Hi everyone, I'm using tshark to decode the AVPs of a Diameter file with this command:
tshark -r Diameter.pcap -T fields -e "diameter.Subscription-Id" >/dev/null 2>&1
"diameter.Subscription-Id" is there just to make sure that tshark goes through the AVP dissector and I can get the values of all AVPs. The size of the file is about 800 MB, so it takes time with output printed on screen and runs at 100% CPU. So I changed the command:
tshark -r Diameter.pcap >/dev/null 2>&1
This way, it's faster but tshark doesn't go through some AVPs. I tried to read the source code and found the difference between the two commands:
dissect_diameter_avp(...)
{
....
avp_str = a->dissector_rfc(c,a,subtvb, diam_sub_dis_inf);
....
}
Tshark goes to dissector_rfc in both cases, but with the first command avp_str has a value while it is NULL with the second command. I tried to find how dissector_rfc works but found nothing in the source code. So please help if you have experience with the source code:
- How can I find the definition of dissector_rfc in the source code? That way, I can change the code to make avp_str non-NULL with the second command.
- Is it possible to force tshark to go to the AVPs without printing output?