Flatten a .PCAP file to text (see question for better explanation)
Hi guys
I have a PCAP file (uploaded it here since I don't have enough Karma points) containing multiple frames with the following protocols: null:ip:tcp:diameter. I would like to flatten it to text.
Actual solution:
After setting my Wireshark to decode DIAMETER packages and converting the .PCAP file to .JSON, I run a small C# program that parses the JSON to multiple C# "Frame" text objects.
Example for one "frame" object:
- frame.number: 37
- frame.encap_type: 15
- frame.time: May 25, 2023 15:34:13.906377104 Hora estándar central (México)
- frame.offset_shift: 0.000000000
- frame.time_epoch: 1685050453.906377104
- frame.time_delta: 0.045249555
- frame.time_delta_displayed: 0.045249555
- frame.time_relative: 685.737007346
- frame.len: 1304
- frame.cap_len: 1304
- frame.marked: 0
- frame.ignored: 0
- frame.protocols: null:ip:tcp:diameter
- frame.coloring_rule.name: TCP
- frame.coloring_rule.string: tcp
- diameter.version: 0x01
- diameter.length: 1248
- diameter.flags: 0xc0
- diameter.cmd.code: 272
- diameter.applicationId: 4
- diameter.hopbyhopid: 0x18027893
- diameter.endtoendid: 0x18553069
- diameter.answer_in: 38
- diameter.CC-Total-Octets: ESTE FRAME NO TRAE ESTE CAMPO
- diameter.CC-Input-Octets: 40
- diameter.CC-Output-Octets: 75
- diameter.Result-Code: ESTE FRAME NO TRAE ESTE CAMPO
- diameter.3GPP-Reporting-Reason: 2
- diameter.CC-Time: ESTE FRAME NO TRAE ESTE CAMPO
- diameter.Rating-Group: 1
Another example
- frame.number: 39
- frame.encap_type: 15
- frame.time: May 25, 2023 16:11:37.618922277 Hora estándar central (México)
- frame.offset_shift: 0.000000000
- frame.time_epoch: 1685052697.618922277
- frame.time_delta: 2243.658997427
- frame.time_delta_displayed: 2243.658997427
- frame.time_relative: 2929.449552519
- frame.len: 1364
- frame.cap_len: 1364
- frame.marked: 0
- frame.ignored: 0
- frame.protocols: null:ip:tcp:diameter
- frame.coloring_rule.name: TCP
- frame.coloring_rule.string: tcp
- diameter.version: 0x01
- diameter.length: 1308
- diameter.flags: 0xc0
- diameter.cmd.code: 272
- diameter.applicationId: 4
- diameter.hopbyhopid: 0x1802db34
- diameter.endtoendid: 0x18199300
- diameter.answer_in: 40
- diameter.CC-Total-Octets: 5831
- diameter.CC-Input-Octets: 1361
- diameter.CC-Output-Octets: 4470
- diameter.Result-Code: ESTE FRAME NO TRAE ESTE CAMPO
- diameter.3GPP-Reporting-Reason: HAY VARIOS VALORES EN EL FRAME, SON LOS SIGUIENTES: "3", "5",
- diameter.CC-Time: 164
- diameter.Rating-Group: 44
Multiply this for n frames...
Having these objects is very useful because we can extract only specific required values, raise alarms if a specific value is found, etc.
The problem:
The actual scenario works, but converting a big PCAP to a HUGE .JSON file is slow, cumbersome, and not immune to parsing errors. Maybe I'm reinventing the wheel here. Is there a simpler, faster way to accomplish what I'm doing?
PS: If Wireshark doesn't provide a solution and you need my C# program for any reason, I can share it with pleasure.
PS: Already tried some C# libraries to parse .PCAP files, but these don't recognize DIAMETER packages.
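The flattening step described above (one text record per frame, with a marker for fields the frame does not carry and a list for fields that occur several times inside grouped AVPs) can be done without a hand-written JSON-to-object layer if tshark emits the JSON directly. The following Python script is an added example, not the poster's C# program or a Wireshark tool: it walks the nested `layers` object that `tshark -r file.pcap -T json --no-duplicate-keys` produces, collects every occurrence of the requested field names at any nesting depth, and renders the same `- field: value` layout shown in the question. The embedded sample JSON is constructed for the example and only loosely imitates tshark's layout (the `AVP: ...` group keys are placeholders), so the walker is written to be independent of the exact key names tshark uses; the list of wanted fields is taken from the question's output.

```python
"""Flatten tshark JSON into one flat record per frame (added example)."""
import json
import sys

MISSING = "<field not present in this frame>"

# Constructed sample in the shape of `tshark -T json --no-duplicate-keys` output.
# Two frames; AVP group keys are placeholders, not real tshark labels.
SAMPLE_TSHARK_JSON = r"""[
  {"_source": {"layers": {
    "frame": {"frame.number": "37", "frame.len": "1304",
              "frame.protocols": "null:ip:tcp:diameter"},
    "diameter": {
      "diameter.version": "0x01", "diameter.cmd.code": "272",
      "AVP: CC-Input-Octets (constructed)": {"diameter.CC-Input-Octets": "40"},
      "AVP: CC-Output-Octets (constructed)": {"diameter.CC-Output-Octets": "75"},
      "AVP: 3GPP-Reporting-Reason (constructed)": {"diameter.3GPP-Reporting-Reason": "2"}
    }}}},
  {"_source": {"layers": {
    "frame": {"frame.number": "39", "frame.len": "1364",
              "frame.protocols": "null:ip:tcp:diameter"},
    "diameter": {
      "diameter.version": "0x01", "diameter.cmd.code": "272",
      "AVP: CC-Total-Octets (constructed)": {"diameter.CC-Total-Octets": "5831"},
      "AVP: Multiple-Services-Credit-Control (constructed)": {
        "AVP: 3GPP-Reporting-Reason (constructed)": {"diameter.3GPP-Reporting-Reason": "3"},
        "AVP: Used-Service-Unit (constructed)": {
          "AVP: 3GPP-Reporting-Reason (constructed)": {"diameter.3GPP-Reporting-Reason": "5"},
          "diameter.CC-Time": "164"
        }
      }
    }}}}
]"""

# Field names taken from the question's output; the order is the output order.
WANTED_FIELDS = [
    "frame.number", "frame.len", "frame.protocols",
    "diameter.version", "diameter.cmd.code",
    "diameter.CC-Total-Octets", "diameter.CC-Input-Octets",
    "diameter.CC-Output-Octets", "diameter.3GPP-Reporting-Reason",
    "diameter.CC-Time", "diameter.Result-Code",
]


def collect(node, wanted, out):
    """Record every occurrence of a wanted key anywhere under `node`."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in wanted:
                # --no-duplicate-keys already turns repeated keys into lists.
                values = value if isinstance(value, list) else [value]
                out.setdefault(key, []).extend(str(v) for v in values)
            collect(value, wanted, out)  # grouped AVPs nest their children
    elif isinstance(node, list):
        for item in node:
            collect(item, wanted, out)


def flatten_frame(packet, wanted=WANTED_FIELDS):
    """One flat record: a string, a list for repeated fields, MISSING if absent."""
    found = {}
    collect(packet["_source"]["layers"], set(wanted), found)
    record = {}
    for name in wanted:
        values = found.get(name, [])
        record[name] = MISSING if not values else (values[0] if len(values) == 1 else values)
    return record


def flatten_capture(tshark_json, wanted=WANTED_FIELDS):
    """Flatten the whole tshark JSON array into a list of records."""
    return [flatten_frame(p, wanted) for p in json.loads(tshark_json)]


def render(record):
    """Text form matching the question's '- field: value' layout."""
    lines = []
    for name, value in record.items():
        if isinstance(value, list):
            value = "multiple values in this frame: " + ", ".join(f'"{v}"' for v in value)
        lines.append(f"- {name}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the path of a `tshark -T json --no-duplicate-keys` dump, or use the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TSHARK_JSON
    for rec in flatten_capture(source):
        print(render(rec), end="\n\n")
```

Running it with no argument prints the two constructed frames; with a file argument it processes a real tshark dump. Because the walker matches on field names rather than on the group labels, the same script keeps working when the AVP nesting differs from the sample, and the `MISSING` marker and the list-for-repeats rule cover the two edge cases visible in the question's output.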
Why not extract only the fields you care about with tshark? https://www.youtube.com/@WireSharkFes...
Very good question, Chuckc. The problem is that the list of required fields is too long to pass as console arguments.
What about a tshark profile that includes the desired fields as columns?