This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Exact Values for e212.mnc filters


At the moment we are using tshark (v2.0.3) to extract specific parameters from GTP traffic. In some cases, when the value for mnc is 01, tshark returns 1, which technically is not equal to 01. The thing is, in Wireshark we can see the correct value in the proto tree.


tshark command:

-l -n -r "C:\sample.pcap" -2 -R "((gtp.message == 0x10 or gtp.message == 0x11 or gtpv2.message_type == 32   or gtpv2.message_type == 33) and not (icmp))" -T fields -e e212.mcc -e e212.mnc

And in the PDML export we can see the correct value (f210) in the Value attribute, but it seems the -T fields command is returning the values found in the Show attribute.

<field name="e212.mnc" showname="Mobile Network Code (MNC): Telekom Deutschland GmbH (01)" size="2" pos="187" show="1" value="f210"/>

Is there any argument or configuration forcing tshark to extract raw values?

asked 08 Jun '16, 04:01


hja
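An added example, not part of the original question and not Wireshark's own code: because the PDML value attribute carries the raw octets, a post-processing script can rebuild the digit strings (leading zeros included) from it instead of from show. It assumes the 3GPP packed-BCD PLMN layout (three octets, e212.mcc covering the first two and e212.mnc the last two, filler nibble 0xF marking a two-digit MNC); the e212.mcc line and the second packet in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed PDML fragment. Only the first e212.mnc line is quoted from the
# question; the e212.mcc lines and the second packet are made up for the example.
SAMPLE_PDML = """<pdml>
 <packet><proto name="gtp">
  <field name="e212.mcc" size="2" pos="186" show="262" value="62f2"/>
  <field name="e212.mnc" showname="Mobile Network Code (MNC): Telekom Deutschland GmbH (01)" size="2" pos="187" show="1" value="f210"/>
 </proto></packet>
 <packet><proto name="gtp">
  <field name="e212.mcc" size="2" pos="186" show="310" value="1340"/>
  <field name="e212.mnc" size="2" pos="187" show="4" value="4000"/>
 </proto></packet>
</pdml>"""

def _digits(nibbles):
    # Reject anything that is not a decimal BCD digit instead of guessing.
    if any(n > 9 for n in nibbles):
        raise ValueError(f"non-decimal BCD nibble in {nibbles}")
    return "".join(str(n) for n in nibbles)

def decode_mcc(value_hex):
    # Octet 1: MCC digit 2 | MCC digit 1; octet 2 low nibble: MCC digit 3.
    b0, b1 = bytes.fromhex(value_hex)[:2]
    return _digits([b0 & 0x0F, b0 >> 4, b1 & 0x0F])

def decode_mnc(value_hex):
    # Octet 2 high nibble: MNC digit 3 (0xF = filler); octet 3: MNC digit 2 | digit 1.
    b0, b1 = bytes.fromhex(value_hex)[:2]
    d1, d2, d3 = b1 & 0x0F, b1 >> 4, b0 >> 4
    return _digits([d1, d2] if d3 == 0x0F else [d1, d2, d3])

def plmns(pdml_text):
    # One (mcc, mnc) string pair per packet; if a packet carries several
    # e212 fields, this simple version keeps only the last of each.
    out = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        raw = {f.get("name"): f.get("value") for f in packet.iter("field")}
        if "e212.mcc" in raw and "e212.mnc" in raw:
            out.append((decode_mcc(raw["e212.mcc"]), decode_mnc(raw["e212.mnc"])))
    return out

if __name__ == "__main__":
    for mcc, mnc in plmns(SAMPLE_PDML):
        print(mcc, mnc)
```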