Ask Your Question
0

how to use tshark to divide a packet into several records?

asked 2019-02-13 12:59:08 +0000

godbless2you gravatar image

updated 2019-02-15 00:25:07 +0000

I have encountered a problem where I used tshark to extract a packet like that:

Internet Protocol Version 4, Src: 192.168.0.33, Dst: 192.168.0.15
Transmission Control Protocol, Src Port: 179, Dst Port: 2124, Seq: 49, Ack: 265
Border Gateway Protocol - UPDATE Message
    ...
    Path attributes
        ...
        Path Attribute - AS_PATH: 1 2
        ...
Border Gateway Protocol - UPDATE Message
    ...
    Path attributes
        ...
        Path Attribute - AS_PATH: 1 3
        ...
Border Gateway Protocol - UPDATE Message
    ...
    Path attributes
        ...
        Path Attribute = AS_PATH: 2 4
        ...

when I use a command like tshark -r a.cap -e bgp.update.path_attribute.as_path_segment.as4 ..., I get a result like "1 2 1 3 2 4", which is not what I want. I am confused how to use tshark so that I can get results like "1 2","1 3","2 4" as three records?

edit retag flag offensive close merge delete

Comments

I assume you use -T as well? Have you looked into -E, the field print options?

Jaap gravatar imageJaap ( 2019-02-13 13:47:24 +0000 )edit

Thanks a lot for your reply. I use parameter -T and don't use parameter "-E", but according to the user guide by default it will use "-E aggregator=,", which means that it results in the output like "1,2,1,3,2,4". In this case, I can't distinguish which items belongs to the same message. It may be divided into three parts like "1,2","1","3,2,4", or others. Therefore I think this parameter can't help me solve my problem. Looking forward to your reply again.

godbless2you gravatar imagegodbless2you ( 2019-02-14 02:13:08 +0000 )edit

Have you tried working with -E quote=... as well? Otherwise I would have to look into how the output of values you referenced are being produced (if I can find a BGP capture like this) and see what the code is.

Jaap gravatar imageJaap ( 2019-02-14 07:16:48 +0000 )edit

The parameter "-E quote" is used to defined the character used to surround fields, which means that when you use command like "-E quote=s" you will get a result like:

'time' '1' '1,2' ...

It doesn't work inside fields, so I don't think it can solve my problem. I try to upload a sample but unfortunately I don't have enough points to do that. Here is another sample called BGP_AS_set.cap. After you download it, you can try using tshark to extract the AS_PATH and see if you can get the right result that "30" belongs to the AS_SEQUENCE and "{10,20}" belongs to the AS_SET. Please show me your command if you make it success.

Here is my simplified code (some -e fields are ignored):

tshark -r a.cap -Y "bgp.type==2" -T fields -E quote=d

-e ip.src -e ip.dst -e ...(more)

godbless2you gravatar imagegodbless2you ( 2019-02-14 07:44:29 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-02-14 20:56:52 +0000

Jaap gravatar image

updated 2019-02-14 20:58:01 +0000

You assume that the AS's in a path segment are being processed as a set. But what you ask for is the 'as4', or in your later example 'as2' fields (bgp.update.path_attribute.as_path_segment.as2) . When you look at the packet in detail you'll see that each AS4, and AS2, field is added individually to the tree; each is handled individually and therefore shown as such. At that field level there is no notion of groups or sets.

One level up though is where the the grouping comes into view. The AS Path Segment item in the tree nicely shows the collection of AS's in that path segment. So it would be nice if we could use bgp.update.path_attribute.as_path_segment. Unfortunately this item is of type FT_NONE, thus has no value. It is merely a hook to append text to. If you use that as a field to output you'll only be informed of the presence of the item, by means of a 1 in the output.

What seems to be lacking here is assigning some value (a string from the looks of it) to this tree item, so that it can be used as such, producing useable output when used as a field in the output. So in short, no this is currently not possible. I'm not even sure that it is possible at all. It would be an enhancement of the BGP dissector to be looked into.

edit flag offensive delete link more

Comments

A quick hack shows that it may be possible after all. Needs more work though to definitively say so.

Jaap gravatar imageJaap ( 2019-02-14 22:54:01 +0000 )edit

Much thanks for your quick reply.

I read the Wireshark developer's guide v2.9.1 and found that it did work that way you mentioned.

Maybe what I do is to modify and write my own code based on the Wireshark source code.

Thanks again for your help!

godbless2you gravatar imagegodbless2you ( 2019-02-15 00:20:11 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-02-13 12:59:08 +0000

Seen: 701 times

Last updated: Feb 15 '19

Related questions

Using tshark filters to extract only interesting traffic from 12GB trace

Resolve frame subtype and export to csv

Why did file size become bigger after applying filtering on tshark?

how to capture udp traffic with a length of 94

Capture incoming packets from remote web server

Localhost capturing

How to filter out TCP retransmissions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

My UDP packets aren't showing