Ask Your Question

tshark not showing diameter data

asked 2018-07-19 09:18:35 +0000

Ahmad12345 gravatar image

When I use wireshark program I can see all data related to diameter (AVP: Multiple-Services-Credit-Control, AVP: Service-Information, ... ), but when using tshark command I get only (Data (708 Bytes) and some HEX values).

Command I use when Capturing : sudo tcpdump -i eno1 host x.x.x.x -s0 -w test.pcap Command I use when displaying file(test.pcap):tshark - r test.pcap -q -V

Please send me the right configuration to get all diameter data readable not in HEX

edit retag flag offensive close merge delete


You say the display in Wireshark is different, are you viewing the same capture file on the same machine as when using tshark?

grahamb gravatar imagegrahamb ( 2018-07-19 09:21:14 +0000 )edit

I used wireshark program on windows to open (test.pcap) file and all field for diameter are shown, but when I use tshark command for the same file (test.pcap) on ubuntu server I get same results except for diameter field I (data size and Hex values for data).

Ahmad12345 gravatar imageAhmad12345 ( 2018-07-19 09:42:33 +0000 )edit

As you're running on different OS's you'll be using different profiles and probably different versions.

What's the Windows Wireshark version and Ubuntu tshark version?

What happens if you use tshark from a command prompt on Windows?

grahamb gravatar imagegrahamb ( 2018-07-19 10:01:04 +0000 )edit

My wireshark version on windows (Version 2.2.5 (v2.2.5-0-g440fd4d)). On Ubuntu tshark (Wireshark) (Git v2.4.5 package as 2.4.5-1).


Ahmad12345 gravatar imageAhmad12345 ( 2018-07-19 10:25:55 +0000 )edit

You could try installing 2.4.5 on Windows so we're at least comparing apples with apples. Note that that isn't the current stable version, that is 2.6.2 which was just released yesterday.

grahamb gravatar imagegrahamb ( 2018-07-19 10:37:14 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2018-07-19 10:59:59 +0000

grahamb gravatar image

Your last comment has given the game away. You'll need to supply "Decode As" info to tshark, try something like:

tshark -r test.pcap -d tcp.port==40201,diameter.3gpp -q -V

Adjusting as required for your diameter type (use tshark -d . to see what's supported in your version) and protocol it's running over (might be SCTP). This is presuming that tshark 2.4.5 has the -d parameter.

edit flag offensive delete link more


It worked, Thanks very much. But I have to use -d tcp.port==40201,diameter without(.3gpp).

Ahmad12345 gravatar imageAhmad12345 ( 2018-07-19 11:09:04 +0000 )edit

If an answer has solved your issue please accept it, for the benefit of others who might have the same issue, by clicking the "checkmark" icon next to the answer.

grahamb gravatar imagegrahamb ( 2018-07-19 11:46:19 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-07-19 09:18:35 +0000

Seen: 29 times

Last updated: Jul 19