Re: Diameter [Malformed Packet: GTPv2]

[Bo Xu <xubo.leo () gmail com>]

Hi ,

  The unknown vendor id seems not the reason , because this packet which has
the 81000 vendor , but there is no

prompt of "Malformed Packet: GTPv2".  I also attached the file .

 I also have tried added all the information in the dictionary.xml ,
nothing is changed .

Diameter Protocol
    Version: 0x01
    Length: 532
    Flags: 0x80
    Command Code: 272 Credit-Control
    ApplicationId: 4
    Hop-by-Hop Identifier: 0xa4481500
    End-to-End Identifier: 0x56b6802f
    [Answer In: 31]
    AVP: Session-Id(263) l=61 f=--- val=shcin.chinatelecom.com
;1310710240;231738395;14832:168
    AVP: Origin-Host(264) l=30 f=--- val=shcin.chinatelecom.com
    AVP: Origin-Realm(296) l=24 f=--- val=chinatelecom.com
    AVP: Destination-Realm(283) l=24 f=--- val=chinatelecom.com
    AVP: Auth-Application-Id(258) l=12 f=--- val=Diameter Credit Control (4)
    AVP: Service-Context-Id(461) l=36 f=--- val=version1.in () chinatelecom com
    AVP: CC-Request-Type(416) l=12 f=--- val=INITIAL_REQUEST (1)
    AVP: CC-Request-Number(415) l=12 f=--- val=0
    AVP: Event-Timestamp(55) l=12 f=--- val=Jul 15, 2011 06:25:08.000000000
UTC
    AVP: Subscription-Id(443) l=44 f=---
    AVP: Service-Information(873) l=240 f=V-- vnd=TGPP
        AVP Code: 873 Service-Information
        AVP Flags: 0x80
        AVP Length: 240
        AVP Vendor Id: 3GPP (10415)
        Service-Information:
00004f4c800000e400013c6800004f708000001900013c68...
            AVP: Unknown(20300) l=228 f=V-- vnd=81000
val=00004f708000001900013c68383631353030303937393833...
                AVP Code: 20300 Unknown
                AVP Flags: 0x80
                AVP Length: 228
                AVP Vendor Id: Unknown (81000)
                Value: 00004f708000001900013c68383631353030303937393833...


On Fri, Aug 26, 2011 at 1:46 AM, Anders Broman <a.broman () bredband net>wrote:

>  Bo Xu skrev 2011-08-25 18:21:
>
> Hello  guys ,
>
>          I am very confused that I got "Malformed Packet: GTPv2" in every
> Diameter (CCR) in version 1.6 .
>
>    I tried multiple versions of wireshark , I have found that  for the same
> err_sample.pcap which I have already attached , there is
>
>    no such annoying prompt in version 1.2.16 .   I read the WireShark
> manual , there is some explanation in this URL.
>
>
> http://www.wireshark.org/docs/wsug_html_chunked/AppMessages.html#id622336.
>
>    To my understanding , mostly there is something wrong in the packet
> content . Another proof is that other diameter packet is working
>
>    perfectly with wireshark 1.6.1 version .
>
>    Here comes my question :    does this   AVP(20600)  finally caused the
> "malformed packet" prompt because there is no data in this AVP?
>
>    Or is there anything wrong with the CCR packet content ?
>
>    FYI : Diameter Server Port is 6555 ,  and this server connects the
> multiple clients.
>
>      Service-Information:
> 00005078c000000c00013c680000036ac000001c000028af...
>             AVP: Unknown(20600) l=12 f=VM- vnd=81000
>                 AVP Code: 20600 Unknown
>                 AVP Flags: 0xc0
>                 AVP Length: 12
>                 AVP Vendor Id: Unknown (81000)
>                 [No data]
>                     [Expert Info (Warn/Undecoded): Data is empty]
>                         [Message: Data is empty]
>                         [Severity level: Warn]
>                         [Group: Undecoded]
>             AVP: PS-Information(874) l=28 f=VM- vnd=TGPP
> [Malformed Packet: GTPv2]
>     [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
>         [Message: Malformed Packet (Exception occurred)]
>         [Severity level: Error]
>         [Group: Malformed]
>
> BR
> Xu Bo
>
>  Hi,
> Some background, Wireshark dissects Diameter AVP with the help of xml files
> they can be found in the
> diameter directorry. For some AVP:s there is also C code to further dissect
> "Octet Strings" packet-diameter_3gpp.c.
>
> AVP 20600 with vendor id 81000 is not known to Wireshark, BTW the vendor id
> should be registered in which case Wireshark would show the vendor. There is
> no problem with the dissection of this AVP as far as I can tell.
> AVP 22 vendor 3GPP "3GPP-User-Location-Info" is specified as Octet String
> and
> /*
>  * TS 29.061 v9.2.0
>  * 16.4.7.2 Coding 3GPP Vendor-Specific RADIUS attributes
>  *
>  * For P-GW, the Geographic Location Type values and coding are defined as
> follows:
>  *
>  * 0        CGI
>  * 1        SAI
>  * 2        RAI
>  * 3-127    Spare for future use
>  * 128      TAI
>  * 129      ECGI
>  * 130      TAI and ECGI
>  * 131-255  Spare for future use
>  */
> This dissection fails as the content seems no to be correct according to
> the spec.
>
> Best regards
> Anders
>
>
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org> <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request () wireshark org?subject=unsubscribe <wireshark-users-request () 
> wireshark org?subject=unsubscribe>
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe

Attachment: voice_sample.zip
Description:

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe