Capturing SS7 with wireshark or tshark

I often use wireshark to look at SS7 signalling on E1 links. Up until today, I’ve always done that by capturing the signalling (from a GTH), then converting the captured data to libpcap format and finally loading the file into wireshark.

Someone showed me a better way today: wireshark can read from a pipe or from standard input. That lets me see and filter the packets in wireshark in real time. Here’s how to do it, using the save_to_pcap demo program (included in gth_c_examples):

> ./save_to_pcap gth21 1A 2A 16 - | wireshark -k -i -
capturing packets, press ^C to abort
saving capture to stdout

The same thing works for tshark:

> ./save_to_pcap gth21 1A 2A 16 - | tshark -V -i -
capturing packets, press ^C to abort
saving capture to stdout
Capturing on -
Frame 1 (15 bytes on wire, 15 bytes captured)
    Arrival Time: Aug 10, 2009 20:38:29.388000000
...
   Message Transfer Part Level 2
    .000 1101 = Backward sequence number: 13
    1... .... = Backward indicator bit: 1
    .011 1000 = Forward sequence number: 56
    1... .... = Forward indicator bit: 1
    ..00 0000 = Length Indicator: 0
    00.. .... = Spare: 0
...
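As an added worked example (not part of the original post and not code from gth_c_examples), the Python script below writes a tiny libpcap stream to standard output in the same shape that save_to_pcap produces, so the same wireshark -k -i - or tshark -i - pipe can be tried without a GTH at hand. The payload is one constructed MTP2 FISU whose three header bytes encode exactly the BSN/BIB/FSN/FIB/LI values shown in the tshark output above, and decode_mtp2_header reproduces the bit layout tshark prints. The link type value 140 (LINKTYPE_MTP2), the timestamp and the file name are assumptions; whether wireshark hands the frame to its MTP2 dissector depends on that link-type mapping.

```python
import struct
import sys

# libpcap link-layer type for raw MTP2 frames (assumed: LINKTYPE_MTP2 = 140).
LINKTYPE_MTP2 = 140


def pcap_global_header(linktype=LINKTYPE_MTP2, snaplen=65535):
    """24-byte libpcap file header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(payload, ts_sec, ts_usec):
    """16-byte per-packet header (seconds, microseconds, caplen, len) followed by the frame."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload


def encode_mtp2_header(bsn, bib, fsn, fib, li, spare=0):
    """Pack the Q.703 header: BIB/BSN in byte 0, FIB/FSN in byte 1, spare/LI in byte 2."""
    return bytes([
        (bib << 7) | (bsn & 0x7F),
        (fib << 7) | (fsn & 0x7F),
        (spare << 6) | (li & 0x3F),
    ])


def decode_mtp2_header(frame):
    """Decode the three MTP2 header bytes the way the tshark output above shows them.

    Bit 7 of byte 0 is the backward indicator bit, bits 0-6 the backward sequence number;
    byte 1 holds the forward indicator bit and forward sequence number the same way;
    byte 2 carries the 6-bit length indicator with two spare bits on top.
    """
    if len(frame) < 3:
        raise ValueError("MTP2 frame needs at least 3 header bytes")
    b0, b1, b2 = frame[0], frame[1], frame[2]
    return {
        "bsn": b0 & 0x7F,
        "bib": b0 >> 7,
        "fsn": b1 & 0x7F,
        "fib": b1 >> 7,
        "li": b2 & 0x3F,
        "spare": b2 >> 6,
    }


# Constructed sample: a FISU (LI = 0) with the header values from the tshark output above.
SAMPLE_FISU = encode_mtp2_header(bsn=13, bib=1, fsn=56, fib=1, li=0)


def build_stream(frames, start_sec=1249936709):
    """Global header followed by one record per frame, one second apart (assumed timestamps)."""
    out = bytearray(pcap_global_header())
    for i, frame in enumerate(frames):
        out += pcap_record(frame, start_sec + i, 0)
    return bytes(out)


if __name__ == "__main__":
    # Usage: python3 mtp2_pcap_stdout.py | wireshark -k -i -
    sys.stdout.buffer.write(build_stream([SAMPLE_FISU]))
```

The global header is written before the first record, which is why wireshark can start dissecting as soon as the first frame arrives; a producer that buffers its output or writes the header late is the usual reason a live pipe appears to hang while a saved file opens fine.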

A few rough edges

Piping to wireshark/tshark works on all the *nixes, i.e. Linux, BSD, OS X, Solaris, but for some reason it doesn't work on Windows. On Windows, you have to save the pcap files and open them. I'm not sure why that is, but then again I rarely use Windows, so maybe there's some easy way around that. If someone knows, send me some mail, or comment.

Wireshark needs both the -i and -k switches for piping to work. That took me a while to figure out. Seems unnecessary.

On some older (as of August 2009) versions of wireshark, possibly in combination with older libraries, the "-i -" switch doesn't work, at least according to Google, even though the tshark version works. Both work fine for me on Debian Linux.


2 Responses to Capturing SS7 with wireshark or tshark

  1. Oh thanks, I was looking for this to make sure wireshark decodes SS7 protocols above MTP-2.
    So it decodes? Yeah?
    What do you think is the maximum and minimum capacity wireshark can support when it accepts packets from the probes?

    Thanks again

    • Sure, wireshark decodes many of the SS7 protocols above MTP-2. I mostly use it for looking at ISUP. Here’s a page with a screenshot of wireshark decoding ISUP.

      The wireshark wiki has a nice chart of a stack showing all the protocols people have implemented for it.

      I haven’t investigated performance. I wouldn’t expect it to be a problem. Wireshark can keep up with reasonably heavily loaded ethernet links, so a few channels of SS7 on an E1 should be no problem at all. I’ll try it next time I’m doing something related and report.
