ISO 8583 Financial transaction card originated messages — 'Interchange message specifications' is the International Organization for Standardization standard for systems that exchange electronic transactions made by cardholders using payment cards. The ISO8583 standard specifies a message format that describes credit card and debit card data that is exchanged between devices and card issuers.
The ISO 8583-1 dissector is available in the current Wireshark master branch. As of 2016-03-02 it supports:
|ISO 8583 version||Wire protocol||Status||File|
|ISO 8583-1:1987||0x01||aprox. 70%||epan/dissectors/packet-iso8583.c|
|ISO 8583-1:1993||0x02||aprox. 70%||epan/dissectors/packet-iso8583.c|
There are some challenges to build a dissector for this message specification. The first one is that it’s not a network protocol, that is, it covers only the message format, so the messages are usually transmitted preceded by a TPDU chosen by whoever was responsible to implement the communication.
TCP: Typically, ISO 8583-1 uses TCP as its transport protocol. There is no IANA port reserved for it and it must be configured in the Preferences window. Usually the ISO 8583-1 message is preceded by a 2 bytes length TPDU when used with TCP. This implementation covers exactly this type of implementation accepting big endian and little endian for this length field.
Encoding: Different encoding could be used for numeric, binary or string fields. This dissector supports numeric values represented as ASCII digits ('0' - '9') or numeric values inside nibbles. Binary data could be encoded as ASCII Hex digits ('0' - '9' 'A' - 'F') or as raw data (no encoding). String fields are ASCII encoded.
The SampleCaptures page has example capture files.
You need to change the default port (0) to something like 5070. ISO 8583 TCP port in the user's preferences file (~/.wireshark/preferences):
# ISO 8583-1 TCP port if other than the default # A decimal number iso8583.tcp.port: 5070
On the Preferences Window you can also select the encoding for Numeric and Binary data and also the endianness of the 2 byte length TPDU.
A complete list of ISO 8583-1 display filter fields can be found in the display filter reference or listed with the following command:
tshark -G fields | grep -i iso8583
Show only the iso8583-1 based traffic:
P ISO 8583-1 iso8583 F Message length iso8583.len FT_UINT16 iso8583 BASE_DEC 0x0 Message length field F MTI iso8583.mti FT_STRING iso8583 0x0 Message Type Idicator (MTI) F Bitmap 1 iso8583.map1 FT_STRING iso8583 0x0 First Bitmap (hex representation) F Bitmap 2 iso8583.map2 FT_STRING iso8583 0x0 Second Bitmap (hex representation) (.. lots of output ..)
You cannot directly filter ISO 8583-1 messages while capturing. However, if you know the TCP port used (see above), you can filter on that one.
Capture only the ISO 8583-1 traffic over the port (5070):
tcp port 5070
Check the output of the following command:
$ tshark -G protocols | grep -i iso8583 ISO 8583-1 ISO 8583 iso8583
You may have to go to the Preferences to change the default port associated with the ISO 8583-1 dissector. The dissector ships with port 0 as the default port and you should configure the correct port where is your traffic. See the Preferences Settings section above.
Other problems are related with the encoding of the messages. Make sure how the numeric fields and binary data are encoded and select the options accordingly.
The last thing you want to make sure is if your message has a 2 byte length preceding it and if the endianness is the same configured in the Preference Window.
Imported from https://wiki.wireshark.org/ISO8583-1 on 2020-08-11 23:15:29 UTC