Getting specific fields from packets

asked 2019-11-12 19:59:28 +0000

menticol
9 ●4 ●10 ●9

updated 2019-11-12 20:48:50 +0000

Guy Harris
19890 ●3 ●659 ●207

Hey guys!

I currently have a huge .pcap file that shows the following information after applying the filter gtp.message == 0x10

197 1.748402 201.144.195.25 201.157.107.1 GTP 216 Create PDP context request
771 6.475531 201.144.195.86 201.157.107.1 GTP 216 Create PDP context request
809 6.640840 201.134.179.88 201.157.107.1 GTP 224 Create PDP context request
177 14.61336 201.144.195.86 201.157.107.1 GTP 216 Create PDP context request
212 17.48780 201.134.179.86 201.157.107.1 GTP 221 Create PDP context request

...plus hundreds and hundreds more.

When you check inside each packet, there's are some values I'm looking for:

e212.imsi
e164.msisdn
gtp.lac
gtp.sai_sac

I need to extract these values for each "Create PDP context request" packet displayed. The problem is, doing it manually is extremely time-consuming and my right-hand hurts at this point (NSFW not intended).

Is there a way on which I could make a batch script or filter to recursively extract the e212.imsi and other fields found inside each "Create PDP context request" packet?

Thank you very much!

PS: Sorry for the absence of screenshots, the platform doesn't allow me to use them yet.

answered 2019-11-12 20:12:01 +0000

cmaynard

11115 ●11 ●317 ●165 https://www.igt.com/

updated 2019-11-13 00:13:53 +0000

I would recommend using tshark for this purpose. For example:

tshark -r huge.pcap -Y "gtp.message == 0x10" -T fields -E header=y -E separator=, -E quote=d -e frame.number -e e212.imsi -e e164.msisdn -e gtp.lac -e gtp.sai_sac > huge.csv

Add as many fields as you need using -e.

EDIT I changed the separator from a tab to a comma, which is what I originally intended for a .csv file.

edit flag offensive delete link

Comments

Note that depending on the shell used you may have to quote some of the arguments, e.g. -E "header=y"

grahamb ( 2019-11-12 21:14:23 +0000 )edit

Thank you very much Cmaynard and Grahamb by your answers!

I'm trying the commands now, following this syntaxis:

C:\Program Files\Wireshark>tshark -r "C:\Capturas\20191111_14_45-MIRR-BKP.pcap" -Y "gtp.message == 0x10" -T fields -E "header=y" -E "separator=," -E "quote=d" -e "frame.number" -e "e212.imsi" -e "e164.msisdn" -e "gtp.lac" -e "gtp.sai_sac" > "C:\Capturas\huge.csv"

EDIT1: I was having trouble with a message error "tshark: The file [filename] appears to have been cut short in the middle of a packet." but realized it does not interfere with the command inner workings.

EDIT 2: I only changed the separator from \t to , to be able to open the csv on MS Excel without any further steps.

EDIT3: I'm trying to upvote your answer but the system does require >15 pts to allow it.

I really appreciate your help uys!!

menticol ( 2019-11-12 22:30:18 +0000 )edit

You don't upvote an answer that has solved your issue, you accept it by clicking the checkmark icon to the left of it.

This also helps other folks with the same issue to quickly see which answer was most helpful.

grahamb ( 2019-11-13 07:49:09 +0000 )edit

This looks really cool!

When I want to extract data from a pcap file, I would apply the specific field as a column and then File > Export Packet Dissections > As CSV.

yash.rohilla ( 2019-11-26 15:42:33 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Getting specific fields from packets

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Getting specific fields from packets edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Getting specific fields from packets