Wireshark mailing list archives
TCAP SRT incorrectly matches TC_BEGINs and TC_ENDs
From: Conall Prendergast <conall.prendergast () anam com>
Date: Wed, 24 May 2017 17:19:07 +0100
Hi All, I have been analyzing a TCAP trace with wireshark with the tcap.srt and tcap.persistentsrt options set to "TRUE". This should correctly match TCAP Begins (using 2 pass analysis) with their associated TCAP Ends, and vise-versa. I have attached two files, "correct_matches.pcap" and "incorrect_matches.pcap", that demonstrate some spurious behavior. These two files are from the same feed, and "correct_matches.pcap" contains packets 5, 11, 15, and 19 from "incorrect_matches.pcap". "correct_matches.pcap" will correctly match packet 1 (TC_BEGIN) with packet 4 (TC_END), and packets 2 and 3 similarly, however, when these packets are analysed with the rest of the feed (incorrect_matches.pcap), these very same packets do not match up. Instead, packet 5 (packet 1 from "correct_matches") matches with packet 15 (3) instead of packet 19 (4). As you can guess, this is unexpected behavior. So in summary, correct_maches.pcap contains: 1 => 4 2 => 3 incorrect_matches contains: 5 => 15 11 => x x => 19 and the mapping of correct_matches to incorrect_matches is: 1 => 5 2 => 11 3 => 15 4 => 19 Any and all help is appreciated. Thanks, Conall -- 3 Custom House Plaza | IFSC | Dublin | D01 VY76 | Ireland | Tel. +353 (1) 291 0138 | Fax. +353 (1) 291 0131 Asia Office - Suite 12.03, Level 12, Centrepoint North | Mid Valley City | 59200 Kuala Lumpur | Malaysia | Tel. +603 2201 3375 The information contained in this e-mail transmission is confidential and may be privileged. It is for the intended recipient only. Any views or opinions present are solely those of the author. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on this e-mail. If you have received this e-mail in error, please immediately notify us by telephone at 353-1-2910138 or e-mail mailadmin () anam com and delete the email from your system
Attachment:
correct_matches.pcap
Description:
Attachment:
incorrect_matches.pcap
Description:
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- TCAP SRT incorrectly matches TC_BEGINs and TC_ENDs Conall Prendergast (May 25)