How to remove previous layers from M3UA pcap?
I have an MTP3 pcap file that, when I open it in Wireshark, shows:
Frame1
Ethernet
IPV4
MTP2
MTP3
SCCP
TCAP
GSM MAP
I was able to modify bytes 20-23, which are the link-layer header type; in the original file they were 01 00 00 00, that is, 1 = Ethernet. So I changed them from 01 00 00 00 to 8D 00 00 00, where 8D = 141 = MTP3 (http://www.tcpdump.org/linktypes.html):
D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 00 00 04 00 8D 00 00 00
After doing this and removing the Ethernet, IPV4 and MTP2 bytes, the file was successfully understood by Wireshark, showing only the following layers:
Frame1
MTP3
SCCP
TCAP
GSM MAP
Now I have another file that has the following layers:
Frame1
Ethernet
IPV4
SCTP
M3UA
SCCP
TCAP
GSM MAP
and I would like to remove the Ethernet, IPV4 and SCTP layers, or at least Ethernet and IPV4. I did something similar, changing byte 20 from 01 = Ethernet to F8 = 248 = SCTP and removing the bytes for Ethernet and IPV4, but when I open the file in Wireshark this time it says Malformed packet or gives an error and cannot be opened.
I would like to get a file that shows only these layers:
Frame1
SCTP
M3UA
SCCP
TCAP
GSM MAP
or
Frame1
M3UA
SCCP
TCAP
GSM MAP
Is it possible to do this?
wireshark layers pcap
asked Jan 22 at 21:44
Ger Cas
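
The rewrite described in the question, as an added example that is not part of the original post: it sets the link type in bytes 20-23 to 248 (SCTP), cuts Ethernet and IPv4 from each packet, and rewrites each 16-byte record header so its lengths match the shortened packet. The function names and the sample capture are constructed for illustration.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_SCTP = 1, 248   # values from tcpdump.org/linktypes.html
REC = "IIII"                                # ts_sec, ts_usec, incl_len, orig_len

def strip_to_sctp(pcap: bytes) -> bytes:
    """Return a pcap whose records start at the SCTP header (link type 248)."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None:
        raise ValueError("not a classic (microsecond) pcap file")
    hdr = list(struct.unpack(e + "HHiIII", pcap[4:24]))
    if hdr[5] != LINKTYPE_ETHERNET:
        raise ValueError("input link type is not 1 (Ethernet)")
    hdr[5] = LINKTYPE_SCTP                  # bytes 20-23 of the file
    out = [pcap[:4], struct.pack(e + "HHiIII", *hdr)]
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(e + REC, pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        off = 12                            # EtherType follows the two MAC addresses
        while frame[off:off + 2] in (b"\x81\x00", b"\x88\xa8"):
            off += 4                        # skip 802.1Q / 802.1ad VLAN tags
        if frame[off:off + 2] != b"\x08\x00" or len(frame) < off + 22:
            continue                        # not IPv4, or too short for an IPv4 header
        ip = off + 2
        ihl = (frame[ip] & 0x0F) * 4        # IPv4 header length varies with options
        total_len, = struct.unpack(">H", frame[ip + 2:ip + 4])
        frag, = struct.unpack(">H", frame[ip + 6:ip + 8])
        if frame[ip + 9] != 132 or frag & 0x3FFF or ihl < 20 or total_len < ihl:
            continue                        # keep only unfragmented SCTP (IP protocol 132)
        sctp = frame[ip + ihl:ip + total_len]   # also drops trailing Ethernet padding
        # Each record header must describe the shortened packet, not the old frame.
        out.append(struct.pack(e + REC, ts_sec, ts_usec, len(sctp), total_len - ihl))
        out.append(sctp)
    return b"".join(out)

def build_sample() -> bytes:
    """Constructed input: one Ethernet/IPv4/SCTP frame and one Ethernet/IPv4/TCP frame."""
    eth = bytes(12) + b"\x08\x00"
    sctp = struct.pack(">HHII", 2905, 2905, 1, 0) + b"\x0e\x00\x00\x04"  # checksum left 0
    def ipv4(proto, body):
        return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                           bytes(4), bytes(4)) + body
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 0x40000, LINKTYPE_ETHERNET)
    for frame in (eth + ipv4(132, sctp) + bytes(10), eth + ipv4(6, bytes(20))):
        pcap += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return pcap
```

Non-SCTP and fragmented packets are dropped rather than copied, since a file with link type 248 can only hold SCTP packets.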