This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can I use tshark to output name/value pairs of Radius VSA attributes?

0

When decoding RADIUS traffic, Wireshark displays Attribute Value Pairs in a format such as:

   + AVP: l=22 t=user-Name(1): [email protected]
   + AVP: l=17 t=Calling-Station-Id(31): ABCDEFG

etc.

Is there a way to use tshark to output these name value pairs as text?

e.g. row 1 user-name [email protected] Calling-Station-Id ABCDEFG

Thanks in advance.

asked 18 Nov '10, 07:52

mlampell


2 Answers:

1

Or you can use tshark with the "-T fields" option to extract the fields of interest:

$ tshark -nlr RADIUS.cap -R "radius.code == 1" -T fields \
     -e frame.time -e radius.User_Name -e radius.Calling_Station_Id
Aug  2, 2008 00:52:17.872968000 John.McGuirk    00-14-22-E9-54-5E
Aug  2, 2008 00:52:17.916736000 John.McGuirk    00-14-22-E9-54-5E
$

answered 20 Nov '10, 03:02

SYN-bit ♦♦

Thanks SYNbit, your answer works very well.

(29 Nov '10, 14:06) mlampell

1

tshark does show the AVP name/value pairs if you show the packet details using the -V switch. However it also shows all the packet details. :)

You can use grep (or something similar) to filter for just the name/value lines from the tshark output; does this meet your needs?

tshark -nVr <filename> | grep "AVP:"

   AVP: l=6  t=Service-Type(6): Framed(2)
   AVP: l=6  t=Framed-Protocol(7): GPRS-PDP-Context(7)
   AVP: l=12  t=Vendor-Specific(26) v=3GPP(10415)
   AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
   AVP: l=4  t=User-Name(1): aj
   AVP: l=19  t=CHAP-Password(3): 012b9d0750c7de94e99492fbe8083e3dbc
   AVP: l=22  t=CHAP-Challenge(60): 7eca5d703bf5d617ef9746349ab0adc93c400ad4
   AVP: l=6  t=NAS-IP-Address(4): 10.147.4.165
   AVP: l=6  t=NAS-Port(5): 99996
   AVP: l=6  t=Framed-IP-Address(8): 10.146.8.251
   AVP: l=15  t=Calling-Station-Id(31): 8613505619900
   AVP: l=7  t=Called-Station-Id(30): cmwap

answered 18 Nov '10, 08:28

Bill Meier ♦♦

edited 18 Nov '10, 08:40

The above was done using tshark -nVr <filename> | grep "AVP:"

(18 Nov '10, 08:29) Bill Meier ♦♦

Bill, that's a great suggestion, thanks. I had not known there was a way to output the entire decoded text. Thanks.

(18 Nov '10, 08:37) mlampell

(I've changed your "answer" to be a "comment" in keeping with the way this site works; the FAQ gives more info).

(18 Nov '10, 08:47) Bill Meier ♦♦
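
An added example, not part of either answer: a Python filter that turns the `tshark -V` text used in the answer above into one row of name/value pairs per frame, masking credential attributes before the rows are shared. It assumes the AVP line layout shown on this page (other Wireshark releases may print AVP lines differently); the function name, the `SENSITIVE` set and the sample frames are this example's own.

```python
import re
import sys

# Attributes carrying credential material; masked by default so exported rows
# can be shared safely (the choice of names is this example's assumption).
SENSITIVE = {"User-Password", "CHAP-Password", "CHAP-Challenge"}
FRAME_RE = re.compile(r"^Frame (\d+)")
# Layout as printed on this page: "AVP: l=4  t=User-Name(1): aj" or "... v=3GPP(10415)"
AVP_RE = re.compile(r"AVP: l=\d+\s+t=([\w.-]+)\(\d+\)(?::\s*(.*)| v=(.*))?$")

# Constructed sample: AVP lines copied from this page, frame headers invented.
SAMPLE = """\
Frame 1: 180 bytes on wire
    AVP: l=4  t=User-Name(1): aj
    AVP: l=19  t=CHAP-Password(3): 012b9d0750c7de94e99492fbe8083e3dbc
    AVP: l=12  t=Vendor-Specific(26) v=3GPP(10415)
    AVP: l=15  t=Calling-Station-Id(31): 8613505619900
Frame 2: 62 bytes on wire
    AVP: l=6  t=Framed-IP-Address(8): 10.146.8.251
"""

def avp_rows(lines, redact=True):
    """Return [(frame_number, [(name, value), ...]), ...] from `tshark -V` text."""
    rows, frame, avps = [], None, []
    for line in lines:
        m = FRAME_RE.match(line)
        if m:
            if avps:  # close the previous frame; frames without AVPs are skipped
                rows.append((frame, avps))
            frame, avps = int(m.group(1)), []
            continue
        m = AVP_RE.search(line.rstrip())
        if m:
            name = m.group(1)
            # Vendor-Specific lines carry "v=<vendor>" instead of ": <value>"
            value = m.group(2) if m.group(2) is not None else (m.group(3) or "")
            if redact and name in SENSITIVE:
                value = "<redacted>"
            # A list, not a dict: RADIUS allows the same attribute to repeat.
            avps.append((name, value.strip()))
    if avps:
        rows.append((frame, avps))
    return rows

if __name__ == "__main__":
    # Read piped tshark output, or fall back to the constructed sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for frame, avps in avp_rows(source):
        print(frame, *(f"{n} {v}" for n, v in avps), sep="\t")
```

Saved under a name of your choosing (for example `avp_rows.py`), it can be fed with `tshark -nVr <filename> | python3 avp_rows.py`.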