"tshark: someipsd neither a field nor a protocol name"

asked 2022-08-30 13:34:33 +0000

updated 2022-08-31 02:57:13 +0000


Code:

    import logging
    import os
    import subprocess
    from pathlib import Path

    logger = logging.getLogger(__name__)


    def convert_pcap_to_csv_trace(path_to_pcap, tshark_path, output_dir_path=None):
        """Run tshark over a pcap and write the selected fields to a ';'-separated CSV."""
        logger.info("***** Converting pcap trace to csv. Trace *****: {}".format(path_to_pcap))
        # Default to writing the CSV next to the pcap.
        output_dir_path = os.path.dirname(path_to_pcap) if not output_dir_path else output_dir_path
        assert os.path.isdir(output_dir_path)
        output_file_name = Path(path_to_pcap).stem
        path_to_csv = os.path.join(output_dir_path, output_file_name) + '.csv'
        logger.info("This might take some time. You can track the progress watching the file size: {}"
                    .format(path_to_csv))

        with open(path_to_csv, 'w') as csv_trace:
            # -T fields with -E options: one quoted, ';'-separated row per packet, header line first.
            # -R: every protocol and field named in the filter must exist in the tshark build
            # that runs it; otherwise tshark exits with "<name> neither a field nor a protocol name".
            # (Current releases use -Y for a single-pass display filter and keep -R for the
            # two-pass read filter used together with -2.)
            cmd = [tshark_path, '-T', 'fields', '-E', 'separator=;',
                   '-E', 'header=y', '-E', 'quote=d',
                   '-R', '!someipsd && !icmp && someip.messageid && ((someip.serviceid != 0xffff) && '
                         '(someip.clientid != 0xdead)) && vlan.id == 0x49',
                   '-e', 'frame.time_relative',
                   '-e', 'ip.id',
                   '-e', 'someip.messageid',
                   '-e', 'someip.length',
                   '-e', 'ip.src',
                   '-e', 'udp.srcport',
                   '-e', 'tcp.srcport',
                   '-e', 'ip.dst',
                   '-e', 'udp.dstport',
                   '-e', 'tcp.dstport',
                   '-n', '-r', path_to_pcap]   # -n: no name resolution; -r: read from file

            logger.info("***** Running the following command in command line: *****")
            logger.info(cmd)

            # tshark's stdout goes straight into the CSV; a non-zero exit (for example a
            # filter that names an unknown field) raises CalledProcessError here.
            subprocess.check_call(cmd, stdout=csv_trace)

The above function is working fine on a Windows 10 local machine. The same code is not working on a VDI Windows 10 machine.

What went wrong on the VDI (Virtual Desktop Infrastructure) Windows 10 machine? Kindly help me here, please.


Comments

Can you add the output of tshark -v?

Looks like SOME/IP Service Discovery Protocol was added in 3.2.0 (Versions: 3.2.0 to 3.6.7)

Chuckc (2022-08-30 13:46:57 +0000)

My first guess will be that you have no limits imposed on you on your local system but you do have severe limits imposed on you in the VDI. I recommend you get these limitations defined clearly to begin with. VDIs are not the typical workstation that you got used to.

hugo.vanderkooij (2022-08-31 05:58:03 +0000)

Output:

C:\Program Files\Wireshark>tshark -v

TShark 1.10.14 (v1.10.14-0-g825f971 from master-1.10)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5,
without POSIX capabilities, without libnl, with SMI 0.4.8, with c-ares 1.9.1,
with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, without
Kerberos, with GeoIP.

Running on 64-bit Windows 8, build 9200, without WinPcap.
Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz, with 32518MB of physical memory.

Built using Microsoft Visual C++ 10.0 build 40219

My local machine and VDI machine have the same Wireshark v1.10.14 only.

tshark error (2022-09-01 05:52:52 +0000)
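A pre-flight check for the situation in this thread, added here as an example and not code from the original post: it parses the `tshark -v` banner pasted above, pulls the field and protocol names out of the display filter from the question, and compares them with what the installed build reports via `tshark -G fields`, so that a build lacking a dissector fails with a clear message before the long pcap conversion starts rather than with "neither a field nor a protocol name". Only the 3.2.0 requirement for someipsd comes from the thread; the `MIN_VERSION` table, the sample `-G fields` rows, and the function names are assumptions made for illustration.

```python
"""Pre-flight checks before running a tshark field-extraction command.

Added example (not from the original post). Runs offline on constructed
sample input; load_known_names() is the only function that needs tshark.
"""
import re
import subprocess
from typing import Iterable

# Banner from the thread, used here as constructed sample input.
SAMPLE_BANNER = """\
TShark 1.10.14 (v1.10.14-0-g825f971 from master-1.10)

Copyright 1998-2015 Gerald Combs and contributors.
This is free software; see the source for copying conditions.

Running on 64-bit Windows 8, build 9200, without WinPcap.
"""

# Display filter from the question.
SAMPLE_FILTER = ('!someipsd && !icmp && someip.messageid && ((someip.serviceid != 0xffff) && '
                 '(someip.clientid != 0xdead)) && vlan.id == 0x49')

# Constructed excerpt of what an old `tshark -G fields` might print: 'P' rows
# are protocols, 'F' rows are fields, column 3 is the filter name in both.
SAMPLE_G_FIELDS = "\n".join([
    "P\tInternet Control Message Protocol\ticmp",
    "F\tSource\tip.src\tFT_IPv4\tip\tBASE_NONE\t0x0\tSource Address",
    "P\t802.1Q Virtual LAN\tvlan",
    "F\tID\tvlan.id\tFT_UINT16\tvlan\tBASE_DEC\t0xfff\tID",
])

# Hand-maintained (assumption: tshark does not expose this) minimum release
# per protocol; someipsd was added in 3.2.0 according to the thread.
MIN_VERSION = {"someipsd": (3, 2, 0)}

# Display-filter keywords/operators that look like names but are not fields.
_KEYWORDS = {"and", "or", "not", "xor", "eq", "ne", "gt", "lt", "ge", "le",
             "in", "contains", "matches", "bitwise_and", "true", "false"}
# A name: identifier optionally followed by .sub.names, not preceded by a
# word char or dot (so the 'xffff' in '0xffff' is not picked up).
_NAME_RE = re.compile(r"(?<![\w.])[A-Za-z_]\w*(?:\.\w+)*")


def parse_tshark_version(banner: str) -> tuple:
    """Return (major, minor, patch) from a `tshark -v` banner.

    Accepts both the old 'TShark 1.10.14 (...)' and the current
    'TShark (Wireshark) 3.6.7 (...)' first-line forms.
    """
    m = re.search(r"^TShark(?: \(Wireshark\))? (\d+)\.(\d+)\.(\d+)", banner, re.M)
    if not m:
        raise ValueError("no TShark version line found in banner")
    return tuple(int(x) for x in m.groups())


def filter_names(expr: str) -> set:
    """Extract the field and protocol names referenced by a display filter."""
    expr = re.sub(r'"[^"]*"', '""', expr)      # ignore quoted string literals
    return {t for t in _NAME_RE.findall(expr) if t.lower() not in _KEYWORDS}


def parse_g_fields(output: str) -> set:
    """Parse `tshark -G fields` output into the set of known filter names."""
    names = set()
    for line in output.splitlines():
        cols = line.split("\t")
        if len(cols) >= 3 and cols[0] in ("P", "F"):
            names.add(cols[2])
    return names


def load_known_names(tshark_path: str) -> set:
    """Ask the installed tshark which names it knows (requires tshark)."""
    out = subprocess.run([tshark_path, "-G", "fields"], check=True,
                         capture_output=True, text=True).stdout
    return parse_g_fields(out)


def preflight(expr: str, banner: str, known: Iterable[str]) -> list:
    """Return a list of problems with the filter; empty means safe to run."""
    version = parse_tshark_version(banner)
    known = set(known)
    problems = []
    for name in sorted(filter_names(expr)):
        if name in known:
            continue
        need = MIN_VERSION.get(name.split(".", 1)[0])
        if need and version < need:
            problems.append("%r: needs TShark %s or later, found %s" % (
                name, ".".join(map(str, need)), ".".join(map(str, version))))
        else:
            problems.append("%r: not a field or protocol in this tshark build" % name)
    return problems


if __name__ == "__main__":
    for p in preflight(SAMPLE_FILTER, SAMPLE_BANNER, parse_g_fields(SAMPLE_G_FIELDS)):
        print(p)
```

In the real conversion function the call would be `preflight(filter_expr, subprocess.run([tshark_path, "-v"], capture_output=True, text=True).stdout, load_known_names(tshark_path))`, run once per machine before the first pcap; on the 1.10.14 build in the thread it reports `someipsd` as needing 3.2.0 and the `someip.*` fields as unknown, which is the error tshark itself would only raise after the command had started.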

On the system that is working, can you modify the function to log the value of tshark_path and output of tshark_path -v? Is it possible that the function is running tshark from a different location?

Chuckc (2022-09-01 13:56:38 +0000)

Wireshark 1.10.14 is a very old version that was EOL on June 5, 2015.

Can you upgrade to a supported version?

grahamb (2022-09-02 07:58:33 +0000)