Export CBSP, SABP and SBcAP packets

asked 2021-09-21 18:18:56 +0000

breizh_picsou

Hi,

I have a PCAP file with packets using the CBSP, SABP and SBcAP protocols. I'd like to export these packets to a readable text file with the content and all attributes, to be able to read this information in an application. I'll develop the application.

How to do this? I saw it's possible to use Wireshark on the command line.

A PCAP file is available here : https://wetransfer.com/downloads/b530...

Thank you for your help


1 Answer


answered 2021-09-21 20:18:25 +0000

André

updated 2021-09-21 20:25:23 +0000

You can use tshark to do this. For example:

tshark -r test.pcap -Y 'cbsp or sabp or sbcap' -O cbsp,sabp,sbcap -T json

Options: -r to read the file, -Y for the display filter, -O to output only the listed protocols, -T (optional) to select the output format.
See documentation at: https://www.wireshark.org/docs/man-pa...

You can redirect the output to a file or run tshark as a sub-process in your application and process its output directly.


Comments

Thank you André for your answer. After a few tests, the pdml format is easier to manage in my application, but I have a few issues. With these 2 options together

-Y 'cbsp or sabp or sbcap' -O cbsp,sabp,sbcap,

I have an error saying the format is indicated twice. I kept only "-O cbsp,sabp,sbcap" but the filter is not working so I have very big pdml files. If I keep only -Y 'cbsp or sabp or sbcap', the generated PDML file is empty.

How to solve it ?

breizh_picsou (2021-09-22 13:18:58 +0000)

I think you are using the command prompt on Windows. In that case use double-quotes for strings:

tshark -r test.pcap -Y "cbsp or sabp or sbcap" -O cbsp,sabp,sbcap -T pdml

The Windows command prompt treats a single quote as a regular character, so the next "or" is read by tshark as an additional command-line argument instead of part of the display filter. Single quotes can be used in PowerShell and on Mac/Linux (bash).

By the way: for testing it may be handy to limit the output of tshark by using the -c option. For example, adding -c 1000 means "stop reading after 1000 packets", or replace -Y by -c10 -2R to output only the first 10 packets that match the filter.

André (2021-09-22 18:06:58 +0000)
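Putting the answer and the follow-up comment together, here is an added Python example (not code from the thread or from Wireshark) that builds the tshark argv as a list, so the display filter arrives as one argument regardless of cmd.exe or bash quoting, and flattens PDML output into per-protocol field lists. The PDML sample embedded below is constructed to match the shape tshark emits, not taken from a real capture; the `export` function assumes tshark is on PATH.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed PDML excerpt in the shape `tshark -T pdml` emits (not from a real capture).
SAMPLE_PDML = """<pdml version="0" creator="wireshark/x.y.z">
  <packet>
    <proto name="geninfo" pos="0" showname="General information" size="120">
      <field name="num" pos="0" show="1" showname="Number" value="1" size="120"/>
    </proto>
    <proto name="sabp" pos="66" showname="Service Area Broadcast Protocol (SABP)" size="54">
      <field name="sabp.SABP_PDU" pos="66" show="0" showname="SABP-PDU: initiatingMessage (0)" size="54" value="00">
        <field name="sabp.procedureCode" pos="67" show="0" showname="procedureCode: id-Write-Replace (0)" size="1" value="00"/>
      </field>
    </proto>
  </packet>
</pdml>"""

PROTOCOLS = ("cbsp", "sabp", "sbcap")

def tshark_args(pcap, limit=None):
    # Build argv as a list: the display filter is one argument no matter
    # which shell quoting rules apply (the cmd.exe single-quote problem above).
    args = ["tshark", "-r", pcap, "-Y", " or ".join(PROTOCOLS),
            "-O", ",".join(PROTOCOLS), "-T", "pdml"]
    if limit:                      # optional -c N, as suggested for testing
        args += ["-c", str(limit)]
    return args

def parse_pdml(xml_text):
    # Flatten each packet into {proto: [(name, showname, value), ...]},
    # skipping protocols outside the three of interest; nested fields are walked.
    packets = []
    for pkt in ET.fromstring(xml_text).iter("packet"):
        entry = {}
        for proto in pkt.findall("proto"):
            if proto.get("name") in PROTOCOLS:
                entry[proto.get("name")] = [(f.get("name"), f.get("showname"), f.get("value"))
                                            for f in proto.iter("field")]
        if entry:
            packets.append(entry)
    return packets

def export(pcap, limit=None):
    # Run tshark as a sub-process (as the answer suggests) and parse its PDML directly.
    out = subprocess.run(tshark_args(pcap, limit), check=True,
                         capture_output=True, text=True).stdout
    return parse_pdml(out)
```

Calling `parse_pdml(SAMPLE_PDML)` returns one packet with only the `sabp` fields; `export("test.pcap", limit=10)` does the same against a real file.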
