# how to use tshark to divide a packet into several records?

I have encountered a problem where I used tshark to extract a packet like that:

```
Internet Protocol Version 4, Src: 192.168.0.33, Dst: 192.168.0.15
Transmission Control Protocol, Src Port: 179, Dst Port: 2124, Seq: 49, Ack: 265
Border Gateway Protocol - UPDATE Message
...
Path attributes
...
Path Attribute - AS_PATH: 1 2
...
Border Gateway Protocol - UPDATE Message
...
Path attributes
...
Path Attribute - AS_PATH: 1 3
...
Border Gateway Protocol - UPDATE Message
...
Path attributes
...
Path Attribute - AS_PATH: 2 4
...
```


When I use a command like `tshark -r a.cap -e bgp.update.path_attribute.as_path_segment.as4 ...`, I get a result like "1 2 1 3 2 4", which is not what I want. I am confused about how to use tshark so that I can get results like "1 2", "1 3", "2 4" as three records.


I assume you use -T as well? Have you looked into -E, the field print options?

( 2019-02-13 13:47:24 +0000 )

Thanks a lot for your reply. I use parameter -T and don't use parameter "-E", but according to the user guide by default it will use "-E aggregator=,", which means that it results in output like "1,2,1,3,2,4". In this case, I can't distinguish which items belong to the same message. It may be divided into three parts like "1,2","1","3,2,4", or others. Therefore I think this parameter can't help me solve my problem. Looking forward to your reply again.

( 2019-02-14 02:13:08 +0000 )

Have you tried working with -E quote=... as well? Otherwise I would have to look into how the output of the values you referenced is being produced (if I can find a BGP capture like this) and see what the code is.

( 2019-02-14 07:16:48 +0000 )

The parameter "-E quote" is used to define the character used to surround fields, which means that when you use a command like "-E quote=s" you will get a result like:

'time' '1' '1,2' ...

It doesn't work inside fields, so I don't think it can solve my problem. I tried to upload a sample but unfortunately I don't have enough points to do that. Here is another sample called BGP_AS_set.cap. After you download it, you can try using tshark to extract the AS_PATH and see if you can get the right result, that "30" belongs to the AS_SEQUENCE and "{10,20}" belongs to the AS_SET. Please show me your command if you succeed.

Here is my simplified code (some -e fields are ignored):

```
tshark -r a.cap -Y "bgp.type==2" -T fields -E quote=d -e ip.src -e ip.dst -e ...(more)
```

( 2019-02-14 07:44:29 +0000 )


You assume that the AS's in a path segment are being processed as a set. But what you ask for is the 'as4', or in your later example 'as2', fields (bgp.update.path_attribute.as_path_segment.as2). When you look at the packet in detail you'll see that each AS4, and AS2, field is added individually to the tree; each is handled individually and therefore shown as such. At that field level there is no notion of groups or sets.

One level up though is where the grouping comes into view. The AS Path Segment item in the tree nicely shows the collection of AS's in that path segment. So it would be nice if we could use bgp.update.path_attribute.as_path_segment. Unfortunately this item is of type FT_NONE, thus has no value. It is merely a hook to append text to. If you use that as a field to output you'll only be informed of the presence of the item, by means of a 1 in the output.

What seems to be lacking here is assigning some value (a string from the looks of it) to this tree item, so that it can be used as such, producing usable output when used as a field in the output. So in short, no, this is currently not possible. I'm not even sure that it is possible at all. It would be an enhancement of the BGP dissector to be looked into.

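The answer's point is that the grouping exists one level up in the dissection tree, even though `-T fields` flattens it away. tshark's other output formats keep that tree: `-T pdml` emits XML in which each `bgp.update.path_attribute.as_path_segment.as4` field is nested inside its `bgp.update.path_attribute.as_path_segment` parent. The following script is an added example, not code from the question, the answer or the Wireshark project. It parses a hand-constructed PDML fragment shaped like the question's packet (three UPDATE messages in one TCP segment) and emits one record per AS path segment, alongside the flattened string that `-T fields` would give. It assumes the capture was exported with `tshark -r a.cap -Y "bgp.type==2" -T pdml` and that the nesting matches the tree shown in the question.

```python
"""Group BGP AS_PATH numbers per AS path segment from tshark PDML output.

Added example, not part of the original question or answer. Assumes the
packet was exported with `tshark -r a.cap -Y "bgp.type==2" -T pdml`, which
preserves the dissection tree as nested <field> elements.
"""
import csv
import io
import xml.etree.ElementTree as ET

SEGMENT = "bgp.update.path_attribute.as_path_segment"
# The page mentions both the 2-byte and 4-byte AS field variants.
AS_FIELDS = {SEGMENT + ".as4", SEGMENT + ".as2"}

# Constructed sample PDML, trimmed to the fields this example needs. It is not
# real tshark output; the AS numbers match the "1 2", "1 3", "2 4" in the question.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="constructed-sample">
  <packet>
    <proto name="ip" showname="Internet Protocol Version 4">
      <field name="ip.src" show="192.168.0.33"/>
      <field name="ip.dst" show="192.168.0.15"/>
    </proto>
    <proto name="bgp" showname="Border Gateway Protocol - UPDATE Message">
      <field name="bgp.update.path_attributes" showname="Path attributes">
        <field name="bgp.update.path_attribute.as_path_segment" showname="AS Path segment: 1 2" show="">
          <field name="bgp.update.path_attribute.as_path_segment.as4" show="1"/>
          <field name="bgp.update.path_attribute.as_path_segment.as4" show="2"/>
        </field>
      </field>
    </proto>
    <proto name="bgp" showname="Border Gateway Protocol - UPDATE Message">
      <field name="bgp.update.path_attributes" showname="Path attributes">
        <field name="bgp.update.path_attribute.as_path_segment" showname="AS Path segment: 1 3" show="">
          <field name="bgp.update.path_attribute.as_path_segment.as4" show="1"/>
          <field name="bgp.update.path_attribute.as_path_segment.as4" show="3"/>
        </field>
      </field>
    </proto>
    <proto name="bgp" showname="Border Gateway Protocol - UPDATE Message">
      <field name="bgp.update.path_attributes" showname="Path attributes">
        <field name="bgp.update.path_attribute.as_path_segment" showname="AS Path segment: 2 4" show="">
          <field name="bgp.update.path_attribute.as_path_segment.as4" show="2"/>
          <field name="bgp.update.path_attribute.as_path_segment.as4" show="4"/>
        </field>
      </field>
    </proto>
  </packet>
</pdml>
"""


def _show(packet, name):
    """Return the 'show' value of the first field called `name`, or ''."""
    field = packet.find(f".//field[@name='{name}']")
    return field.get("show", "") if field is not None else ""


def as_path_segments(pdml_text):
    """One record (ip.src, ip.dst, 'AS AS ...') per AS path segment.

    The segment element is FT_NONE, so its own 'show' is empty and is
    ignored; the AS numbers are collected from its child fields instead.
    """
    records = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        src, dst = _show(packet, "ip.src"), _show(packet, "ip.dst")
        for seg in packet.iter("field"):
            if seg.get("name") != SEGMENT:
                continue
            asns = [f.get("show") for f in seg.iter("field")
                    if f.get("name") in AS_FIELDS]
            records.append((src, dst, " ".join(asns)))
    return records


def flattened_as_numbers(pdml_text):
    """What `-T fields -e ...as_path_segment.as4` yields: one string per packet."""
    return [" ".join(f.get("show") for f in packet.iter("field")
                     if f.get("name") in AS_FIELDS)
            for packet in ET.fromstring(pdml_text).iter("packet")]


def to_csv(records):
    """Render records as quoted CSV lines, the shape the question asked for."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    print("flattened:", flattened_as_numbers(SAMPLE_PDML))
    print(to_csv(as_path_segments(SAMPLE_PDML)), end="")
```

To run it against a real capture, replace `SAMPLE_PDML` with the output of `tshark -r a.cap -Y "bgp.type==2" -T pdml` (for example `sys.stdin.read()` after piping). Any extra attributes tshark adds to the `<field>` elements (`showname`, `size`, `pos`, `value`) are ignored by the lookups above, which key only on `name` and `show`.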

A quick hack shows that it may be possible after all. Needs more work though to definitively say so.

( 2019-02-14 22:54:01 +0000 )

I read the Wireshark developer's guide v2.9.1 and found that it does work the way you mentioned.

Maybe what I do is to modify and write my own code based on the Wireshark source code.

( 2019-02-15 00:20:11 +0000 )