how to tshark mms packets which are ISO/FDIS 9506-2

The solution is to use the preference files in ~/.wireshark

When you add a user context entry in the Wireshark GUI, it appears in the file ~/.wireshark/pres_context_list (or if you use a profile, in ~/.wireshark/profiles/PROFILENAME/pres_context_list). These are automatically picked up by tshark.

In tshark, you can use a profile by setting the -C PROFILENAME command line options.

The pres_context_list file contains the table in the following format:

# This file is automatically generated, DO NOT MODIFY.
"3","1.0.9506.2.1"

You can use a script to populate this table, in a profile if you want to keep out from wireshark preferences:

mkdir -p ~/.wireshark/profiles/tshark-mms
echo "\"3\",\"1.0.9506.2.1\"" >> ~/.wireshark/profiles/tshark-mms/pres_context_list

Then, run tshark with:

tshak -C tshark-mms -r d:sg1.pcap -V -T text > d:sg1.txt

I waanted to do exactly the same thing, and it worked for me. Adjust the values in the table for your specific case. You can find the mapping between the identifier 3 and 1.0.9506.2.1 (that's what I have in my specific case) using the following steps:

• start the capture before the MMS session starts
• Start the MMS session on the network
• Stop the capture
• Look at the very first MMS message captured (you can use the Filter TCP stream feature to locate it easily, the protocol column in wireshark must show "MMS")

• The mapping can be found in:

  • the pres protocol "ISO 8823 OSI Presentation Protocol"
  • pres.cptype: "CP-type"
  • pres.normal_mode_parameters: "normal-mode-parameters"
  • pres.presentation_context_definition_list: "presentation-context-definition-list: 2 items"
  • one of pres.Context_list_item: "Context-list item"

Look at pres.presentation_context_identifier and pres.abstract_syntax_name. These are the two columns of the context list table.