Ask Your Question
-1

How to convert .pcap to text format for twamp without using tshark

asked 2018-08-13 12:10:52 +0000

meena gravatar image

updated 2018-08-14 09:34:59 +0000

grahamb gravatar image

If there is a way to display in key value pair , it's better. Tshark commands are of no use for twamp protocol. Tshark needs information about the way to decode for twamp protocol

edit retag flag offensive close merge delete

Comments

Are you asking for a dissector for twamp protocol, or are there issues with twamp dissection?

Assuming twamp refers to Two-Way Active Measurement Protocol, then a dissector has been built in to Wireshark since version 2.6, so make sure you're using that version, or newer.

If your issue is with dissection of twamp can you share a capture file that illustrates the issue?

grahamb gravatar imagegrahamb ( 2018-08-13 12:34:21 +0000 )edit

Yes twamp is exactly that. In the capture file, need to verify dscp value (that's why want in a key value pair display) . In the text format that I have got using tshark , doesn't parse such information.

meena gravatar imagemeena ( 2018-08-13 17:09:26 +0000 )edit

So can you share a capture file so that we can help you get the tshark output you want, probably using -T fields -e xxx?

dscp doesn't seem to be a twamp field, so are you referring to the IP DSCP field?

grahamb gravatar imagegrahamb ( 2018-08-13 17:36:32 +0000 )edit

Text from capture:

Frame 7: 
    Source Port: 62862
    Destination Port: 862
    [Stream index: 0]
     ...
TwoWay Active Measurement Control Protocol
    Control Command: Request-TW-Session (5)
    IP Version: 4
    .....
    Timeout: -2085978496.000000000 seconds
    Type-P Descriptor: 0x2e000000 (DSCP: 771751936)

this is the captured file. have to verify Type-P Descriptor: 0x2e000000. So is there a command to display in key value pair on CLI this .pcap file

meena gravatar imagemeena ( 2018-08-13 18:04:04 +0000 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-05-11 13:20:14 +0000

sajax gravatar image

Found following way to decode it in Wireshark itself without need of command line:

  1. Load the pcap file in Wireshark GUI
  2. Select the "Data Bytes" post "UDP Payload" of any TWAMP Test Frame
  3. Right Click and select "Decode As".
  4. Then add row(s) and mapping the UDP Source and/or Destination port used in Test Frame to "TWAMP.Test"

Using this method it started decoding the TWAMP Frames.

Wireshark version is use is 3.0.7.

PS: Do also ensure that you have enabled TWAMP-Test and TWAMP-Control protocol options from Menu-> "Analyze->Enabled Protocols"

Thanks and Regards Sajax

edit flag offensive delete link more
add a comment
0

answered 2018-08-14 09:33:09 +0000

grahamb gravatar image

Try using:

tshark -r your.pcap -T fields -e frame.number -e twamp.control.type-p
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-08-13 12:10:52 +0000

Seen: 979 times

Last updated: May 11 '20

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2