Ask Your Question
0

Tshark: Get multiple ocurrences with same field value

asked 2020-04-17 23:59:56 +0000

menticol gravatar image

updated 2020-04-20 18:56:51 +0000

Hi guys!

Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.

Let's say I have 330 packages inside a .pcap file, from which I'm showing you the first three.

No. | Time | Source | Destination | Protocol | Length | Info

 1  2020-04-03 19:15:07.755864  172.27.241.161  172.27.241.171  DIAMETER    1686    cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 | 

2   2020-04-03 19:15:07.755864  172.27.241.161  172.27.241.171  DIAMETER    1686    cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 | 

3   2020-04-03 19:15:07.755864  172.27.241.161  172.27.241.171  DIAMETER    1686    cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |

Now let's expand packet number one.

Diameter Protocol
    Version: 0x01

... (tens of lines deleted to save post space) ...

AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org

... (tens of lines deleted to save post space) ...

AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-

OK ! the Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside of it:

AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
    AVP Code: 456 Multiple-Services-Credit-Control
    AVP Flags: 0x40, Mandatory: Set
    AVP Length: 104
    Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…

Now let's click the 000001be400000440000 node:

AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)

And then click the last node... Ok, this is getting really tedious. You got the idea, you need to go five levels down to reach the treasure. Here it is:

AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25

At this point seems very easy! just make a .bat script with the following content, and I would get all values for all packages inside my multiple .pcap files

 "C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "(diameter.3GPP-Reporting-Reason == "2" && diameter.avp.code == "421" && diameter.avp.code == "432" && e212.imsi=="334110010009868" || e212.imsi=="334110010009869")" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e ...
(more)
edit retag flag offensive close merge delete

Comments

Have you looked at using one of the other output formats?

   -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)

Then process as needed with a script (grep, sed, awk, cut, ....) or with a "little java program" as you mentioned.

Chuckc gravatar imageChuckc ( 2020-04-18 01:44:54 +0000 )edit

So what format do you want?

From your complaint about "a wonderful one hundred character long line" it sounds as if you want the line split. The line in question, however, isn't "93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.", it's all the values of all the fields on one line, with "~" separating the values for different fields, and with "," separating the values for a given field.

How do you want that split?

Guy Harris gravatar imageGuy Harris ( 2020-04-18 07:11:59 +0000 )edit

Thank you for your answers Bubbasnmp and Guy Harris. Tried with the output formats Bubba suggested, but even with other formats the field value is the same (btw, I didn't know tshark was capable of that formatting, awesome!). About Guy Harris comment, I'm sorry if I didn't express myself correctly, tshark is doing its job, pretty sure the problem is between the keyboard and the chair. I would like to show all of you the pcap file. Is there a way I can upload it without violating wireshark.org forum rules?

menticol gravatar imagementicol ( 2020-04-20 18:45:01 +0000 )edit

Ok I just went ahead and uploaded an external link, if this is not allowed please let me know to take it down

menticol gravatar imagementicol ( 2020-04-20 18:52:51 +0000 )edit

A link to an external external storage is fine, as long as it's publicly accessible.

Jaap gravatar imageJaap ( 2020-04-20 19:06:06 +0000 )edit

1 Answer

Sort by » oldest newest most voted
1

answered 2020-04-20 22:03:36 +0000

Chuckc gravatar image
tshark -r ./resultado_334110010009868.pcap -T json -Y "diameter.Used-Service-Unit == 00:00:01:a4:40:00:00:0c:00:00:00:78:00:00:01:a5:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9c:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9e:40:00:00:10:00:00:00:00:00:00:00:00" | grep -e diameter.CC-Time -e diameter.CC-Total-Octets -e diameter.CC-Input-Octets -e diameter.CC-Output-Octets -e diameter.Rating-Group | sed -e "/Rating-Group/s/$/\t/" | tr -d '\n' | tr '\t' '\n' | sed -e "s/ *//g" -e "s/\":\"/=/g" | sed -e "s/\"\"/ /g"

<snip>
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=3"
"diameter.CC-Input-Octets=348 diameter.CC-Output-Octets=0 diameter.Rating-Group=2"
"diameter.CC-Input-Octets=896 diameter.CC-Output-Octets=3552 diameter.Rating-Group=1"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=25"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=10"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=8"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=3"
"diameter.CC-Input-Octets=348 diameter.CC-Output-Octets=0 diameter.Rating-Group=2"
"diameter.CC-Input-Octets=40 diameter.CC-Output-Octets=135 diameter.Rating-Group=1"
edit flag offensive delete link more

Comments

The post processing would be better handled in a script or program that does data validation and error checking.

Chuckc gravatar imageChuckc ( 2020-04-20 22:06:27 +0000 )edit

I'm very sorry for taking so long guys. Thank you Bubbasnmp, your solution was much more elegant, but since I'm working on Windows I was not able to use grep commands. However your idea pointed me in the right direction with (you guessed it) my little java script!

I ended up making a table and copying all values over and over again (packet number, date, etc), replacing only the ones that changed.

https://www.dropbox.com/s/ykrknayyuj9...

In the cases where I did not have data to fill the space, I put a zero.

I really appreciate your time guys, stay safe

menticol gravatar imagementicol ( 2020-04-22 20:00:01 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-04-17 23:59:56 +0000

Seen: 452 times

Last updated: Apr 20 '20