MBIM wireshark dissector
Bjørn Mork
bjorn at mork.no
Tue Mar 25 03:24:41 PDT 2014
This might have been mentioned before, but if so then I have forgotten
all about it. And if I have forgotten, then maybe others have as well.
At least I can pretend that my memory isn't exceptionally much worse
than average... Anyway, repeating the info cannot harm.
I was looking at improving the simple LUA based QMI dissector Ilya made
a long time ago ( https://gist.github.com/ivoronin/2641557 ) when I
noticed that Pascal Quantin already has added a full featured MBIM
dissector. The comments indicate that this was made primarily for
dissecting USBPcap dumps on Windows8+, but it is properly plugged into
the usb dissector so it should work equally fine with usbmon dumps on
Linux. I couldn't make the control message dissection work in my quick
test just now, so this possibly needs some fixing first.
Still, the parts that do work are already really useful. Simple example
decoding the bulk data. Note the advantages of having the normal IP
dissector taking care of the IP packets inside the NTB:
Frame 44: 352 bytes on wire (2816 bits), 352 bytes captured (2816 bits) on interface 0
Interface id: 0 (usbmon2)
Encapsulation type: USB packets with Linux header and padding (115)
Arrival Time: Mar 25, 2014 11:14:26.779805000 CET
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1395742466.779805000 seconds
[Time delta from previous captured frame: 0.062996000 seconds]
[Time delta from previous displayed frame: 0.062996000 seconds]
[Time since reference or first frame: 0.660590000 seconds]
Frame Number: 44
Frame Length: 352 bytes (2816 bits)
Capture Length: 352 bytes (2816 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: usb:mbim:ip:ipv6:icmpv6:data]
USB URB
URB id: 0xffff880230e47ec0
URB type: URB_SUBMIT ('S')
URB transfer type: URB_BULK (0x03)
Endpoint: 0x01, Direction: OUT
0... .... = Direction: OUT (0)
.000 0001 = Endpoint value: 1
Device: 31
URB bus id: 2
Device setup request: not relevant ('-')
Data: present (0)
URB sec: 1395742466
URB usec: 779805
URB status: Operation now in progress (-EINPROGRESS) (-115)
URB length [bytes]: 288
Data length [bytes]: 288
[bInterfaceClass: Unknown (0xffff)]
Unused Setup Header
Interval: 0
Start frame: 0
Copy of Transfer Flags: 0x00000000
Number of ISO descriptors: 0
Mobile Broadband Interface Model
NCM Transfer Header
Signature: NCMH
Header Length: 12
Sequence Number: 9
Block Length: 288
NDP Index: 12
NCM Datagram Pointer
Signature: IPS0
IPS Session Id: 0
Length: 16
Next NDP Index: 0
Datagram Index: 184
Datagram Length: 104
Datagram: 6000000000403aff2a022121000197e3b87aeffffe8f0d00...
Datagram Index: 0
Datagram Length: 0
[Number Of Datagrams: 1]
[Total Number Of Datagrams: 1]
Internet Protocol Version 6, Src: 2a02:2121:1:97e3:b87a:efff:fe8f:d00 (2a02:2121:1:97e3:b87a:efff:fe8f:d00), Dst: 2001:4641::1 (2001:4641::1)
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000)
.... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
.... .... ...0 .... .... .... .... .... = ECN-CE: Not set
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 64
Next header: ICMPv6 (58)
Hop limit: 255
Source: 2a02:2121:1:97e3:b87a:efff:fe8f:d00 (2a02:2121:1:97e3:b87a:efff:fe8f:d00)
Destination: 2001:4641::1 (2001:4641::1)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Internet Control Message Protocol v6
Type: Echo (ping) request (128)
Code: 0
Checksum: 0x664d [correct]
Identifier: 0x3683
Sequence: 1
Data (56 bytes)
0000 02 57 31 53 00 00 00 00 e7 e0 0b 00 00 00 00 00 .W1S............
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567
Data: 0257315300000000e7e00b00000000001011121314151617...
[Length: 56]
Frame 46: 208 bytes on wire (1664 bits), 208 bytes captured (1664 bits) on interface 0
Interface id: 0 (usbmon2)
Encapsulation type: USB packets with Linux header and padding (115)
Arrival Time: Mar 25, 2014 11:14:26.809194000 CET
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1395742466.809194000 seconds
[Time delta from previous captured frame: 0.029302000 seconds]
[Time delta from previous displayed frame: 0.029302000 seconds]
[Time since reference or first frame: 0.689979000 seconds]
Frame Number: 46
Frame Length: 208 bytes (1664 bits)
Capture Length: 208 bytes (1664 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: usb:mbim:ip:ipv6:icmpv6:data]
USB URB
URB id: 0xffff880230e47380
URB type: URB_COMPLETE ('C')
URB transfer type: URB_BULK (0x03)
Endpoint: 0x82, Direction: IN
1... .... = Direction: IN (1)
.000 0010 = Endpoint value: 2
Device: 31
URB bus id: 2
Device setup request: not relevant ('-')
Data: present (0)
URB sec: 1395742466
URB usec: 809194
URB status: Success (0)
URB length [bytes]: 144
Data length [bytes]: 144
[Request in: 43]
[Time from request: 0.092385000 seconds]
[bInterfaceClass: Unknown (0xffff)]
Unused Setup Header
Interval: 0
Start frame: 0
Copy of Transfer Flags: 0x00000200
Number of ISO descriptors: 0
Mobile Broadband Interface Model
NCM Transfer Header
Signature: NCMH
Header Length: 12
Sequence Number: 25088
Block Length: 144
NDP Index: 12
NCM Datagram Pointer
Signature: IPS0
IPS Session Id: 0
Length: 16
Next NDP Index: 0
Datagram Index: 28
Datagram Length: 104
Datagram: 6000000000403a3a20014641000000000000000000000001...
Datagram Index: 0
Datagram Length: 0
[Number Of Datagrams: 1]
[Total Number Of Datagrams: 1]
Internet Protocol Version 6, Src: 2001:4641::1 (2001:4641::1), Dst: 2a02:2121:1:97e3:b87a:efff:fe8f:d00 (2a02:2121:1:97e3:b87a:efff:fe8f:d00)
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000)
.... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
.... .... ...0 .... .... .... .... .... = ECN-CE: Not set
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 64
Next header: ICMPv6 (58)
Hop limit: 58
Source: 2001:4641::1 (2001:4641::1)
Destination: 2a02:2121:1:97e3:b87a:efff:fe8f:d00 (2a02:2121:1:97e3:b87a:efff:fe8f:d00)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Internet Control Message Protocol v6
Type: Echo (ping) reply (129)
Code: 0
Checksum: 0x654d [correct]
Identifier: 0x3683
Sequence: 1
[Response To: 44]
[Response Time: 29.389 ms]
Data (56 bytes)
0000 02 57 31 53 00 00 00 00 e7 e0 0b 00 00 00 00 00 .W1S............
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567
Data: 0257315300000000e7e00b00000000001011121314151617...
[Length: 56]
The MBIM dissector is available in the wireshark v1.11+ development
releases.
Bjørn
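
The NTB layout visible in the dump above (an NCMH transfer header, then an IPS datagram pointer whose index/length pairs locate the IP packets) can be walked with a small bounds-checked parser. This is an added example, not part of the original message and not Wireshark's dissector code; the function names and the sample block are constructed, with header values taken from frame 46 and a placeholder in place of the real datagram.

```python
import struct

NTH16 = struct.Struct("<4sHHHH")  # signature, header len, sequence, block len, NDP index
NDP16 = struct.Struct("<3sBHH")   # "IPS", session id, NDP length, next NDP index
ENTRY = struct.Struct("<HH")      # datagram index, datagram length


class NtbError(ValueError):
    """Raised when a header field points outside the transfer block."""


def parse_ntb16(buf):
    """Return [(session_id, datagram_bytes), ...] from one 16-bit NTB."""
    if len(buf) < NTH16.size:
        raise NtbError("short NTH16")
    sig, hlen, _seq, blen, ndp_off = NTH16.unpack_from(buf, 0)
    if sig != b"NCMH" or hlen != NTH16.size:
        raise NtbError("bad NTH16 signature or header length")
    if blen < NTH16.size or blen > len(buf):  # strict: a zero block length is rejected too
        raise NtbError("block length outside transfer")
    out, seen = [], set()
    while ndp_off:
        if ndp_off in seen:
            raise NtbError("NDP chain loops")
        seen.add(ndp_off)
        if ndp_off < NTH16.size or ndp_off + NDP16.size > blen:
            raise NtbError("NDP index out of bounds")
        tag, session, nlen, next_off = NDP16.unpack_from(buf, ndp_off)
        if tag != b"IPS":
            raise NtbError("not an MBIM IP stream NDP")
        if nlen < NDP16.size + ENTRY.size or nlen % 4 or ndp_off + nlen > blen:
            raise NtbError("bad NDP length")
        for pos in range(ndp_off + NDP16.size, ndp_off + nlen, ENTRY.size):
            idx, dlen = ENTRY.unpack_from(buf, pos)
            if idx == 0 or dlen == 0:
                break  # the 0/0 pair terminates the pointer list
            if idx < NTH16.size or idx + dlen > blen:
                raise NtbError("datagram outside block")
            out.append((session, bytes(buf[idx:idx + dlen])))
        ndp_off = next_off
    return out


def build_sample():
    # Constructed block using frame 46's header values; the datagram is a placeholder.
    datagram = b"\x60" + bytes(103)
    nth = NTH16.pack(b"NCMH", 12, 25088, 144, 12)
    ndp = NDP16.pack(b"IPS", 0, 16, 0) + ENTRY.pack(28, 104) + ENTRY.pack(0, 0)
    return nth + ndp + datagram + bytes(12)
```

Every index and length in the block is device-supplied, so each one is checked against the block length before it is used to slice the buffer.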