dissect_diameter_avp

Hi everyone, I'm using tshark to decode the AVPs of a Diameter file with this command:

tshark -r Diameter.pcap -T fields -e "diameter.Subscription-Id" >/dev/null 2>&1

"diameter.Subscription-Id" is just to make sure that tshark goes through the AVP dissector and I can get the values of all AVPs. The size of the file is about 800 MB, so it takes time with output printed on screen and runs at 100% CPU. So I changed the command:

tshark -r Diameter.pcap >/dev/null 2>&1

This way, it's faster but tshark doesn't go through some AVPs. I tried to read the source code and found the difference between the two commands:

dissect_diameter_avp(...)
{
  ....
  avp_str = a->dissector_rfc(c,a,subtvb, diam_sub_dis_inf); 
  ....
}

Tshark goes to dissector_rfc in both cases, but with the first command avp_str has a value while it is NULL with the second command. I tried to find how dissector_rfc works but found nothing in the source code. So please help if you have experience with the source code:

  • How can I find the definition of dissector_rfc in the source code? That way, I can change the code to make avp_str not NULL with the second command.
  • Is it possible to force tshark to go through the AVPs without printing output (to make it faster)?