This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter packets while capturing them using tcpdump on linux based on a diameter AVP value

1

Hello, we have a server that is acting as a Diameter server. We would like to capture traffic between the Diameter client and our Diameter server and have only those records that have a specific AVP value, say only those packets with a particular IMSI, in the corresponding pcap. Is it possible to define such a filter when we initiate tcpdump on Linux and if so could you provide the syntax associated with such filters between a source & destination? Thanks Raj

asked 16 Aug '13, 10:26


raj
accept rate: 0%


4 Answers:

2

only those packets with a particular IMSI in the corresponding pcap. Is it possible to define such a filter when we initiate tcpdump on Linux and if so could you provide the syntax associated with such filters between a source & destination?

It is not possible to capture only those packets with a certain AVP (see the answer of @Guy Harris).

However, on Linux you can use ngrep, if the Diameter communication is not encrypted and if you have a defined search string (in your case an IMSI).

ngrep -d eth0 -O /var/tmp/imsi.pcap '262 01 9876543210' 'host 1.2.3.4 and host 2.3.4.5 and port 3868'

This will look for the string '262 01 9876543210' (your IMSI) in the communication of host 1.2.3.4 and host 2.3.4.5 on port 3868. Packets that match the string will be written to /var/tmp/imsi.pcap. That file can then be further analyzed with wireshark/tshark.

Regards
Kurt

answered 18 Aug '13, 15:02


Kurt Knochner ♦
accept rate: 15%

edited 18 Aug '13, 15:03

1

I think the easiest method would be to do a tcpdump at a TCP/SCTP port level, save it as a .pcap, then read it into tshark (on the server if it has Wireshark installed, or on your laptop after transferring the file, since as you're tracing a particular IMSI I'm assuming this is an ad-hoc troubleshooting effort and not a scripted process you're building).

Now, in the tshark CLI or wireshark with a display filter, what you're asking for is easy. Most Diameter applications would store the IMSI as the value of diameter.Session-Id-Data (in the case of credit control, policy control, etc.) or for some applications as diameter.User-Name. To give the exact filter (or to even attempt to give the exact filter for tcpdump) we'd need to know which Diameter application you're using though.

Since many Diameter servers (all that I have seen, and that includes one of the largest vendors in this space) will send multiple Diameter commands in a single IP packet, even if the AVP sequence and length is fixed a reliable tcpdump solution could be really tricky depending on the setup.

Are you deploying a Diameter router in this setup? If so it is usually the best place you can trace from since it can give you both client and server legs, and not all Diameter routers can be trusted not to tinker with the AVPs.

Edit: Kurt's solution with ngrep is probably the simplest, and definitely easier than tcpdump but if you have the ability to just save the trace and call on wireshark dissectors with tshark I still think that has the lowest margin for error here.

answered 21 Aug '13, 22:38


Quadratic
accept rate: 13%

edited 21 Aug '13, 22:42

0

Is it possible to define such kind of filter when we initiate tcpdump on linux

It would, at best, be extremely difficult, and would probably be impossible, given that parsing AVP values probably requires a loop and BPF filters (which is what Wireshark uses for capture filters and tcpdump uses for all its filters) are explicitly disallowed from looping (they're handed to the kernel to execute interpretively, and only forward branches are allowed, to prevent the kernel being made to loop infinitely).

answered 16 Aug '13, 18:22


Guy Harris ♦♦
accept rate: 19%

0

If the AVP you are trying to filter on is always the n-th AVP in the Diameter packet, or if it is within the first n AVPs, you can build a filter for it.

Are you able to share a couple of packets that contain the AVP you want to filter on? You could upload it to www.cloudshark.org (if it contains no sensitive information of course). I could give it a shot to build a capture filter for you.

answered 21 Aug '13, 12:37


SYN-bit ♦♦
accept rate: 20%
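Added example, not code from anyone in this thread: a small Python walk over Diameter AVPs, run on constructed sample messages rather than real traffic, that does after capture what the question asks (match on the IMSI in the User-Name AVP, as Quadratic's answer mentions for some applications) and shows why Guy Harris's and SYN-bit's answers say a capture filter can only work at a fixed position: the AVP walk is a loop over variable-length AVPs, and the offset of User-Name moves as soon as an earlier AVP such as Session-Id changes length. The IMSI, hostnames and ids below are made up for the example.

```python
import struct

DIAMETER_HDR_LEN = 20   # version(1) length(3) flags(1) code(3) app-id(4) hop-by-hop(4) end-to-end(4)
AVP_USER_NAME = 1       # User-Name AVP; many applications carry the IMSI here
AVP_SESSION_ID = 263    # Session-Id AVP; its length differs from session to session

def avp(code, data, flags=0x40):
    """Encode one AVP without Vendor-Id; length covers the 8-byte header, data is padded to 4."""
    hdr = struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big")
    return hdr + data + b"\x00" * (-len(data) % 4)

def diameter_message(command_code, avps):
    """Build a Diameter request header plus AVPs (constructed sample: app-id 0, fixed hop/end ids)."""
    body = b"".join(avps)
    return (b"\x01" + (DIAMETER_HDR_LEN + len(body)).to_bytes(3, "big") + b"\x80"
            + command_code.to_bytes(3, "big") + struct.pack("!III", 0, 0x1234, 0x5678) + body)

def iter_avps(msg):
    """Yield (code, offset, data) for each top-level AVP; this loop is what BPF cannot express."""
    off, total = DIAMETER_HDR_LEN, int.from_bytes(msg[1:4], "big")
    while off + 8 <= min(total, len(msg)):
        code, flags = struct.unpack_from("!IB", msg, off)
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        if length < 8 or off + length > len(msg):
            break                                   # truncated or malformed AVP: stop, never loop forever
        hdr_len = 12 if flags & 0x80 else 8         # V flag set => 4-byte Vendor-Id follows the header
        yield code, off, msg[off + hdr_len:off + length]
        off += length + (-length % 4)               # next AVP starts on a 4-byte boundary

def has_imsi(msg, imsi):
    """Post-capture match, the equivalent of a tshark display filter on User-Name."""
    return any(code == AVP_USER_NAME and data == imsi.encode() for code, _, data in iter_avps(msg))

def user_name_offset(msg):
    """Byte offset of User-Name inside the message; a fixed-offset capture filter needs this constant."""
    return next((off for code, off, _ in iter_avps(msg) if code == AVP_USER_NAME), None)

# Three constructed CCR-like messages (command code 272); A and B differ only in Session-Id length.
IMSI = "262019876543210"
MSG_A = diameter_message(272, [avp(AVP_SESSION_ID, b"host;1;1"), avp(AVP_USER_NAME, IMSI.encode())])
MSG_B = diameter_message(272, [avp(AVP_SESSION_ID, b"host.example;4711;99"), avp(AVP_USER_NAME, IMSI.encode())])
MSG_C = diameter_message(272, [avp(AVP_SESSION_ID, b"host;1;2"), avp(AVP_USER_NAME, b"262010000000001")])

if __name__ == "__main__":
    for name, msg in (("A", MSG_A), ("B", MSG_B), ("C", MSG_C)):
        print(name, "matches" if has_imsi(msg, IMSI) else "no match", "User-Name at offset", user_name_offset(msg))
```

Messages A and B both carry the IMSI but place User-Name at offsets 36 and 48, so a filter written against one of them misses the other; walking the AVPs finds it in both.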