Reading Tektronix K12xx/K15/K18 .rf5 files

Wireshark supports reading most Tektronix rf5 files generated with the k12 and k15 Protocol Analyzers.

The code in the trunk has some support for files from k18 analyzers, based on the file attached to bug 9455. This change is included in Wireshark versions 1.12.0 and later. If that version still doesn't handle it, file another bug on the Wireshark Bugzilla, and attach the capture file, so that more reverse-engineering can be done.

In order to be able to read an rf5 file you need to instruct Wireshark regarding the contents of the file.

The k1x Protocol analyzers use .stk files to describe the payload to be found in each interface. These contain information about the protocol stack to be found in a certain channel (or port). Wireshark k1x support does not read these files (yet), but it needs to know which encapsulation protocol (SSCOP, LLC, MTP2, IUUP, X.25, etc...).

In order to decode the contents of an rf5 file wireshark uses a table that relates (a part of) the name of the stack file to the lowest protocol n the stack.

Editing the stack-to-protocol table

You can edit the table by going to Preferences->Protocols->k12xx and clicking Edit... to edit the 'K12 protocols' table.

There you can add the stack-to-protocol mappings.

Add an entry to the table and set match to an identifying part of the stk filename, and set protos to the lowest layer protocol in packets using that stack.

Examples entries

match protos
sigtran eth_withoutfcs
isup mtp2
gsm mtp2
aal2l3 sscop:alcap
umts_iu sscop:sscf-nni
gprs_gb fr

Known Bugs




Imported from https://wiki.wireshark.org/K12 on 2020-08-11 23:15:42 UTC