Hey guys! I'm using tshark as part of a batch process to examine hundreds of .pcap files.
Let me show you some examples of what I'm trying to do:
Show me all packets related with the 444 event
"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Pcap\20200301_00_00-DCCS-ONE.pcap" -Y "diameter.avp.code == 444" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi>"C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Csv\20200301_00_00-DCCS-ONE.pcap.csv"
Result: Works ok!
Show me all packets if smpp.command_id == 0x00000004 and smpp.command_id==0x00000004 or smpp.command_id==0x80000004
Translated as:
"-Y \"(smpp.command_id==0x00000004)||(smpp.command_id==0x80000004)||(smpp.command_id==0x00000005)||(smpp.command_id==0x80000005)\" -T fields -E header=y -E \"separator=|\", -e frame.number -e frame.time -e smpp.sequence_number -e smpp.message_id -e _ws.col.Info -e smpp.source_addr_ton -e smpp.source_addr -e tcp.srcport -e ip.src -e smpp.dest_addr_ton -e smpp.destination_addr -esmpp.sm_length -e smpp.command_status -e tcp.dstport -e ip.dst >\""
Result: Works ok!
Show me all packets that have diameter.avp.code == 444 AND ALSO e212.imsi == "334110120002361"
-Y "(diameter.avp.code == 444 && e212.imsi == "334110120002361")"
Result: There's a problem between the keyboard and the chair
-Y "(diameter.avp.code == 444)" -Y "(e212.imsi == "334110120002361")" - T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi
Result: it will return all packets that satisfy either one of the conditions
How can a build an AND connector for the tshark command line?
Thank you very much guys!
