Ask Your Question
0

Getting specific fields from packets

asked 2019-11-12 19:59:28 +0000

menticol gravatar image

updated 2019-11-12 20:48:50 +0000

Guy Harris gravatar image

Hey guys!

I currently have a huge .pcap file that shows the following information after applying the filter gtp.message == 0x10

  • 197 1.748402 201.144.195.25 201.157.107.1 GTP 216 Create PDP context request
  • 771 6.475531 201.144.195.86 201.157.107.1 GTP 216 Create PDP context request
  • 809 6.640840 201.134.179.88 201.157.107.1 GTP 224 Create PDP context request
  • 177 14.61336 201.144.195.86 201.157.107.1 GTP 216 Create PDP context request
  • 212 17.48780 201.134.179.86 201.157.107.1 GTP 221 Create PDP context request

...plus hundreds and hundreds more.

When you check inside each packet, there's are some values I'm looking for:

  • e212.imsi
  • e164.msisdn
  • gtp.lac
  • gtp.sai_sac

I need to extract these values for each "Create PDP context request" packet displayed. The problem is, doing it manually is extremely time-consuming and my right-hand hurts at this point (NSFW not intended).

Is there a way on which I could make a batch script or filter to recursively extract the e212.imsi and other fields found inside each "Create PDP context request" packet?

Thank you very much!

PS: Sorry for the absence of screenshots, the platform doesn't allow me to use them yet.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2019-11-12 20:12:01 +0000

cmaynard gravatar image

updated 2019-11-13 00:13:53 +0000

I would recommend using tshark for this purpose. For example:

tshark -r huge.pcap -Y "gtp.message == 0x10" -T fields -E header=y -E separator=, -E quote=d -e frame.number -e e212.imsi -e e164.msisdn -e gtp.lac -e gtp.sai_sac > huge.csv

Add as many fields as you need using -e.

EDIT I changed the separator from a tab to a comma, which is what I originally intended for a .csv file.

edit flag offensive delete link more

Comments

Note that depending on the shell used you may have to quote some of the arguments, e.g. -E "header=y"

grahamb gravatar imagegrahamb ( 2019-11-12 21:14:23 +0000 )edit

Thank you very much Cmaynard and Grahamb by your answers!

I'm trying the commands now, following this syntaxis:

C:\Program Files\Wireshark>tshark -r "C:\Capturas\20191111_14_45-MIRR-BKP.pcap" -Y "gtp.message == 0x10" -T fields -E "header=y" -E "separator=," -E "quote=d" -e "frame.number" -e "e212.imsi" -e "e164.msisdn" -e "gtp.lac" -e "gtp.sai_sac" > "C:\Capturas\huge.csv"

EDIT1: I was having trouble with a message error "tshark: The file [filename] appears to have been cut short in the middle of a packet." but realized it does not interfere with the command inner workings.

EDIT 2: I only changed the separator from \t to , to be able to open the csv on MS Excel without any further steps.

EDIT3: I'm trying to upvote your answer but the system does require >15 pts to allow it.

I really appreciate your help uys!!

menticol gravatar imagementicol ( 2019-11-12 22:30:18 +0000 )edit

You don't upvote an answer that has solved your issue, you accept it by clicking the checkmark icon to the left of it.

This also helps other folks with the same issue to quickly see which answer was most helpful.

grahamb gravatar imagegrahamb ( 2019-11-13 07:49:09 +0000 )edit

This looks really cool!

When I want to extract data from a pcap file, I would apply the specific field as a column and then File > Export Packet Dissections > As CSV.

yash.rohilla gravatar imageyash.rohilla ( 2019-11-26 15:42:33 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-11-12 19:59:28 +0000

Seen: 1,444 times

Last updated: Nov 13 '19