCTP layers or at least ethernet and IPV4. I did similar changing the byte 20 from 01=Ethernet to F8 = 248 = SCTP and removing bytes for Ethernet, IPV4 but when I open the file in Wireshark this time says Malformed packet or gives error and cannot be opened.



      I would like to get a file that shows only these layers.



      Frame1
      SCTP
      M3UA
      SCCP
      TCAP
      GSM MAP



      or



      Frame1
      M3UA
      SCCP
      TCAP
      GSM MAP



      It is possible to do this?






      wireshark layers pcap







      share|improve this question














      I have a MTP3 pcap file that when I open in Wireshark shows



      Frame1
      Ethernet
      IPV4
      MTP2
      MTP3
      SCCP
      TCAP
      GSM MAP



      I was able to modify the byte 20-23 that is the link-layer header type where in the original file was 01 00 00 00 that is 1=Ethernet. So, I modified from 01 00 00 00 to 8D 00 00 00, where 8D = 141 = MTP3 (http://www.tcpdump.org/linktypes.html)



      D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 00 00 04 00 8D 00 00 00


      After doing this and removing ethernet, IPV4 and MTP2 bytes the file was successfully understood by Wireshark showing only the following layers.



      Frame1
      MTP3
      SCCP
      TCAP
      GSM MAP



      Now I have another file that has the following layers:



      Frame1
      Ethernet
      IPV4
      SCTP
      M3UA
      SCCP
      TCAP
      GSM MAP



      and I like to remove the ethernet, IPV4 and SCTP layers or at least ethernet and IPV4. I did similar changing the byte 20 from 01=Ethernet to F8 = 248 = SCTP and removing bytes for Ethernet, IPV4 but when I open the file in Wireshark this time says Malformed packet or gives error and cannot be opened.



      I would like to get a file that shows only these layers.



      Frame1
      SCTP
      M3UA
      SCCP
      TCAP
      GSM MAP



      or



      Frame1
      M3UA
      SCCP
      TCAP
      GSM MAP



      It is possible to do this?






      wireshark layers pcap




      wireshark layers pcap






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 22 at 21:44









      Ger CasGer Cas

      1062




      1062






















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1397185%2fhow-to-remove-previous-layers-from-m3ua-pcap%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1397185%2fhow-to-remove-previous-layers-from-m3ua-pcap%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Mouse cursor on multiple screens with different PPI

          Image
          24 6 I'm using a 4K display along with a Full HD display with both almost the same physical size and it brings some mouse cursor problems to me working with it on the default Windows settings. As the mouse movement speed depends on the pixels, it's very slow on the 4K display and very fast on the Full HD display. Is there a windows setting or application to move the mouse depending on the visible distance and not the pixels? Another problem is the virtual wall between the screens I can't move the cursor from the upper half of the 4K screen to the Full HD screen: How is it possible to virtually stretch the cursor transition area of the Full HD screen to the one of the 4K monitor? The smallest problem, nevertheless painful, is the cursor size which varies between the screens. Is there a way ...
          Read more

          Agildo Ribeiro

          Image
          Agildo Ribeiro Agildo em 2015 Nome completo Agildo da Gama Barata Ribeiro Filho Nascimento 26 de abril de 1932 Rio de Janeiro, DF Morte 28 de abril de 2018 (86 anos) Rio de Janeiro, RJ Ocupação Ator e humorista ...
          Read more

          Sometime when accessing a menu: “Ubuntu 16.04 has experienced an internal error”

          Image
          0 Sometime, when I try to access some menu (may be inside an application or desktop, doesn't matter), I got the following error. The menu and submenu disappear for a while. After that, I can continue using the system. And the lspci gave me the following output: $ lspci -k | grep -EA3 'VGA|3D|Display' 00:02.0 VGA compatible controller: Intel Corporation Haswell-ULT Integrated Graphics Controller (rev 0b) DeviceName: Onboard IGD Subsystem: Dell Haswell-ULT Integrated Graphics Controller Kernel driver in use: i915 unity compiz error-handling share | improve this question edited Mar 5 at 16:09 ...
          Read more