Different output between tshark and wireshark

asked 2022-11-15 20:50:57 +0000

Alessandro

updated 2022-11-16 09:21:22 +0000

Hi, I was trying to match some Diameter dialogues and I realized that tshark does not decode some packets while Wireshark does.

This is the file https://www.dropbox.com/s/msrsr9uwukd...

I tried both with -2 and without:

tshark -V -2 -r 333b.pcapng

No Diameter is found.

Wireshark Version 4.0.1 (v4.0.1-0-ge9f3970b1527).

See the screenshot of the decoded file:

https://www.dropbox.com/s/b8yeit4pz6l...

The Wireshark configuration for the Diameter protocol is:

Reassemble Diameter messages spanning multiple TCP segments -> flagged

TCP ports : 3000-3867,3869-3999

SCTP port(s) : 3868


Comments

Put it on a public fileshare (Dropbox, Google, Onedrive, ...) and update the description with a link to it.

Chuckc ( 2022-11-15 21:24:23 +0000 )

Please provide the tshark command you are using. Specifically, I'm wondering if you are including the -2 option or not. Also, please provide the version information from tshark -v.

cmaynard ( 2022-11-15 22:37:03 +0000 )

No Diameter is found.

No Diameter is found when I open it in

Wireshark 4.0.1 (v4.0.1-0-ge9f3970b1527).

Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Clang 11.0.0 (clang-1100.0.33.16), with GLib 2.68.4,
with PCRE2, with zlib 1.2.11, with Qt 6.2.4, with libpcap, without POSIX
capabilities, with Lua 5.2.4, with GnuTLS 3.6.15 and PKCS #11 support, with
Gcrypt 1.8.7, with Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with
brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with libsmi
0.4.8, with ...
Guy Harris ( 2022-11-16 08:14:06 +0000 )

1 Answer


answered 2022-11-16 14:11:20 +0000

Chuckc

updated 2022-11-16 14:11:56 +0000

Are you using the same Default profile in Wireshark?
Make a custom profile and uncheck Analyze TCP sequence numbers in the TCP Preferences.
Then specify that profile on the tshark command line with the -C option.

Downloads$ tshark -r ./333b.pcapng -C Ask_Diameter
    1   0.000000     10.9.9.9 → 10.10.10.10  TCP 2868 3868 → 33422 [ACK] Seq=2217234530 Ack=773019158 Win=32586 Len=2800 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    2   0.000034     10.9.9.9 → 10.10.10.10  TCP 2868 3868 → 33422 [ACK] Seq=2217238730 Ack=773019158 Win=32586 Len=2800 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    3   0.000044     10.9.9.9 → 10.10.10.10  TCP 892 3868 → 33422 [PSH, ACK] Seq=2217241530 Ack=773019158 Win=32586 Len=824 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    4   0.000028     10.9.9.9 → 10.10.10.10  DIAMETER/XML 1468 cmd=User-Data Answer(306) flags=-P-- appl=3GPP Sh(16777217) h2h=13b8ff6 e2e=3831ef6 |

Downloads$ tshark -r ./333b.pcapng
    1   0.000000 3868     10.9.9.9 33422 10.10.10.10  TCP 2868 10.9.9.9,10.10.10.10  3868 → 33422 [ACK] Seq=1 Ack=1 Win=32586 Len=2800 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    2   0.000034 3868     10.9.9.9 33422 10.10.10.10  TCP 2868 10.9.9.9,10.10.10.10  [TCP Previous segment not captured] 3868 → 33422 [ACK] Seq=4201 Ack=1 Win=32586 Len=2800 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    3   0.000044 3868     10.9.9.9 33422 10.10.10.10  TCP 892 10.9.9.9,10.10.10.10  3868 → 33422 [PSH, ACK] Seq=7001 Ack=1 Win=32586 Len=824 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    4   0.000028 3868     10.9.9.9 33422 10.10.10.10  TCP 1468 10.9.9.9,10.10.10.10  [TCP Retransmission] 3868 → 33422 [ACK] Seq=2801 Ack=1 Win=32586 Len=1400 TSval=665039809 TSecr=2437547668

Downloads$ tshark -v | head -1
TShark (Wireshark) 4.0.1 (v4.0.1-0-ge9f3970b1527).

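In the answer's output, the Default profile treats the Seq=2801 segment as a retransmission and the PDU is never completed, while the custom profile reassembles it and the Diameter dissector finds a complete message. The Python below is an added illustration, not Wireshark's or tshark's code: it models the Diameter header, stitches constructed TCP segments together with and without reordering by sequence number, and uses the header's 24-bit length field to decide when a message is complete. Relative sequence numbers starting at 1, the segment sizes and the zero-filled AVP payload are assumptions; only the command code, application id, flags and identifiers come from the answer's output.

```python
import struct

HDR_LEN = 20           # RFC 6733 header: ver|len(3) flags|cmd(3) app-id h2h e2e
FLAG_PROXIABLE = 0x40  # the "P" bit, shown as flags=-P-- in the tshark output above

def build_diameter_message(cmd_code, app_id, h2h, e2e, flags, avps):
    """Prepend a version-1 Diameter header to an already-encoded AVP blob."""
    return struct.pack(">IIIII", (1 << 24) | (HDR_LEN + len(avps)),
                       (flags << 24) | cmd_code, app_id, h2h, e2e) + avps

def parse_diameter_header(buf):
    """Decode the 20-byte header; None if the buffer cannot hold one."""
    if len(buf) < HDR_LEN:
        return None
    w0, w1, app_id, h2h, e2e = struct.unpack(">IIIII", buf[:HDR_LEN])
    return {"version": w0 >> 24, "length": w0 & 0xFFFFFF, "flags": w1 >> 24,
            "cmd": w1 & 0xFFFFFF, "app_id": app_id, "h2h": h2h, "e2e": e2e}

def reassemble_stream(segments, reorder):
    """Stitch (relative_seq, payload) TCP segments into one byte string.
    reorder=True slots each segment in by sequence number; reorder=False keeps
    capture order and stops at the first segment that does not continue it."""
    if reorder:
        segments = sorted(segments)
    data, expected = bytearray(), 1          # assumed: relative seq starts at 1
    for seq, payload in segments:
        if seq != expected:                  # gap, or data already seen
            break
        data += payload
        expected += len(payload)
    return bytes(data)

def extract_messages(stream):
    """Split a stream into Diameter messages by header length. Returns (headers,
    leftover_bytes); leftover > 0 means "[TCP segment of a reassembled PDU]"."""
    msgs, pos = [], 0
    while True:
        hdr = parse_diameter_header(stream[pos:])
        if hdr is None or len(stream) - pos < hdr["length"]:
            return msgs, len(stream) - pos
        if hdr["length"] < HDR_LEN:          # malformed length would loop forever
            raise ValueError("Diameter length field smaller than the header")
        msgs.append(hdr)
        pos += hdr["length"]

# Constructed sample: one User-Data Answer (cmd 306, 3GPP Sh app 16777217) split
# over three segments, the middle one captured last like the Seq=2801 frame above.
MSG = build_diameter_message(306, 16777217, 0x13b8ff6, 0x3831ef6,
                             FLAG_PROXIABLE, b"\x00" * 2000)
CAPTURE_ORDER = [(1, MSG[:700]), (1401, MSG[1400:]), (701, MSG[700:1400])]
```

Calling `extract_messages(reassemble_stream(CAPTURE_ORDER, True))` yields the complete 2020-byte message; with `reorder=False` only the first 700 bytes are usable and no message is found.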

Comments

Thanks !!!!! Specifying the profile fixed the problem :-)

Alessandro ( 2022-11-16 14:15:56 +0000 )
