HL7 messages

asked 2023-11-14 12:48:36 +0000

VDP

updated 2023-11-15 08:32:05 +0000

Hi,

I'm trying to capture an HL7 message and validate it.

I'm running the following:

# tshark -i eth0 -l -Y hl7 -T ek -e hl7.field

I'm getting data such as:

{"timestamp":"1699963629656","layers":{"hl7_field":["MSH","^~\\&","111","XXX","11","XXX","1223345","ADT^A31^ADT_A05","3434634","P","2.7","AL","NE","UNICODE UTF-8","EVN","A31","1223345","HL7_sip^^^^^^^^^^^^^^^10.0.1.9","PID","1","346643^^^041^PI~457647657^^^001~3464564565^^^041~07/34564574676-91^^^015","MY^NAME^NAME","&&NAME","567567676345","F","&AV/ STREET^^7046^7^5464565^724^^14","^^PH^^^^123456789~^^CP^^^^123456789","SOME PLACE","N","00000000000000","PV1","N"]}}

I am unable to validate the HL7 data with online validation tools.

I take it I need to use the | separator for each field value.

How can I make sure the captured HL7 message data is "correct"?

Regards


Comments

I think you will find that it is better to put it in a PCAP file and use Wireshark itself to see what it looks like. But it seems you need to translate "," to | in order to get something more familiar to your parser.

hugo.vanderkooij ( 2023-11-14 13:23:42 +0000 )

I translated "," to |, but it does not validate. It seems I'm missing fields. I need to parse/validate on stdout and in real-time. I cannot use a pcap file or wireshark.

VDP ( 2023-11-14 13:42:42 +0000 )

By using the -T ek option you choose the JSON format as output format and the "hl7_field" contains an array of fields. So the output is not the same as what is actually captured.

Have you tried -T fields -e hl7.field?

I suggest writing to a file using -w /tmp/myfile.pcap, downloading it and opening it in Wireshark to work out what is actually captured. Then use tshark -r myfile.pcap ... to figure out what output would do the job.

André ( 2023-11-15 11:14:21 +0000 )

Yes, I also tried with -T fields, and it's basically the same data except I have to replace , with |. I get something like:

MSH,^~\&,...,...,etc,...

I will try to dump to pcap then. Thanks

VDP ( 2023-11-15 11:27:31 +0000 )

I have to replace , with |

Then use: -T fields -e hl7.field -E 'aggregator=|' (see tshark man page)

Do the 'online validation tools' require the non-printable characters as well?
To output a hexdump try: -T fields -e tcp.payload -Y hl7, that shows in my case that it starts with a hex 0b (vertical tab) and ends with 0d 1c 0d (CR FS CR).

André ( 2023-11-15 14:32:24 +0000 )

I've used several, but ended up with HL7 Inspector:

I don't think I need tcp.payload.

I tried several HL7 messages I've captured, but none seem to be "valid" even when using -E 'aggregator=|' (HL7 Inspector is the only one I've found that does not "complain" about the format, but it still doesn't give the results I was hoping for). Sorry if I'm new to HL7 and probably screwing things up. I'll try to anonymize a full HL7 message and paste it here for clarity:

https://pastebin.pl/view/35a33905

I'm trying to understand the HL7 structure and how to properly and meaningfully extract data from it. As a simple example, I'd like to monitor, say, cholesterol levels (sent via LIS lab results) according to patient ...(more)

VDP ( 2023-11-16 11:19:07 +0000 )

On top of the field sequence issue noted above, it also seems that my tshark commands output the whole HL7 message on just one line (with or without -l). However, correct me if I'm wrong, but I think MSH, OBX, etc. should be on their own lines. How do I make sure tshark outputs or encodes the line feeds?

BTW, -e hl7.raw outputs blank chars on the console. What is hl7.raw for?

VDP ( 2023-11-16 17:22:01 +0000 )

Looking at https://gitlab.com/wireshark/wireshar... the hl7.field field contains only the contents of a field, thus the separators are stripped off. That is why the Carriage Returns (\r) are not printed when using -e hl7.field.

The raw fields only work when enabled in the HL7 protocol preferences.

tshark -2 -Y hl7 -o hl7.display_raw:TRUE -E escape=n -Tfields -e hl7.raw

(-o hl7.display_llp:TRUE to enable LLP markers.)

By the way: most terminals will just overwrite the same line when \r is used, because that is what Carriage Return means...

André ( 2023-11-16 20:05:16 +0000 )

It seems that I can now get all the segments of an HL7 message with this command:

# tshark -i eth0 -l -Y hl7 -T ek -e hl7.segment -E aggregator=\|

hl7.segment is an array with all the segments (MSH, PID, OBX, etc.).

I still don't know what hl7.field does except maybe put every segment in a single string.

So I guess I'm OK with that for now. Thank you very much.

Now all I need to do is make sure tshark only outputs to stdout.

If I run the above command I get:

 ** (tshark:73679) 15:18:20.257990 [Main MESSAGE] -- Capture started.
 ** (tshark:73679) 15:18:20.258090 [Main MESSAGE] -- File: "/tmp/wireshark_ext.65UT4FE2.pcapng"

Why is it trying to dump to /tmp if I didn't specify -w?

# tshark -i eth0 -l -Y hl7 -T ek -e hl7.segment -E aggregator=\| -q -w -
tshark ...
(more)
VDP ( 2023-11-17 14:25:39 +0000 )

hl7.segment is an array with all the segments (MSH, PID, OBX, etc.).
I still don't know what hl7.field does except maybe put every segment in a single string.

Like the hl7.segment field contains an HL7 segment, the hl7.field field contains an HL7 field. By using -e hl7.field you tell tshark to output all fields joined together using the aggregator character, which is comma by default.

Why is it trying to dump to /tmp if I didn't specify -w?

Neither TShark nor Wireshark does the actual capturing. Both call dumpcap for that. Normally you don't see that message unless you increase the log level.

By "dissected packets" does it refer to "-e hl7.segment"? What does it mean by "raw packet data"?

The "raw packet data" is the data as it is captured and how it is stored in a pcap file (-w option).
The ...(more)

André ( 2023-11-17 21:59:31 +0000 )
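Putting the thread's pieces together (the hl7_segment array from -T ek, the CR segment terminator that -e hl7.segment strips, the LLP 0b ... 1c 0d framing André saw in tcp.payload, and the MSH-declared separators), here is an added example script that is not part of this thread or of Wireshark: it rebuilds the message from one ek JSON line, optionally re-adds LLP framing, and parses fields by the delimiters MSH declares instead of assuming | and ^. The ek record and its segment contents are constructed sample data modelled on the anonymised MSH/PID shown in the question.

```python
import json

VT, FS, CR = "\x0b", "\x1c", "\r"  # LLP start block, end block, CR

# Constructed sample: one JSON line as `tshark -T ek -e hl7.segment` emits it
EK_LINE = json.dumps({"timestamp": "1699963629656", "layers": {"hl7_segment": [
    "MSH|^~\\&|111|XXX|11|XXX|1223345||ADT^A31^ADT_A05|3434634|P|2.7",
    "EVN|A31|1223345",
    "PID|1||346643^^^041^PI~457647657^^^001||MY^NAME^NAME||567567676345|F",
    "PV1|N",
]}})


def segments_from_ek(line):
    """Return the hl7_segment array of one ek record ([] if it has none)."""
    return json.loads(line).get("layers", {}).get("hl7_segment", [])


def rebuild_message(segments, llp=False):
    """Join segments with CR (the terminator -e hl7.segment strips);
    optionally wrap in the LLP framing bytes seen in tcp.payload."""
    body = CR.join(segments) + CR
    return VT + body + FS + CR if llp else body


def parse_message(msg):
    """Split a rebuilt message into {segment_id: [field, ...]} using the
    field separator declared right after 'MSH' (MSH-1)."""
    msg = msg.strip(VT + FS + CR)  # tolerate LLP-framed or bare input
    if not msg.startswith("MSH") or len(msg) < 8:
        raise ValueError("message must start with MSH and its encoding chars")
    field_sep = msg[3]
    parsed = {}
    for seg in msg.split(CR):
        fields = seg.split(field_sep)
        if fields[0] == "MSH":  # by convention MSH-1 is the separator itself
            fields.insert(1, field_sep)
        parsed[fields[0]] = fields[1:]
    return parsed


def field(parsed, seg_id, idx):
    """Return field seg_id-idx as [repetition][component], split with the
    component (^) and repetition (~) characters declared in MSH-2."""
    comp_sep, rep_sep = parsed["MSH"][1][0], parsed["MSH"][1][1]
    fields = parsed.get(seg_id, [])
    raw = fields[idx - 1] if idx <= len(fields) else ""
    return [rep.split(comp_sep) for rep in raw.split(rep_sep)]


if __name__ == "__main__":
    parsed = parse_message(rebuild_message(segments_from_ek(EK_LINE)))
    print(field(parsed, "PID", 3))  # patient identifier repetitions
```

Feed it the ek lines from `tshark -i eth0 -l -Y hl7 -T ek -e hl7.segment` one per record; the rebuilt CR-separated text is what a validator such as HL7 Inspector expects.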