Tshark: Get multiple occurrences with same field value
Hi guys!
Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.
Let's say I have 330 packages inside a .pcap file, from which I'm showing you the first three.
No. | Time | Source | Destination | Protocol | Length | Info
1 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
2 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
3 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
Now let's expand packet number one.
Diameter Protocol
Version: 0x01
... (tens of lines deleted to save post space) ...
AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
... (tens of lines deleted to save post space) ...
AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
OK! The Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside of it:
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP Code: 456 Multiple-Services-Credit-Control
AVP Flags: 0x40, Mandatory: Set
AVP Length: 104
Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…
Now let's click the 000001be400000440000 node:
AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)
And then click the last node... OK, this is getting really tedious. You got the idea: you need to go five levels down to reach the treasure. Here it is:
AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25
At this point it seems very easy! Just make a .bat script with the following content, and I would get all values for all packages inside my multiple .pcap files:
"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "diameter.3GPP-Reporting-Reason == 2 && diameter.avp.code == 421 && diameter.avp.code == 432 && (e212.imsi == 334110010009868 || e212.imsi == 334110010009869)" -T fields -E header=y -E separator=~ -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e ...
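The tree above shows why the values sit "five levels down": Multiple-Services-Credit-Control(456) is a grouped AVP whose data is itself a sequence of AVPs, one of which (Used-Service-Unit(446)) is grouped again. The following is an added example, not code from the post or from Wireshark: a small RFC 6733 AVP walker in Python that decodes that nesting from a constructed byte string. The layout (code, flags, 3-byte length, optional Vendor-ID, data padded to 4 bytes) and the AVP codes are the ones visible in the post's tree; the two MSCC occurrences and their counter values are made up, but they are built to the same lengths (l=104 with a Used-Service-Unit of l=68) and the first 24 bytes of data match the hex shown for the first MSCC. The parser validates every length field before slicing, so a truncated or oversized AVP raises instead of reading past the buffer.

```python
import struct

# AVP codes and vendor id as shown in the Wireshark tree in the post
VENDOR_3GPP = 10415          # displayed as vnd=TGPP
MSCC, USU, RATING_GROUP, REPORTING_REASON = 456, 446, 432, 872
CC_TIME, CC_TOTAL, CC_INPUT, CC_OUTPUT = 420, 421, 412, 414
FLAG_VENDOR, FLAG_MANDATORY = 0x80, 0x40


def encode_avp(code, data, vendor=None):
    """Build one AVP per RFC 6733: code(4) flags(1) length(3) [vendor(4)] data.
    The length counts header + data but not the padding to a 4-byte boundary."""
    flags = FLAG_MANDATORY | (FLAG_VENDOR if vendor is not None else 0)
    vend = struct.pack(">I", vendor) if vendor is not None else b""
    length = 8 + len(vend) + len(data)
    avp = struct.pack(">IB", code, flags) + length.to_bytes(3, "big") + vend + data
    return avp + b"\x00" * (-len(data) % 4)


def parse_avps(buf):
    """Yield (code, vendor, data) for each AVP in buf, validating the length
    field so a malformed AVP raises instead of being read past the buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError(f"truncated AVP header at offset {off}")
        code, flags = struct.unpack_from(">IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_VENDOR else 8
        if length < hdr or off + length > len(buf):
            raise ValueError(f"bad AVP length {length} for code {code} at offset {off}")
        vendor = struct.unpack_from(">I", buf, off + 8)[0] if flags & FLAG_VENDOR else None
        yield code, vendor, buf[off + hdr:off + length]
        off += length + (-length % 4)     # data is padded, the length field is not


def mscc_records(payload):
    """One dict per Multiple-Services-Credit-Control occurrence, collecting the
    Rating-Group and 3GPP-Reporting-Reason beside the CC-* counters nested in
    its Used-Service-Unit."""
    names = {CC_TIME: "cc_time", CC_TOTAL: "cc_total_octets",
             CC_INPUT: "cc_input_octets", CC_OUTPUT: "cc_output_octets"}
    records = []
    for code, _, data in parse_avps(payload):
        if code != MSCC:
            continue
        rec = {}
        for c2, vnd, d2 in parse_avps(data):
            if c2 == RATING_GROUP:
                rec["rating_group"] = int.from_bytes(d2, "big")
            elif c2 == REPORTING_REASON and vnd == VENDOR_3GPP:
                rec["reporting_reason"] = int.from_bytes(d2, "big")
            elif c2 == USU:
                for c3, _, d3 in parse_avps(d2):
                    if c3 in names:
                        rec[names[c3]] = int.from_bytes(d3, "big")
        records.append(rec)
    return records


def build_sample():
    """Constructed payload: two MSCC AVPs shaped like the ones in the post
    (l=104, Used-Service-Unit l=68); the counter values are made up."""
    def usu(secs, total, inp, out):
        return encode_avp(USU, encode_avp(CC_TIME, struct.pack(">I", secs))
                          + encode_avp(CC_TOTAL, struct.pack(">Q", total))
                          + encode_avp(CC_INPUT, struct.pack(">Q", inp))
                          + encode_avp(CC_OUTPUT, struct.pack(">Q", out)))

    def mscc(rg, reason, *counters):
        return encode_avp(MSCC, usu(*counters)
                          + encode_avp(RATING_GROUP, struct.pack(">I", rg))
                          + encode_avp(REPORTING_REASON, struct.pack(">I", reason),
                                       vendor=VENDOR_3GPP))

    return mscc(25, 2, 120, 0, 0, 0) + mscc(40, 2, 60, 1500, 500, 1000)


if __name__ == "__main__":
    for rec in mscc_records(build_sample()):
        print(rec)
```

Each record keeps the counters together with the Rating-Group they were reported under, which is exactly the pairing that gets lost once tshark flattens all occurrences of a field into one comma-joined cell.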
Have you looked at using one of the other output formats?
Then process as needed with a script (grep, sed, awk, cut, ...) or with a "little java program" as you mentioned.
So what format do you want?
From your complaint about "a wonderful one hundred character long line" it sounds as if you want the line split. The line in question, however, isn't "93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.", it's all the values of all the fields on one line, with "~" separating the values for different fields, and with "," separating the values for a given field.
How do you want that split?
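Taking the two answers above together (post-process the `-T fields` output with a script; the line holds every field once, with "~" between fields and "," between the occurrences of one field), here is an added example, not from either poster, of the split they are asking about. It is Python rather than a batch file or Java, and the sample lines are constructed to look like tshark's `-E header=y -E separator=~` output with the default "," aggregator; the Wireshark field names in the header are assumed. Single-valued fields are repeated on every output row, multi-valued fields are split one occurrence per row, and if two multi-valued fields disagree on their count the shorter one is left blank, because tshark gives only the position of each value, not the AVP it was nested under.

```python
import csv
import io

# Constructed lines in the shape tshark prints for
#   -T fields -E header=y -E separator=~     (default aggregator is ",")
# Frame 1 carries four MSCC occurrences, frame 2 only one.
SAMPLE = """\
frame.number~e212.imsi~diameter.Rating-Group~diameter.CC-Total-Octets
1~334110010009868~25,40,3,11~0,1500,0,230
2~334110010009869~25~0
"""


def explode(text, field_sep="~", occ_sep=","):
    """Turn one tshark line per packet into one row per occurrence."""
    lines = text.splitlines()
    header = lines[0].split(field_sep)
    rows = []
    for line in lines[1:]:
        if not line.strip():
            continue
        cells = [c.split(occ_sep) for c in line.split(field_sep)]
        if len(cells) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(cells)}: {line!r}")
        n = max(len(c) for c in cells)          # widest field decides the row count
        for i in range(n):
            row = {}
            for name, values in zip(header, cells):
                if len(values) == 1:
                    row[name] = values[0]       # single value: repeat on every row
                else:
                    # positional pairing only; blank when this field is shorter
                    row[name] = values[i] if i < len(values) else ""
            rows.append(row)
    return rows


def to_csv(rows):
    """Render the exploded rows as CSV text with the original field names as header."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(explode(SAMPLE)), end="")
```

Run it against a real capture with `tshark -r file.pcap -T fields -E header=y -E separator=~ -e ... | python explode.py` after replacing `SAMPLE` with `sys.stdin.read()`; the blank-cell rule is the thing to watch for, since it flags packets where the fields you asked for do not all come from the same grouped AVP.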
Thank you for your answers, Bubbasnmp and Guy Harris. I tried the output formats Bubba suggested, but even with other formats the field value is the same (btw, I didn't know tshark was capable of that formatting, awesome!). About Guy Harris's comment, I'm sorry if I didn't express myself correctly; tshark is doing its job, pretty sure the problem is between the keyboard and the chair. I would like to show all of you the pcap file. Is there a way I can upload it without violating wireshark.org forum rules?
OK, I just went ahead and uploaded an external link; if this is not allowed please let me know and I'll take it down.
A link to external storage is fine, as long as it's publicly accessible.