
tshark -e output - how to bind value to a protocol container?


Hello,

I'm using tshark to decode a protocol where I want to map the values of one attribute to the values of another by using the -T fields option and a -e flag for both attributes. The problem I have is that a single IP packet in this case can have multiple instances of this same protocol in the stack, and one of those two attributes doesn't have to be present in both messages in the single packet, so the output I get for some packets will be:

a,a b

My problem is that tshark's output seems to have no way to clarify if the first "a" attribute was in the same protocol container as b, or if it was the second "a" in the same protocol container as b.

The only solution I've been able to come up with so far for this is to use the pdml output option instead of -T fields, output the file and use XML parsing to map the protocol containers out. That got me out of a tight spot but it's extremely inefficient on resources and I'm thinking there's just got to be a better way. I'm not sure if I'd have to build a smarter script by experimenting with Lua or something but I'm hoping as much as possible that tshark has some way to accomplish this more easily as I'm just looking for the container mappings.

asked 23 May '13, 21:00


Quadratic


2 Answers:


My problem is that tshark's output seems to have no way to clarify if the first "a" attribute was in the same protocol container as b,

Please use a different aggregator character.

tshark -nr input.pcap -T fields -e flag -e flag -E 'aggregator=;' -E separator=,

The output should then look similar to this:

a;;,a;b

You will be able to parse that, due to the empty field (;;).

See tshark -E ? for more options.

Regards
Kurt

answered 24 May '13, 02:07


Kurt Knochner ♦

edited 24 May '13, 02:08

Kurt, that would only help if both fields are always present (and are sometimes empty). However, if one of the fields is not present in one of the containers, you will still get:

a,a;b

Please also take a look at my answer to this question

(24 May '13, 02:38) SYN-bit ♦♦

Ah ... right. If the field does not exist (instead of being empty), it won't work that way. Sorry, I don't have a solution for that case.

Probably what you suggested in the other question (MATE, Lua or PDML parsing?)...

(24 May '13, 05:40) Kurt Knochner ♦

Thanks for the comments, but yes I think the only solution here will be for me to bite the bullet and recompile Wireshark with Lua, learn Lua, and write something that will match up those containers.

(25 May '13, 13:51) Quadratic

Can you post a sample capture file with a packet where all fields are present and then one packet where some fields are not there?

(27 May '13, 23:25) Kurt Knochner ♦

Sorry Kurt but I cannot as those packets are sensitive.

(31 May '13, 20:20) Quadratic

Just an update I thought I'd leave on this one. I found a slightly better solution to PDML - I just used the -O output of the protocol containers as input into a perl script that took care of the mappings. It's not perfect but it's far more efficient than PDML as it's quite a bit less text to print and parse.

(11 Jun '13, 21:23) Quadratic
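The two behaviours discussed in this answer and its comments can be seen in a small parser. The following is an added example (not code from the answer above or from the Wireshark project) that reads a line of tshark -T fields output produced with -E separator=, -E aggregator=; for two -e fields, binds the occurrences of the first field to those of the second container by container, and flags the case SYN-bit describes, where a field is absent (not merely empty) in one container so the occurrence lists no longer line up. It assumes, as the answer does, that a present-but-empty occurrence appears as an empty string between aggregators.

```python
# Added example: pair up per-container field occurrences from tshark
# "-T fields -E separator=, -E aggregator=;" output with two -e columns.
# Sample lines below are constructed, not real capture output.

SEPARATOR = ","    # between the two -e columns (-E separator=,)
AGGREGATOR = ";"   # between occurrences of one field (-E aggregator=;)


def split_occurrences(column, aggregator=AGGREGATOR):
    """Split one -e column into its per-occurrence values.

    An entirely empty column means the field matched no container at all
    (a single present-but-empty occurrence is indistinguishable from this).
    """
    return column.split(aggregator) if column != "" else []


def pair_fields(line, separator=SEPARATOR, aggregator=AGGREGATOR):
    """Return (pairs, ambiguous) for one output line.

    pairs     - list of (first_field, second_field) tuples, one per container,
                valid only when every container emitted both fields.
    ambiguous - True when the occurrence counts differ, i.e. one field was
                missing from some container and the binding cannot be recovered
                from -T fields output alone (the caveat raised in the comments).
    """
    columns = line.rstrip("\n").split(separator)
    if len(columns) != 2:
        raise ValueError("expected two -e columns, got %d" % len(columns))
    first = split_occurrences(columns[0], aggregator)
    second = split_occurrences(columns[1], aggregator)
    if len(first) != len(second):
        return [], True
    return list(zip(first, second)), False


if __name__ == "__main__":
    # Constructed samples: both fields present in both containers, the second
    # field empty in the first container, and the second field absent from one.
    for sample in ("a1;a2,b1;b2", "a1;a2,;b2", "a1;a2,b2"):
        print(sample, "->", pair_fields(sample))
```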


We have had the same problem. As a short answer, you can't! Using -T fields there is no way to do this. With -T pdml you can achieve your goal, but that is not efficient.

We have worked on a solution, which preserves the protocol tree. It creates separate entries in output for each set.

In the following photos, you can see an example. In the first photo there are two SCTP chunks on top of the IP layer. There are cases where there are 4 chunks on top of the IP layer (second photo).

Photo 1: (screenshot of the protocol tree; image not preserved in the archive)

In these cases, our solution returns 2 (4 for the second example) datasets, one for the blue set and one for the red set, consisting of the values from all protocols (frame;eth;ip;sctp;m3ua;SCCP;TCAP;GSM-MAP; x 2).

We believe this feature is needed more often but is not mentioned in the community; we would really appreciate it if you could submit an enhancement request in the bugzilla-thingy, and if this feature is accepted, we can then submit our solution more easily, as it is now not a wildly popular request and we are afraid it would be rejected.

Photo 2: (screenshot of the protocol tree with four chunks; image not preserved in the archive)

answered 11 Jul '16, 02:22


arashdalir

edited 11 Jul '16, 02:23