Tshark: Get multiple ocurrences with same field value

asked 2020-04-17 23:59:56 +0000

menticol

updated 2020-04-20 18:56:51 +0000

Hi guys!

Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.

Let's say I have 330 packages inside a .pcap file, from which I'm showing you the first three.

    No.  Time                        Source          Destination     Protocol  Length  Info
    1    2020-04-03 19:15:07.755864  172.27.241.161  172.27.241.171  DIAMETER  1686    cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
    2    2020-04-03 19:15:07.755864  172.27.241.161  172.27.241.171  DIAMETER  1686    cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
    3    2020-04-03 19:15:07.755864  172.27.241.161  172.27.241.171  DIAMETER  1686    cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325

Now let's expand packet number one.

Diameter Protocol
    Version: 0x01

... (tens of lines deleted to save post space) ...

AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org

... (tens of lines deleted to save post space) ...

AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-

OK! The Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside it:

AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
    AVP Code: 456 Multiple-Services-Credit-Control
    AVP Flags: 0x40, Mandatory: Set
    AVP Length: 104
    Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…

Now let's click the 000001be400000440000 node:

AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)

And then click the last node... OK, this is getting really tedious. You get the idea: you need to go five levels down to reach the treasure. Here it is:

AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25

At this point it seems very easy! Just make a .bat script with the following content, and I would get all values for all packages inside my multiple .pcap files:

 REM The two IMSI tests are grouped in parentheses so the || cannot bypass the other conditions; integer fields need no quotes
 "C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "diameter.3GPP-Reporting-Reason == 2 && diameter.avp.code == 421 && diameter.avp.code == 432 && (e212.imsi == \"334110010009868\" || e212.imsi == \"334110010009869\")" -T fields -E header=y -E separator=~ -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e ...

Comments

Have you looked at using one of the other output formats?

   -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)

Then process as needed with a script (grep, sed, awk, cut, ...) or with a "little java program" as you mentioned.

Chuckc (2020-04-18 01:44:54 +0000)

So what format do you want?

From your complaint about "a wonderful one hundred character long line" it sounds as if you want the line split. The line in question, however, isn't "93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.", it's all the values of all the fields on one line, with "~" separating the values for different fields, and with "," separating the values for a given field.

How do you want that split?

Guy Harris (2020-04-18 07:11:59 +0000)

Thank you for your answers, Bubbasnmp and Guy Harris. I tried the output formats Bubba suggested, but even with other formats the field value is the same (btw, I didn't know tshark was capable of that formatting, awesome!). About Guy Harris's comment: I'm sorry if I didn't express myself correctly; tshark is doing its job, and I'm pretty sure the problem is between the keyboard and the chair. I would like to show all of you the pcap file. Is there a way I can upload it without violating wireshark.org forum rules?

menticol (2020-04-20 18:45:01 +0000)

OK, I just went ahead and uploaded an external link; if this is not allowed, please let me know and I'll take it down.

menticol (2020-04-20 18:52:51 +0000)

A link to external storage is fine, as long as it's publicly accessible.

Jaap (2020-04-20 19:06:06 +0000)

1 Answer


answered 2020-04-20 22:03:36 +0000

Chuckc
tshark -r ./resultado_334110010009868.pcap -T json \
  -Y "diameter.Used-Service-Unit == 00:00:01:a4:40:00:00:0c:00:00:00:78:00:00:01:a5:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9c:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9e:40:00:00:10:00:00:00:00:00:00:00:00" |
# keep only the counter lines of interest
grep -e diameter.CC-Time -e diameter.CC-Total-Octets -e diameter.CC-Input-Octets -e diameter.CC-Output-Octets -e diameter.Rating-Group |
# Rating-Group is the last AVP of each group, so mark the end of a group with a tab
sed -e "/Rating-Group/s/$/\t/" |
# join everything onto one line, then split again at the tab marks: one line per group
tr -d '\n' | tr '\t' '\n' |
# strip whitespace, turn "key": "value" into key=value, and separate the fields with spaces
sed -e "s/ *//g" -e "s/\":\"/=/g" | sed -e "s/\"\"/ /g"

<snip>
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=3"
"diameter.CC-Input-Octets=348 diameter.CC-Output-Octets=0 diameter.Rating-Group=2"
"diameter.CC-Input-Octets=896 diameter.CC-Output-Octets=3552 diameter.Rating-Group=1"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=25"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=10"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=8"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=3"
"diameter.CC-Input-Octets=348 diameter.CC-Output-Octets=0 diameter.Rating-Group=2"
"diameter.CC-Input-Octets=40 diameter.CC-Output-Octets=135 diameter.Rating-Group=1"

Comments

The post processing would be better handled in a script or program that does data validation and error checking.

Chuckc (2020-04-20 22:06:27 +0000)
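As an added example (not code from the answer or from the poster), the grouping that the grep/sed/tr pipeline above does, redone over `tshark -T json` output with the validation this comment asks for: one row per Multiple-Services-Credit-Control AVP, missing counters reported as 0. The exact "AVP: ..." label and "_tree" key layout of tshark's JSON is an assumption, and the sample input is constructed from the values in the post.

```python
import json
# Counters wanted per Multiple-Services-Credit-Control (MSCC) occurrence, keyed by
# their display-filter names (tshark -T json prints every value as a string).
FIELDS = ("diameter.CC-Time", "diameter.CC-Total-Octets", "diameter.CC-Input-Octets",
          "diameter.CC-Output-Octets", "diameter.Rating-Group")

def _items(node):
    # A list here is tshark's way of keeping duplicate keys (e.g. the four MSCC AVPs).
    if isinstance(node, list):
        return [kv for item in node for kv in _items(item)]
    return list(node.items()) if isinstance(node, dict) else []

def mscc_subtrees(node):
    found = []  # every MSCC AVP subtree below node, in packet order
    for key, val in _items(node):
        if key.startswith("AVP: Multiple-Services-Credit-Control"):
            found.extend(val if isinstance(val, list) else [val])
        else:
            found.extend(mscc_subtrees(val))
    return found

def leaf_values(node, out):
    """Fill out with the wanted leaf fields under one MSCC, rejecting ambiguous repeats."""
    for key, val in _items(node):
        if key in FIELDS:
            if key in out or isinstance(val, list):
                raise ValueError(f"{key} occurs more than once inside one MSCC AVP")
            out[key] = int(val)
        else:
            leaf_values(val, out)
    return out

def rows_from_tshark_json(text):
    """One row per MSCC; a counter the AVP does not carry is reported as 0."""
    rows = []
    for pkt in json.loads(text):
        layers = pkt["_source"]["layers"]
        frame = int(layers["frame"]["frame.number"])
        for mscc in mscc_subtrees(layers.get("diameter", {})):
            vals = leaf_values(mscc, {})
            if "diameter.Rating-Group" not in vals:
                raise ValueError(f"frame {frame}: MSCC without a Rating-Group")
            rows.append({"frame": frame, **{f[9:]: vals.get(f, 0) for f in FIELDS}})
    return rows
# Constructed sample in the shape of tshark -T json (label/_tree keys are an assumption).
SAMPLE = r'''[{"_source":{"layers":{"frame":{"frame.number":"1"},"diameter":{"diameter.cmd.code":"272",
"AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-":[{"diameter.avp.code":"456","diameter.Multiple-Services-Credit-Control_tree":{
 "AVP: Used-Service-Unit(446) l=68 f=-M-":{"diameter.Used-Service-Unit_tree":{"AVP: CC-Time(420) l=12 f=-M- val=120":{"diameter.CC-Time":"120"},
  "AVP: CC-Total-Octets(421) l=16 f=-M- val=0":{"diameter.CC-Total-Octets":"0"}}},"AVP: Rating-Group(432) l=12 f=-M- val=25":{"diameter.Rating-Group":"25"}}},
 {"diameter.Multiple-Services-Credit-Control_tree":{"AVP: Used-Service-Unit(446) l=28 f=-M-":{"diameter.Used-Service-Unit_tree":{
  "AVP: CC-Input-Octets(412) l=16 f=-M- val=348":{"diameter.CC-Input-Octets":"348"}}},"AVP: Rating-Group(432) l=12 f=-M- val=2":{"diameter.Rating-Group":"2"}}}]}}}}]'''
```

Feed it real output with `rows_from_tshark_json(open("out.json").read())`; an MSCC with no Rating-Group or with a repeated counter stops the run instead of silently producing a shifted column.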

I'm very sorry for taking so long, guys. Thank you Bubbasnmp, your solution was much more elegant, but since I'm working on Windows I was not able to use grep commands. However, your idea pointed me in the right direction with (you guessed it) my little Java script!

I ended up making a table and copying all values over and over again (packet number, date, etc), replacing only the ones that changed.

https://www.dropbox.com/s/ykrknayyuj9...

In the cases where I did not have data to fill the space, I put a zero.

I really appreciate your time, guys. Stay safe.

menticol (2020-04-22 20:00:01 +0000)
