How to decode ipfix315 payload using Tshark

asked 2018-03-26 08:26:27 +0000

anonymous user

updated 2018-03-27 19:44:16 +0000

I am trying to decode the ipfix315 payload. I tried using the -d option like this:

tshark -i eth1 -d udp.port==2200,cflow -V src 110.0.0.1

but I still only see the Data portion for my IPFIX 315 validation. Is there a way to get the decoded payload, as we get in the Wireshark GUI?

Frame 19: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
    Interface id: 0
    WTAP_ENCAP: 1
    Arrival Time: Mar 26, 2018 01:09:40.071456375 PDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1522051780.071456375 seconds
    [Time delta from previous captured frame: 2.000134457 seconds]
    [Time delta from previous displayed frame: 2.000134457 seconds]
    [Time since reference or first frame: 14.001339583 seconds]
    Frame Number: 19
    Frame Length: 78 bytes (624 bits)
    Capture Length: 78 bytes (624 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:data]
Ethernet II, Src: Cisco_96:ec:c0 (c4:71:fe:96:ec:c0), Dst: Vmware_27:12:30 (00:0c:29:27:12:30)
    Destination: Vmware_27:12:30 (00:0c:29:27:12:30)
        Address: Vmware_27:12:30 (00:0c:29:27:12:30)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_96:ec:c0 (c4:71:fe:96:ec:c0)
        Address: Cisco_96:ec:c0 (c4:71:fe:96:ec:c0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 110.0.0.1 (110.0.0.1), Dst: 1.70.29.16 (1.70.29.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x1c (DSCP 0x07: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0001 11.. = Differentiated Services Codepoint: Unknown (0x07)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 64
    Identification: 0x17a0 (6048)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: UDP (17)
    Header checksum: 0x189a [correct]
        [Good: True]
        [Bad: False]
    Source: 110.0.0.1 (110.0.0.1)
    Destination: 1.70.29.16 (1.70.29.16)
User Datagram Protocol, Src Port: 48117 (48117), Dst Port: ici (2200)
    Source port: 48117 (48117)
    Destination port: ici (2200)
    Length: 44
    Checksum: 0x0000 (none)
        [Good Checksum: False]
        [Bad Checksum: False]
Data (36 bytes)

0000  00 0a 00 24 5a b8 48 88 00 00 17 a0 00 00 00 00   ...$Z.H.........
0010  00 02 00 14 01 4f 00 03 00 0a 00 04 00 0e 00 04   .....O..........
0020  01 3b ff ff                                       .;..
    Data: 000a00245ab84888000017a00000000000020014014f0003...
    [Length: 36]
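The 36-byte UDP payload in the dump above is a well-formed IPFIX message even though the frame was dissected as plain data, so the payload itself is not the reason the cflow dissector did not run. The following is an added example, not code from the question or from Wireshark: a small standalone decoder for the IPFIX message header and Template Set, fed the exact bytes shown in the Data line. The Information Element names come from the IANA IPFIX registry; the table is limited to the three IDs that appear in this template, and that limitation is an assumption of the example, not a property of the protocol.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The 36 bytes of UDP payload copied from the "Data" line of the dump above.
IPFIX_PAYLOAD = bytes.fromhex(
    "000a00245ab84888000017a000000000"   # 16-byte message header
    "00020014014f0003000a0004000e0004"   # Template Set (set ID 2, length 20) ...
    "013bffff"                           # ... last field: IE 315, variable length
)

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
VARIABLE_LENGTH = 0xFFFF

# IANA names for the IEs used here only (assumption: nothing else is needed).
IE_NAMES = {
    10: "ingressInterface",
    14: "egressInterface",
    315: "dataLinkFrameSection",
}


@dataclass
class Template:
    template_id: int
    # (ie_id, length, enterprise number or None for IANA IEs)
    fields: List[Tuple[int, int, Optional[int]]]


@dataclass
class IpfixMessage:
    version: int
    length: int
    export_time: int
    sequence: int
    domain_id: int
    templates: List[Template] = field(default_factory=list)
    data_sets: List[Tuple[int, bytes]] = field(default_factory=list)  # (template id, raw records)


def parse_template_set(body: bytes) -> List[Template]:
    """Parse one Template Set body (everything after the 4-byte set header)."""
    templates = []
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, off)
        off += 4
        if tid == 0 and count == 0:
            break  # trailing padding
        if tid < 256:
            raise ValueError(f"template ID {tid} is reserved (must be >= 256)")
        fields = []
        for _ in range(count):
            ie, length = struct.unpack_from("!HH", body, off)
            off += 4
            enterprise = None
            if ie & 0x8000:  # enterprise bit: a 4-byte PEN follows the length
                (enterprise,) = struct.unpack_from("!I", body, off)
                off += 4
                ie &= 0x7FFF
            fields.append((ie, length, enterprise))
        templates.append(Template(tid, fields))
    return templates


def parse_ipfix(payload: bytes) -> IpfixMessage:
    """Parse an IPFIX message header and split the message into sets."""
    if len(payload) < 16:
        raise ValueError("short IPFIX header")
    version, length, export_time, seq, domain = struct.unpack_from("!HHIII", payload, 0)
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX (version {version})")
    if length < 16 or length > len(payload):
        raise ValueError(f"bad message length {length} for {len(payload)} bytes")
    msg = IpfixMessage(version, length, export_time, seq, domain)
    off = 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", payload, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError(f"bad set length {set_len} at offset {off}")
        body = payload[off + 4: off + set_len]
        if set_id == TEMPLATE_SET_ID:
            msg.templates.extend(parse_template_set(body))
        elif set_id >= 256:
            # Data Set: records can only be decoded with the matching template.
            msg.data_sets.append((set_id, body))
        # Options Template Sets (ID 3) and reserved IDs are not handled here.
        off += set_len
    return msg


def describe_field(ie: int, length: int, enterprise: Optional[int]) -> str:
    name = IE_NAMES.get(ie, f"ie{ie}") if enterprise is None else f"pen{enterprise}:ie{ie}"
    size = "variable" if length == VARIABLE_LENGTH else str(length)
    return f"{name} (id {ie}, length {size})"


if __name__ == "__main__":
    m = parse_ipfix(IPFIX_PAYLOAD)
    print(f"IPFIX v{m.version}, length {m.length}, export time {m.export_time}, "
          f"seq {m.sequence}, domain {m.domain_id}")
    for t in m.templates:
        print(f"Template {t.template_id}:")
        for ie, ln, pen in t.fields:
            print("  ", describe_field(ie, ln, pen))
```

Run against the bytes from the dump, this yields an IPFIX version 10 message of length 36 carrying one Template Set that defines template 335 with three fields: ingressInterface (4 bytes), egressInterface (4 bytes) and dataLinkFrameSection, which is IE 315 with length 0xFFFF, i.e. a variable-length field carrying a frame slice. Two practical consequences for the tshark run: the actual data records will arrive in later packets as a Data Set with set ID 335, and any dissector (Wireshark's cflow included) can only decode them after it has seen this template packet, so the template must be in the same capture or the records stay undecoded. The exportTime field decodes to 01:10:32 UTC on 2018-03-26 while the frame arrived at 01:09:40 PDT (08:09:40 UTC), which is consistent with the exporter's clock running on local time rather than UTC; worth checking before correlating these records with other sources.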

Comments

Typo? You're running tshark with -d udp.port==2000,cflow. The dump shows UDP port 2200.

Uli (2018-03-26 09:47:56 +0000)

It's a typo, it should be 2200.

shankar (2018-03-27 19:41:48 +0000)