This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 10 and 11
Revision 10 as of 2008-12-12 21:13:22
Size: 3838
Editor: stemplar
Revision 11 as of 2008-12-12 21:44:56
Size: 4975
Editor: stemplar
Digital Imaging and Communications in Medicine (DICOM)

Wikipedia has a very good high-level description of DICOM, and the protocol specifications can be found at the DICOM Homepage. This page focuses on Wireshark-specific topics.

History

XXX - add a brief description of DICOM history

Protocol dependencies

  • TCP: Typically, DICOM uses TCP as its transport protocol. The well-known TCP port for DICOM traffic is 104.

Example traffic

The following screenshot shows a DICOM communication containing a C-ECHO followed by a C-STORE request.

dicom_assoc_accept.png

The accepted or rejected presentation contexts are decoded, to quickly identify negotiation issues.

Wireshark

Starting with Wireshark 1.1.xx, the DICOM dissector has many new features.

  • It should reassemble almost all PDUs
  • It supports multiple PDVs per PDU
  • It decodes all tags defined in the 2008 standard
  • It adds 'Expert Infos', if Associations are aborted or if
  • It supports exporting captured DICOM objects as files
  • UIDs are shown in clear text

DICOM Export

First make sure you have a valid DICOM capture, including the Association Request. Then select File -> Export -> Objects -> DICOM.

Conformance statement

For the DICOM Export, the following UIDs are used. Since the SOP Class UID (0008,0016) and SOP Instance UID (0008,0018) are mandatory elements in the meta header, they are created if needed.

  • Implementation UID (0002,0012): 1.2.826.0.1.3680043.8.427.10
  • Artificial Media Storage SOP Class UID for exported command PDVs: 1.2.826.0.1.3680043.8.427.11.1
  • Artificial Media Storage SOP Instance UID for exported command PDVs: 1.2.826.0.1.3680043.8.427.11.2.nn.m

Preference Settings

The following settings are available to influence DICOM dissection and its data display.

dicom_default_pref.png

  • DICOM Ports: Comma-separated list of TCP ports to decode. A range can also be specified. Example: 104, 3200, 50000-51000

  • Search on any TCP Port: When enabled, the DICOM dissector will parse all TCP packets not handled by any other dissector and look for an association request. This is disabled by default, to preserve resources for the non-DICOM community. If you frequently look at DICOM traffic, enable this setting. If, despite this being enabled, the communication is still not recognized as a DICOM stream, add the TCP port to the list above.

  • Create Meta Header on Export: For exported PDUs, create a DICOM File Meta Header according to part 10. If the captured PDV does not contain a SOP Class UID and SOP Instance UID (e.g. for command PDVs), Wireshark-specific ones will be created. Meta headers are common nowadays.

  • Min. item size in bytes to export: Do not show items below this size in the export list. Set it to 0, to see DICOM commands and responses in the list. Set it higher, to just export DICOM IODs (i.e. CT Images, RT Structures). DICOM commands are prefixed with a Meta Header as well.

  • Create subtrees for Sequences and Items: This is a matter of personal taste. If enabled, sequences and items are shown in a hierarchy, as shown next. Since IODs can span multiple PDUs, sequence items in subsequent PDUs may appear as root objects. For a few items, the contained tags are summarized and shown as an item description. Deselect this option if you prefer a flat display, or e.g. when using TShark to create a text output.

dicom_seq_tree.png

  • Create subtrees for DICOM Tags: This is a matter of personal taste. By default it is disabled, as it does not add much information. However, if you want to see the detailed tag decoding or, more importantly, if you want to search for very specific DICOM attributes, enable this setting.

dicom_tag_tree.png
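
The "Search on any TCP Port" setting depends on recognizing an association request at the start of an otherwise unknown TCP stream. The following is an added example, not Wireshark's own dissector code, of such a check based on the fixed A-ASSOCIATE-RQ layout from DICOM PS3.8; the function names, AE titles and sample payloads are constructed for illustration.

```python
import struct

# Fixed part of an A-ASSOCIATE-RQ PDU (DICOM PS3.8): type 0x01, reserved byte,
# 4-byte big-endian length, protocol version, 2 reserved bytes,
# called AE title (16), calling AE title (16), 32 reserved bytes = 74 bytes.
FIXED = struct.Struct(">BxIH2x16s16s32x")
APP_CONTEXT_ITEM = 0x10  # first variable item in a well-formed request


def parse_assoc_rq(payload: bytes):
    """Return AE titles if payload starts a plausible A-ASSOCIATE-RQ, else None."""
    if len(payload) < FIXED.size:
        return None
    pdu_type, pdu_len, version, called, calling = FIXED.unpack_from(payload)
    # pdu_len counts everything after the 6-byte type/reserved/length prefix,
    # so it can never be smaller than the remaining 68 fixed bytes.
    if pdu_type != 0x01 or pdu_len < FIXED.size - 6 or not version & 0x0001:
        return None
    try:
        titles = [t.decode("ascii") for t in (called, calling)]
    except UnicodeDecodeError:
        return None
    # AE titles are space-padded printable ASCII; binary noise fails here.
    if not all(t.isprintable() and t.strip() for t in titles):
        return None
    if len(payload) > FIXED.size and payload[FIXED.size] != APP_CONTEXT_ITEM:
        return None
    return {"called_ae": titles[0].strip(), "calling_ae": titles[1].strip(),
            "pdu_length": pdu_len}


def build_sample_rq() -> bytes:
    """Constructed sample: a minimal request with only the application context item."""
    uid = b"1.2.840.10008.3.1.1.1"  # DICOM application context name
    item = struct.pack(">BxH", APP_CONTEXT_ITEM, len(uid)) + uid
    body = struct.pack(">H2x16s16s32x", 1, b"STORESCP".ljust(16),
                       b"MODALITY1".ljust(16)) + item
    return struct.pack(">BxI", 0x01, len(body)) + body


if __name__ == "__main__":
    print(parse_assoc_rq(build_sample_rq()))
    print(parse_assoc_rq(b"GET / HTTP/1.1\r\nHost: example.test\r\n" + b"A" * 60))
```

Run over the first payload of each TCP stream, a check like this flags DICOM associations on ports missing from the DICOM Ports list, which can then be added there.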

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of DICOM display filter fields can be found in the display filter reference.

  • Show only the DICOM based traffic:
     dicom

Capture Filter

You cannot directly filter DICOM protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.

  • Capture only the DICOM traffic over the default port (104):
     tcp port 104

Discussion

Protocols/dicom (last edited 2010-04-06 21:25:33 by GuyHarris)