Definition of dissector_rfc
Hi everyone, I'm using tshark to decode AVP of a Diameter file by a command:
tshark -r Diameter.pcap -T fields -e "diameter.Subscription-Id" >/dev/null 2>&1
"diameter.Subscription-Id" just to make sure that tshark go through the dissector of AVP and I can get values of all AVPs. The size of file is about 800 MB, so it takes time with output printed on screen and run at 100% CPU. So I change the command:
tshark -r Diameter.pcap >/dev/null 2>&1
In this way, it 's faster but tshark doesn't go through some AVPs. I tried to read the source code and found the differrence of two commands:
dissect_diameter_avp(...)
{
....
avp_str = a->dissector_rfc(c,a,subtvb, diam_sub_dis_inf);
....
}
Tshark goes to dissector_rfc in both of cases but in the first command, avp_str has value while it is NULL in the second command. I tried to find how dissector_rfc works but found nothing in source code. So please help if you have an experience on the source code:
- How can I find the definition of dissector_rfc in the source code? In this way, I can change the code make avp_str is not NULL with the second command.
- Is it able to force tshark to go to AVP without printing output (to make it faster)?
There are several places in packet-diameter.c where
a->dissector_rfcis assigned a value.Have you looked at the AVP statistics
tshark(man page) can provide with-z diameter,avp[,cmd.code,field,field,…]?Thank Chuckc for your advice. I tried
AVP statisticsbut it's very slow. The input ofdissector_rfcare (c,a,subtvb, diam_sub_dis_inf) but I don't know how it works so cannot change these values. Do you know wheredissector_rfcdefined?packet-diameter.c#L1826:
if (code<256) { a->dissector_rfc = address_radius_avp; } else { a->dissector_rfc = address_rfc_avp; }It's also set in
build_proto_avp(),build_simple_avp()andbuild_appid_avp().Thank Chuck about your suggestion. I tried but got the same results in both cases