Ask Your Question
0

Tshark -Y syntax usage

asked 2020-03-03 00:43:21 +0000

menticol gravatar image

updated 2020-03-03 15:16:18 +0000

grahamb gravatar image

Hey guys! I'm using tshark as part of a batch process to examine hundreds of .pcap files.

Let me show you some examples of what I'm trying to do:

Goal: Show all packets related with the 444 event

"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Pcap\20200301_00_00-DCCS-ONE.pcap" -Y "diameter.avp.code == 444" -T fields -E header=y -E "separator=~",  -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi>"C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Csv\20200301_00_00-DCCS-ONE.pcap.csv"

Result: Works ok!

Goal: Show me all packets if smpp.command_id == 0x00000004 and smpp.command_id==0x00000004 or smpp.command_id==0x80000004

"-Y \"(smpp.command_id==0x00000004)||(smpp.command_id==0x80000004)||(smpp.command_id==0x00000005)||(smpp.command_id==0x80000005)\" -T fields -E header=y -E \"separator=|\",  -e frame.number -e frame.time -e smpp.sequence_number -e smpp.message_id -e _ws.col.Info -e smpp.source_addr_ton -e smpp.source_addr -e tcp.srcport -e ip.src -e smpp.dest_addr_ton -e smpp.destination_addr -esmpp.sm_length -e smpp.command_status -e tcp.dstport -e ip.dst >\""

Result: Works ok!

Goal: show me all packets that have diameter.avp.code == 444 AND ALSO e212.imsi == "334110120002361"

-Y "(diameter.avp.code == 444)" -Y "(e212.imsi == "334110120002361")" - T fields -E header=y -E "separator=~",  -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi

Result: FAIL it will return all packets that satisfy either one of the conditions, like an "OR" switch

Let's try with this

-Y "(diameter.avp.code == 444 && e212.imsi == "334110120002361")"

Result: FAIL Unknown command. The problem's located between the keyboard and the chair. Get out!

How can a build an AND connector for the tshark command line?

Thank you very much guys!

edit retag flag offensive close merge delete

Comments

Are getting a syntax error when using && or just no packets returned?
If no packets, have you verified that there is a packet that's meeting both criteria?
Do you have access to the Wirehark GUI to test the filter expression?

Chuckc gravatar imageChuckc ( 2020-03-03 01:07:08 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-03-03 04:02:14 +0000

Jim Young gravatar image

It appears that you are working in a Windows cmd shell. It looks to be a quoting issue.

Did you try?

-Y "diameter.avp.code == 444 && e212.imsi == \"334110120002361\""

Not having a trace file like yours to test against I couldn't prove it provides your answer, but on my Windows system this filter did not cause an error.

Also when I tested with multiple -Y entries it does not appear to "OR" the two -Y filters. Instead only the last -Y filter gets applied.

Compare:

tshark -r MYCAP -Y "frame.number<5" -Y "frame.number<10"

with:

tshark -r MYCAP -Y "frame.number<10" -Y "frame.number<5"

edit flag offensive delete link more

Comments

Almost certainly quoting the arguments is the issue. If you need double quotes in the argument then you can quote the whole parameter in single quotes, e.g.

'a single quoted thing with a "double quoted" part'
grahamb gravatar imagegrahamb ( 2020-03-03 15:18:58 +0000 )edit

Thank you very much Jim, your solution worked like a charm. Sorry for the backslashes, these were a remain from the java program that is generating the batch files.

For everyone's reference, the working query is this:

-Y "diameter.avp.code == 444 && e212.imsi == "334110120002361"" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi

Before marking the thread as closed, I have a small question please. I wonder why the diameter avp code is not quoted, but e21.imsi should be quoted?

PS: Also thanks for your contribution Graham and Bubbasnmp

menticol gravatar imagementicol ( 2020-03-03 17:12:07 +0000 )edit

https://www.wireshark.org/docs/dfref/...

diameter.avp.code   AVP Code    Unsigned integer, 4 bytes



https://www.wireshark.org/docs/dfref/...

e212.imsi   IMSI                     Character string


It is a string field.

Chuckc gravatar imageChuckc ( 2020-03-03 18:20:17 +0000 )edit

@grahamb, does "double quotes within single quotes" work in Windows command-line interpreters? It's a common trick in UN*X shells, but does it also work with cmd.exe and PowerShell? (Where are the quoting rules in cmd.exe documented on docs.microsoft.com?)

Guy Harris gravatar imageGuy Harris ( 2020-03-03 18:23:46 +0000 )edit

@Guy Harris

Good catch, PowerShell does work with double quotes within single quotes (or vice-versa) but Cmd only handles single in double.

The PowerShell quoting rules are here, for those odd occasions when I have to use Cmd I usually pick an external site, e.g. here.

grahamb gravatar imagegrahamb ( 2020-03-03 19:37:04 +0000 )edit
0

answered 2020-03-13 19:50:46 +0000

menticol gravatar image

updated 2020-03-14 14:02:44 +0000

grahamb gravatar image

To expand the answer a little more and for future reference, I leave you with the working examples I made using your suggestions:

"C:\Program Files\Wireshark\tshark"
-r "C:\Temp\172.27.242.215\Pcap\20191101_00_15-MIRR-BKP.pcap"
-Y "(gsm_old.localValue==46)&&(e164.msisdn=="525588420125")||(gsm_sms.tp-da=="5588420125")||(e164.msisdn=="526682370037")||(gsm_sms.tp-da=="6682370037")"
-T fields -E header=y -E "separator=~",
-e frame.number -e frame.time -e smpp.sequence_number -e smpp.message_id -e _ws.col.Info -e tcap.tid -e tcap.otid -e e164.msisdn -e gsm_sms.tp-da -e gsm_sms.sms_text
>"C:\Temp\172.27.242.215\Csv\20191101_00_15-MIRR-BKP.pcap.csv"

The parenthesis can also be used for single parameters

"C:\Program Files\Wireshark\tshark"
-r "C:\Temp\172.27.242.215\Pcap\20191104_11_55-MIRR-BKP.pcap"
-Y "(tcap.tid=="85:64")"
-w "C:\Temp\172.27.242.215\Csv\20191104_11_55-MIRR-BKP_caso_2.pcap" -F pcap

Thank you again Jim, grahamb and bubbasnmp for you input guys, without your help my project would have failed.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-03-03 00:43:21 +0000

Seen: 1,641 times

Last updated: Mar 14 '20