HL7 messages

asked 2023-11-14 12:48:36 +0000

VDP

updated 2023-11-15 08:32:05 +0000


I'm trying to capture an HL7 message and validate it.

I'm running the following:

# tshark -i eth0 -l -Y hl7 -T ek -e hl7.field

I'm getting data such as:

{"timestamp":"1699963629656","layers":{"hl7_field":["MSH","^~\\&","111","XXX","11","XXX","1223345","ADT^A31^ADT_A05","3434634","P","2.7","AL","NE","UNICODE UTF-8","EVN","A31","1223345","HL7_sip^^^^^^^^^^^^^^^","PID","1","346643^^^041^PI~457647657^^^001~3464564565^^^041~07/34564574676-91^^^015","MY^NAME^NAME","&&NAME","567567676345","F","&AV/ STREET^^7046^7^5464565^724^^14","^^PH^^^^123456789~^^CP^^^^123456789","SOME PLACE","N","00000000000000","PV1","N"]}}

I am unable to validate the HL7 data with online validation tools.

I take it I need to use the | separator for each field value.

How can I make sure the captured HL7 message data is "correct"?




I think you will find that it is better to put it in a PCAP file and use Wireshark itself to see what it looks like. But it seems you need to translate "," to | in order to get something more familiar to your parser.

hugo.vanderkooij ( 2023-11-14 13:23:42 +0000 )

I translated "," to |, but it does not validate. It seems I'm missing fields. I need to parse/validate on stdout and in real-time. I cannot use a pcap file or wireshark.

VDP ( 2023-11-14 13:42:42 +0000 )

By using the -T ek option you choose the JSON format as output format and the "hl7_field" contains an array of fields. So the output is not the same as what is actually captured.

Have you tried -T fields -e hl7.field?

I suggest writing to a file using -w /tmp/myfile.pcap, downloading it and opening it in Wireshark to work out what is actually captured. Then use tshark -r myfile.pcap ... to figure out what output would do the job.

André ( 2023-11-15 11:14:21 +0000 )

Yes, I also tried with -T fields, and it's basically the same data except I have to replace , with |. I get something like:


I will try to dump to pcap then. Thanks

VDP ( 2023-11-15 11:27:31 +0000 )

I have to replace , with |

Then use: -T fields -e hl7.field -E 'aggregator=|' (see tshark man page)

Do the 'online validation tools' require the non-printable characters as well?
To output a hexdump try: -T fields -e tcp.payload -Y hl7, that shows in my case that it starts with a hex 0b (vertical tab) and ends with 0d 1c 0d (CR FS CR).

André ( 2023-11-15 14:32:24 +0000 )
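
Added example (not part of the thread and not Wireshark code): a Python script that reads the hex lines printed by `-T fields -e tcp.payload -Y hl7`, checks the 0b ... 1c 0d framing described in the last comment, and splits the message into segments and fields so that empty fields and segment boundaries survive. It assumes one complete message per TCP payload; the function names and the sample message are constructed for illustration.

```python
import sys

SB, EB, CR = b"\x0b", b"\x1c", b"\x0d"  # MLLP start block, end block, carriage return

def from_tshark_hex(line: str) -> bytes:
    """Decode one tcp.payload line; tolerate colon-separated hex."""
    return bytes.fromhex(line.strip().replace(":", ""))

def unframe_mllp(payload: bytes) -> bytes:
    """Strip the 0b ... 1c 0d framing, rejecting partial or unframed payloads."""
    if not payload.startswith(SB):
        raise ValueError("payload does not start with 0x0b")
    if not payload.endswith(EB + CR):
        raise ValueError("payload does not end with 0x1c 0x0d")
    return payload[1:-2]

def parse_hl7(message: bytes, encoding: str = "utf-8"):
    """Return (field separator, list of segments, each a list of fields)."""
    segments = [s for s in message.decode(encoding).split("\r") if s]
    if not segments or not segments[0].startswith("MSH") or len(segments[0]) < 8:
        raise ValueError("first segment is not a usable MSH")
    sep = segments[0][3]  # MSH-1: the character right after "MSH"
    parsed = [seg.split(sep) for seg in segments]
    for fields in parsed:
        if len(fields[0]) != 3:
            raise ValueError(f"bad segment id: {fields[0]!r}")
    return sep, parsed

# Constructed sample: a short ADT^A31 message with an empty MSH-8, MLLP-framed.
SAMPLE = (b"MSH|^~\\&|111|XXX|11|XXX|1223345||ADT^A31^ADT_A05|3434634|P|2.7\r"
          b"EVN|A31|1223345\r"
          b"PID|1||346643^^^041^PI\r")
SAMPLE_HEX = (SB + SAMPLE + EB + CR).hex()

if __name__ == "__main__":
    # Usage: tshark -i eth0 -l -Y hl7 -T fields -e tcp.payload | python3 this_script.py
    for line in sys.stdin:
        if not line.strip():
            continue
        try:
            sep, segs = parse_hl7(unframe_mllp(from_tshark_hex(line)))
        except ValueError as err:
            print(f"rejected: {err}", file=sys.stderr)
            continue
        for fields in segs:
            print(sep.join(fields))
        sys.stdout.flush()
```

A message split across several TCP segments will be rejected by the framing check rather than parsed as a truncated message.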