Flatten a .PCAP file to text (see question for better explanation)

asked Jun 1 '3


Hi guys

I have a PCAP file (uploaded it here since I don't have enough Karma points) containing multiple frames with the following protocols: null:ip:tcp:diameter. I would like to flatten it to text.

Actual solution:

After setting my Wireshark to decode DIAMETER packages and converting the .PCAP file to .JSON, I run a small C# program that parses the JSON to multiple C# "Frame" text objects.

Example for one "frame" object:


  • frame.number: 37
  • frame.encap_type: 15
  • frame.time: May 25, 2023 15:34:13.906377104 Hora estándar central (México)
  • frame.offset_shift: 0.000000000
  • frame.time_epoch: 1685050453.906377104
  • frame.time_delta: 0.045249555
  • frame.time_delta_displayed: 0.045249555
  • frame.time_relative: 685.737007346
  • frame.len: 1304
  • frame.cap_len: 1304
  • frame.marked: 0
  • frame.ignored: 0
  • frame.protocols: null:ip:tcp:diameter
  • frame.coloring_rule.name: TCP
  • frame.coloring_rule.string: tcp
  • diameter.version: 0x01
  • diameter.length: 1248
  • diameter.flags: 0xc0
  • diameter.cmd.code: 272
  • diameter.applicationId: 4
  • diameter.hopbyhopid: 0x18027893
  • diameter.endtoendid: 0x18553069
  • diameter.answer_in: 38
  • diameter.CC-Total-Octets: ESTE FRAME NO TRAE ESTE CAMPO
  • diameter.CC-Input-Octets: 40
  • diameter.CC-Output-Octets: 75
  • diameter.Result-Code: ESTE FRAME NO TRAE ESTE CAMPO
  • diameter.3GPP-Reporting-Reason: 2
  • diameter.CC-Time: ESTE FRAME NO TRAE ESTE CAMPO
  • diameter.Rating-Group: 1

Another example


  • frame.number: 39
  • frame.encap_type: 15
  • frame.time: May 25, 2023 16:11:37.618922277 Hora estándar central (México)
  • frame.offset_shift: 0.000000000
  • frame.time_epoch: 1685052697.618922277
  • frame.time_delta: 2243.658997427
  • frame.time_delta_displayed: 2243.658997427
  • frame.time_relative: 2929.449552519
  • frame.len: 1364
  • frame.cap_len: 1364
  • frame.marked: 0
  • frame.ignored: 0
  • frame.protocols: null:ip:tcp:diameter
  • frame.coloring_rule.name: TCP
  • frame.coloring_rule.string: tcp
  • diameter.version: 0x01
  • diameter.length: 1308
  • diameter.flags: 0xc0
  • diameter.cmd.code: 272
  • diameter.applicationId: 4
  • diameter.hopbyhopid: 0x1802db34
  • diameter.endtoendid: 0x18199300
  • diameter.answer_in: 40
  • diameter.CC-Total-Octets: 5831
  • diameter.CC-Input-Octets: 1361
  • diameter.CC-Output-Octets: 4470
  • diameter.Result-Code: ESTE FRAME NO TRAE ESTE CAMPO
  • diameter.3GPP-Reporting-Reason: HAY VARIOS VALORES EN EL FRAME, SON LOS SIGUIENTES: "3", "5",
  • diameter.CC-Time: 164
  • diameter.Rating-Group: 44

Multiply this by n frames...

Having these objects is very useful because we can extract only specific required values, raise alarms if a specific value is found, etc.

The problem:

The actual scenario works, but converting a big PCAP to a HUGE .JSON file is slow, cumbersome, and not immune to parsing errors. Maybe I'm reinventing the wheel here. Is there a simpler, faster way to accomplish what I'm doing?

PS: If Wireshark doesn't provide a solution and you need my C# program for any reason, I can share it with pleasure. PS: Already tried some C# libraries to parse .PCAP files, but these don't recognize DIAMETER packages.


Comments

Why not extract only the fields you care about with tshark?
https://www.youtube.com/@WireSharkFes...

Chuckc ( Jun 4 '3 )

Very good question Chuckc, the problem is that the list of required fields is too long for passing them as console arguments

menticol ( Jun 6 '3 )

What about a tshark profile that includes the desired fields as columns?

Chuckc ( Jun 6 '3 )
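Putting the two ideas together (the flattened "Frame" objects from the question and Chuckc's suggestion of pulling only the wanted fields out with tshark), here is an added example that is not code from the question, from menticol's C# program or from the Wireshark project. It assumes tshark's `-T ek` output shape (one JSON object per line, each `-e` field under `layers` as a list of strings, field names with `.` and `-` turned into `_`); the sample stream is constructed from the two frames in the question, and absent fields become `None` while repeated AVPs stay a list instead of the "ESTE FRAME NO TRAE ESTE CAMPO" / "HAY VARIOS VALORES" markers.

```python
"""Stream tshark -T ek output and flatten it into per-frame records. Assumed
format (check your tshark version): one JSON object per line, {"index":...}
lines interleaved, each -e field under "layers" as a list of strings, with
'.' and '-' in its name replaced by '_'."""
import json
import subprocess
# Fields from the question's "Frame" objects; in practice read them from a file.
FIELDS = ["frame.number", "diameter.cmd.code", "diameter.CC-Total-Octets",
          "diameter.CC-Input-Octets", "diameter.CC-Output-Octets",
          "diameter.3GPP-Reporting-Reason", "diameter.CC-Time"]
# Constructed sample standing in for the tshark stream (values from the question).
SAMPLE_EK = (
    '{"index":{"_index":"packets-2023-05-25","_type":"doc"}}\n'
    '{"timestamp":"1685050453906","layers":{"frame_number":["37"],"diameter_cmd_code":["272"],'
    '"diameter_CC_Input_Octets":["40"],"diameter_CC_Output_Octets":["75"],"diameter_3GPP_Reporting_Reason":["2"]}}\n'
    '{"index":{"_index":"packets-2023-05-25","_type":"doc"}}\n'
    '{"timestamp":"1685052697618","layers":{"frame_number":["39"],"diameter_cmd_code":["272"],'
    '"diameter_CC_Total_Octets":["5831"],"diameter_CC_Input_Octets":["1361"],"diameter_CC_Output_Octets":["4470"],'
    '"diameter_3GPP_Reporting_Reason":["3","5"],"diameter_CC_Time":["164"]}}\n'
)

def norm(name):
    """'diameter.CC-Total-Octets' and 'diameter_CC_Total_Octets' map to one key."""
    return name.replace(".", "_").replace("-", "_").lower()

def flatten(lines, fields):
    """One dict per frame: str if single value, list if repeated, None if absent."""
    records = []
    for line in lines:
        doc = json.loads(line) if line.strip() else {}
        if "layers" not in doc:          # blank line or EK index line, not a frame
            continue
        layers = {norm(k): v for k, v in doc["layers"].items()}
        rec = {}
        for f in fields:
            vals = layers.get(norm(f)) or []
            rec[f] = None if not vals else (vals[0] if len(vals) == 1 else list(vals))
        records.append(rec)
    return records

def frames_over(records, field, limit):
    """Frame numbers whose numeric field exceeds limit (the 'raise an alarm' case)."""
    return [r["frame.number"] for r in records
            if isinstance(r.get(field), str) and r[field].isdigit() and int(r[field]) > limit]

def run(pcap, fields):
    """Stream tshark line by line instead of materialising one huge JSON file."""
    # argv list, one -e per field: no shell quoting problems with a long field set
    cmd = ["tshark", "-r", pcap, "-T", "ek"] + [a for f in fields for a in ("-e", f)]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True)
    return flatten(proc.stdout, fields)
```

`run("capture.pcap", FIELDS)` consumes tshark's stdout as it is produced, so memory stays flat regardless of capture size; `flatten(SAMPLE_EK.splitlines(), FIELDS)` exercises the same code offline.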