Tshark: Get multiple occurrences with same field value

Hi guys!

Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.

Let's say I have 330 packets inside a .pcap file, from which I'm showing you the first three.

No. | Time | Source | Destination | Protocol | Length | Info
1 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
2 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
3 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |

Now let's expand packet number one.

Diameter Protocol
    Version: 0x01

... (tens of lines deleted to save post space) ...

AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org

... (tens of lines deleted to save post space) ...

AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-

OK! The Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside of it:

AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
    AVP Code: 456 Multiple-Services-Credit-Control
    AVP Flags: 0x40, Mandatory: Set
    AVP Length: 104
    Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…

Now let's click the 000001be400000440000 node:

AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)

And then click the last node... OK, this is getting really tedious. You get the idea: you need to go five levels down to reach the treasure. Here it is:

AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25

At this point it seems very easy! Just make a .bat script with the following content, and I would get all values for all packets inside my multiple .pcap files:

@echo off
REM Numbers in the display filter need no quotes, and nested double quotes break cmd.exe quoting.
REM The two IMSIs are grouped in parentheses on the assumption that the other conditions should apply to both (OR binds less tightly than AND).
"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" ^
  -Y "diameter.3GPP-Reporting-Reason == 2 && diameter.avp.code == 421 && diameter.avp.code == 432 && (e212.imsi == 334110010009868 || e212.imsi == 334110010009869)" ^
  -T fields -E header=y -E separator=~ ^
  -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id ^
  -e tcap.tid -e gtpv2.seq -e diameter.CC-Time -e diameter.avp.len -e diameter.CC-Total-Octets ^
  -e diameter.CC-Input-Octets -e diameter.CC-Output-Octets -e diameter.3GPP-Reporting-Reason ^
  -e diameter.Rating-Group > outputfile.csv

Perhaps not. Tshark works, but it throws the results out in a terrible manner:

Request

frame.number~frame.time~_ws.col.Info~e164.msisdn~e212.imsi~diameter.Session-Id~diameter.CC-Time~diameter.avp.len~diameter.CC-Total-Octets~diameter.CC-Input-Octets~diameter.CC-Output-Octets~diameter.3GPP-Reporting-Reason~diameter.Rating-Group

Response

1~Apr  3, 2020 19:15:07.755864000 Hora estándar central (México)~cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 | ~525588420383~334110010009868~herpgw01.epc.mnc110.mcc334.3gppnetwork.org;124f8b02;5e87df05;334110010009868-08790c45~120,120,120,120~93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23,84,12,61,12,12,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,29,44,12,24,460,420,16,16,20,16,18,16,18,18,16,18,18,13,46,13,13,16,16,18,14,25,13,28,16~0,0,0,0~0,0,0,0~0,0,0,0~2,2,2,2~25,10,8,3

I'm not implying it's tshark's fault; it makes sense. Remember, at the beginning of this post we had multiple occurrences of

AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-

So, tshark just combined the results of all occurrences into a wonderful one-hundred-character-long line:

93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.

I tried to make a little Java program to split the line into human-readable parameters, but still, it is nonsense.

Please, how could I get all the occurrences of my desired field values?

Thank you, and I'm sorry for the tedious post.
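The aggregation the question runs into, and one way to unpick it, as an added example that is not part of the original post and not Wireshark's own code: with -T fields, every occurrence of a field inside one packet is joined by the -E aggregator character ("," by default; -E occurrence=f, l or a selects first, last or all occurrences). A row like that can only be split positionally across fields that occur exactly once per Multiple-Services-Credit-Control group, and only when those fields all report the same number of occurrences; diameter.avp.len counts every AVP in the packet, which is why splitting on it produced nonsense. The Python script below reads the "~"-separated output, explodes each row into one row per group, and flags frames whose per-group counts disagree instead of guessing an alignment. The sample input is constructed from the values in the post (avp.len shortened); the second frame is invented to show the mismatch case. When groups are irregular, tshark -T json (or -T pdml) keeps the AVP nesting intact and is the better starting point.

```python
import csv
import io

# Constructed sample in the shape of "tshark -T fields -E header=y -E separator=~"
# output. Frame 1 carries the values shown in the post (avp.len list shortened);
# frame 2 is invented: one MSCC group has no CC-Time, so the lists no longer line up.
SAMPLE_OUTPUT = (
    "frame.number~e212.imsi~diameter.CC-Time~diameter.avp.len~"
    "diameter.CC-Total-Octets~diameter.3GPP-Reporting-Reason~diameter.Rating-Group\n"
    "1~334110010009868~120,120,120,120~93,57,41,41,12,33,104,68,12,16,104,68,12,16~"
    "0,0,0,0~2,2,2,2~25,10,8,3\n"
    "2~334110010009869~120,120,120~40,12,104,68,12,16~0,0,0,0~2,2,2,2~25,10,8,3\n"
)

# Fields that occur exactly once per Multiple-Services-Credit-Control group.
# diameter.avp.len is deliberately NOT here: it aggregates over every AVP in the
# packet, so its list length says nothing about the number of groups.
PER_GROUP_FIELDS = [
    "diameter.CC-Time",
    "diameter.CC-Total-Octets",
    "diameter.3GPP-Reporting-Reason",
    "diameter.Rating-Group",
]
SEPARATOR = "~"    # -E separator=~
AGGREGATOR = ","   # tshark default -E aggregator


def explode_rows(text, per_group_fields=PER_GROUP_FIELDS):
    """Turn each aggregated tshark row into one row per MSCC group.

    Returns (rows, problems). rows is a list of dicts holding one occurrence per
    row, with the scalar columns (frame number, IMSI, ...) repeated. problems lists
    the frame numbers whose per-group fields had different occurrence counts;
    zipping those positionally would silently attach values to the wrong group.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=SEPARATOR)
    rows, problems = [], []
    for rec in reader:
        split = {f: rec[f].split(AGGREGATOR) if rec[f] else [] for f in per_group_fields}
        counts = {len(v) for v in split.values()}
        if len(counts) != 1:
            problems.append(rec["frame.number"])
            continue
        n = counts.pop()
        for i in range(n):
            out = {k: v for k, v in rec.items() if k not in per_group_fields}
            out["occurrence"] = i + 1
            for f in per_group_fields:
                out[f] = split[f][i]
            rows.append(out)
    return rows, problems


if __name__ == "__main__":
    rows, problems = explode_rows(SAMPLE_OUTPUT)
    for r in rows:
        print(r)
    print("frames needing manual review (misaligned groups):", problems)
```

Run it against the real outputfile.csv by replacing SAMPLE_OUTPUT with the file contents; add diameter.CC-Input-Octets and diameter.CC-Output-Octets to PER_GROUP_FIELDS once you have confirmed they appear in every group, since a field missing from even one group shifts every later value by one position.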

EDIT: Thank you Bubbasnmp and Guy Harris for your comments. I was not able to upload the .pcap file (60 points required), so I included an external link; I hope this doesn't violate the forum rules.

https://www.dropbox.com/s/hlykq2v409l0x0e/resultado_334110010009868.pcap?dl=0

As a shortcut to get to the desired field example, please use this filter:

diameter.Used-Service-Unit == 00:00:01:a4:40:00:00:0c:00:00:00:78:00:00:01:a5:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9c:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9e:40:00:00:10:00:00:00:00:00:00:00:00

In my example, the separated values I would like to get are:

diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=25

...instead of the current combined 120,120,120,120.

I hope this helps to better explain myself.
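The behaviour described in the question is tshark's `-T fields` aggregation: every occurrence of a field in one packet is joined with the aggregator character (`,` by default, settable with `-E aggregator=`), so the four Multiple-Services-Credit-Control AVPs collapse into `120,120,120,120`, `25,10,8,3`, and so on. If the tree structure matters, `-T json` or `-T pdml` keep it. If you stay with fields output, the aggregated line can be split and re-aligned position by position, as in the following added example (not code from the original post or from Wireshark). It assumes the `-E header=y -E separator=~` options from the question's command and the default `,` aggregator; the sample lines are constructed from the output shown in the question, trimmed to the columns that occur once per Multiple-Services-Credit-Control AVP (`diameter.avp.len` is omitted because it aggregates the length of every AVP in the packet and cannot be aligned this way). Positional alignment is only sound when every chosen field appears the same number of times, so the code refuses packets where the counts differ instead of silently mis-pairing values.

```python
"""Split tshark -T fields output with repeated fields into one row per occurrence.

Added example, not code from the original post. Assumes tshark was run with
-E header=y -E separator=~ and the default ',' aggregator (the command in the
question); the sample below is constructed from the output shown there.
"""

# Constructed sample: header line plus one response line from the question,
# trimmed to the columns that occur once per Multiple-Services-Credit-Control AVP.
SAMPLE_TSHARK_OUTPUT = (
    "frame.number~e212.imsi~diameter.CC-Time~diameter.CC-Total-Octets~"
    "diameter.CC-Input-Octets~diameter.CC-Output-Octets~"
    "diameter.3GPP-Reporting-Reason~diameter.Rating-Group\n"
    "1~334110010009868~120,120,120,120~0,0,0,0~0,0,0,0~0,0,0,0~2,2,2,2~25,10,8,3\n"
)

# Fields that occur once per Multiple-Services-Credit-Control AVP; these are
# re-aligned by position (i-th value of each field belongs to the i-th AVP).
PER_AVP_FIELDS = [
    "diameter.CC-Time",
    "diameter.CC-Total-Octets",
    "diameter.CC-Input-Octets",
    "diameter.CC-Output-Octets",
    "diameter.3GPP-Reporting-Reason",
    "diameter.Rating-Group",
]


class OccurrenceMismatch(ValueError):
    """Raised when the repeated fields of one packet have different occurrence counts."""


def parse_fields_output(text, separator="~", aggregator=","):
    """Parse tshark -T fields output (with a header line) into a list of dicts.

    Each value is a list of occurrences: tshark joins repeated fields with the
    aggregator character, so the column is split on it. An empty column means
    the field did not occur in that packet.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split(separator)
    packets = []
    for line in lines[1:]:
        cols = line.split(separator)
        if len(cols) != len(header):
            raise ValueError(f"column count {len(cols)} does not match header {len(header)}")
        packets.append({name: (col.split(aggregator) if col != "" else [])
                        for name, col in zip(header, cols)})
    return packets


def explode_occurrences(packet, per_avp_fields=PER_AVP_FIELDS,
                        key_fields=("frame.number", "e212.imsi")):
    """Turn one packet's aggregated fields into one row per AVP occurrence.

    Positional alignment is only sound when every per-AVP field appears the same
    number of times; otherwise tshark's flat output cannot say which value belongs
    to which AVP, so the packet is rejected rather than silently mis-aligned.
    """
    counts = {f: len(packet.get(f, [])) for f in per_avp_fields}
    distinct = set(counts.values())
    if len(distinct) != 1:
        raise OccurrenceMismatch(f"occurrence counts differ: {counts}")
    n = distinct.pop()
    rows = []
    for i in range(n):
        # Per-packet keys (frame number, IMSI) are copied onto every row.
        row = {k: packet[k][0] if packet.get(k) else "" for k in key_fields}
        row["occurrence"] = i + 1
        for f in per_avp_fields:
            row[f] = packet[f][i]
        rows.append(row)
    return rows


def explode_all(text):
    """Parse and explode every packet in tshark fields output."""
    rows = []
    for packet in parse_fields_output(text):
        rows.extend(explode_occurrences(packet))
    return rows


if __name__ == "__main__":
    # First row printed for the sample: CC-Time=120, the octet counters 0,
    # 3GPP-Reporting-Reason=2 and Rating-Group=25, i.e. the first AVP's values.
    for row in explode_all(SAMPLE_TSHARK_OUTPUT):
        print(" ".join(f"{k}={v}" for k, v in row.items()))
```

Reading the real `outputfile.csv` is a matter of passing its contents to `explode_all`; the `OccurrenceMismatch` exception is the signal that a packet's Multiple-Services-Credit-Control AVPs do not all carry the same set of sub-AVPs, which is exactly the case where the JSON or PDML output is needed to recover the grouping.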