How to decode an IPFIX 315 payload using tshark
I am trying to decode an IPFIX 315 payload. I tried using the -d option like this:
tshark -i eth1 -d udp.port==2200,cflow -V src 110.0.0.1
but I still see the Data portion for my IPFIX 315 validation. Is there a way to get the decoded payload, as we get in the Wireshark GUI?
Frame 19: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
    Interface id: 0
    WTAP_ENCAP: 1
    Arrival Time: Mar 26, 2018 01:09:40.071456375 PDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1522051780.071456375 seconds
    [Time delta from previous captured frame: 2.000134457 seconds]
    [Time delta from previous displayed frame: 2.000134457 seconds]
    [Time since reference or first frame: 14.001339583 seconds]
    Frame Number: 19
    Frame Length: 78 bytes (624 bits)
    Capture Length: 78 bytes (624 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:data]
Ethernet II, Src: Cisco_96:ec:c0 (c4:71:fe:96:ec:c0), Dst: Vmware_27:12:30 (00:0c:29:27:12:30)
    Destination: Vmware_27:12:30 (00:0c:29:27:12:30)
        Address: Vmware_27:12:30 (00:0c:29:27:12:30)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_96:ec:c0 (c4:71:fe:96:ec:c0)
        Address: Cisco_96:ec:c0 (c4:71:fe:96:ec:c0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 110.0.0.1 (110.0.0.1), Dst: 1.70.29.16 (1.70.29.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x1c (DSCP 0x07: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0001 11.. = Differentiated Services Codepoint: Unknown (0x07)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 64
    Identification: 0x17a0 (6048)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: UDP (17)
    Header checksum: 0x189a [correct]
        [Good: True]
        [Bad: False]
    Source: 110.0.0.1 (110.0.0.1)
    Destination: 1.70.29.16 (1.70.29.16)
User Datagram Protocol, Src Port: 48117 (48117), Dst Port: ici (2200)
    Source port: 48117 (48117)
    Destination port: ici (2200)
    Length: 44
    Checksum: 0x0000 (none)
        [Good Checksum: False]
        [Bad Checksum: False]
Data (36 bytes)

0000  00 0a 00 24 5a b8 48 88 00 00 17 a0 00 00 00 00   ...$Z.H.........
0010  00 02 00 14 01 4f 00 03 00 0a 00 04 00 0e 00 04   .....O..........
0020  01 3b ff ff                                       .;..

    Data: 000a00245ab84888000017a00000000000020014014f0003...
    [Length: 36]
Typo? You're running tshark with -d udp.port==2000,cflow. The dump shows UDP port 2200.

It's a typo, it should be 2200.
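The 36 "Data" bytes in the dump are already a complete IPFIX message: version 0x000a (10), length 0x0024 (36), export time 0x5ab84888, sequence 0x17a0, observation domain 0, followed by one template set (set ID 2, length 20) defining template 335 with three fields: ingressInterface (IE 10, 4 bytes), egressInterface (IE 14, 4 bytes) and dataLinkFrameSection (IE 315, length 0xffff, i.e. variable length). That is what tshark will show once the decode-as port actually matches. As an added example that is not part of the original post and not Wireshark or tshark code, the Python decoder below parses that header and template set from the bytes copied out of the dump, and goes beyond the dump by also decoding data sets against templates it has learned, including the variable-length encoding IE 315 uses (RFC 7011 section 7). The IE name table is limited to the three IEs in the dump, and the `build_data_message` helper and its 14-byte frame sample are constructed for the example only.

```python
"""Minimal IPFIX (RFC 7011) decoder for the kind of payload shown in the question.

Added example for this page; it is not part of the original post and not
Wireshark/tshark code. It parses the 16-byte message header, the template
set (set ID 2) and, with the templates it has learned, data sets
(set ID >= 256), including the variable-length encoding that IE 315
(dataLinkFrameSection) uses.
"""
import struct

# Names for the IEs that appear in the question (IANA IPFIX registry); others are reported by number.
IE_NAMES = {10: "ingressInterface", 14: "egressInterface", 315: "dataLinkFrameSection"}
VARIABLE_LENGTH = 0xFFFF

# The 36 payload bytes copied from the tshark dump in the question.
PAYLOAD_FROM_QUESTION = bytes.fromhex(
    "000a00245ab84888000017a000000000"
    "00020014014f0003000a0004000e0004"
    "013bffff"
)


def parse_header(buf):
    """Decode the IPFIX message header; raises on a non-IPFIX or truncated buffer."""
    version, length, export_time, seq, odid = struct.unpack_from(">HHIII", buf, 0)
    if version != 10:
        raise ValueError(f"not IPFIX (version {version})")
    if length < 16 or length > len(buf):
        raise ValueError(f"bad message length {length} for {len(buf)} bytes")
    return {"version": version, "length": length, "export_time": export_time,
            "sequence": seq, "observation_domain": odid}


def parse_template_set(body):
    """Return {template_id: [(ie_id, enterprise_or_None, field_length), ...]}."""
    templates, off = {}, 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from(">HH", body, off)
        off += 4
        if tid == 0:          # all-zero padding at the end of the set
            break
        fields = []
        for _ in range(count):
            ie, length = struct.unpack_from(">HH", body, off)
            off += 4
            enterprise = None
            if ie & 0x8000:   # enterprise bit set: a 4-byte PEN follows
                (enterprise,) = struct.unpack_from(">I", body, off)
                off += 4
                ie &= 0x7FFF
            fields.append((ie, enterprise, length))
        templates[tid] = fields
    return templates


def parse_data_set(body, fields):
    """Decode the records of one data set using the template's field list."""
    if not fields:
        return []
    # Smallest possible record: one length octet per variable-length field.
    min_len = sum(1 if ln == VARIABLE_LENGTH else ln for _, _, ln in fields)
    records, off = [], 0
    while off + min_len <= len(body):
        rec = {}
        for ie, ent, ln in fields:
            variable = ln == VARIABLE_LENGTH
            if variable:      # RFC 7011 s.7: 1 length octet, or 255 followed by 2 octets
                ln = body[off]; off += 1
                if ln == 255:
                    (ln,) = struct.unpack_from(">H", body, off); off += 2
            raw = body[off:off + ln]; off += ln
            if len(raw) != ln:
                raise ValueError("data record truncated")
            name = f"pen{ent}.ie{ie}" if ent is not None else IE_NAMES.get(ie, f"ie{ie}")
            rec[name] = raw if variable else int.from_bytes(raw, "big")
        records.append(rec)
    return records


def decode_message(buf, templates=None):
    """Walk every set in one IPFIX message; pass the same dict to keep templates across messages."""
    templates = {} if templates is None else templates
    hdr = parse_header(buf)
    result = {"header": hdr, "templates": {}, "records": {}, "skipped": []}
    off = 16
    while off + 4 <= hdr["length"]:
        set_id, set_len = struct.unpack_from(">HH", buf, off)
        if set_len < 4 or off + set_len > hdr["length"]:
            raise ValueError(f"bad set length {set_len} at offset {off}")
        body = buf[off + 4:off + set_len]
        if set_id == 2:
            new = parse_template_set(body)
            templates.update(new)
            result["templates"].update(new)
        elif set_id in templates:
            result["records"].setdefault(set_id, []).extend(parse_data_set(body, templates[set_id]))
        else:             # options templates (3) or data for a template not yet seen
            result["skipped"].append(set_id)
        off += set_len
    return result


def build_data_message(template_id, ingress, egress, frame, sequence):
    """Constructed data message matching the question's template (example input only)."""
    record = struct.pack(">II", ingress, egress) + bytes([len(frame)]) + frame
    data_set = struct.pack(">HH", template_id, 4 + len(record)) + record
    header = struct.pack(">HHIII", 10, 16 + len(data_set), 0x5AB84888, sequence, 0)
    return header + data_set


if __name__ == "__main__":
    seen = {}
    print(decode_message(PAYLOAD_FROM_QUESTION, seen))
    frame = bytes.fromhex("000c29271230c471fe96ecc00800")   # constructed 14-byte Ethernet header
    print(decode_message(build_data_message(335, 1, 2, frame, 0x17A1), seen))
```

Templates and data records normally arrive in separate messages, so the same `templates` dict has to be kept across calls; a data set whose template has not been seen yet is listed under `skipped` rather than guessed at, which is the situation you are in if the capture starts after the exporter's last template refresh.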