
menticol's profile - activity

2023-07-19 12:09:35 +0000 received badge  Famous Question (source)
2023-06-30 13:41:06 +0000 received badge  Notable Question (source)
2023-06-30 13:41:06 +0000 received badge  Popular Question (source)
2023-06-15 18:03:19 +0000 received badge  Notable Question (source)
2023-06-06 15:50:33 +0000 commented question Flatten a .PCAP file to text (see question for better explanation)

Very good question Chuckc, the problem is that the list of required fields is too long for passing them as console argum

2023-06-01 23:17:38 +0000 received badge  Famous Question (source)
2023-06-01 23:17:38 +0000 received badge  Notable Question (source)
2023-06-01 01:59:15 +0000 received badge  Rapid Responder (source)
2023-06-01 01:59:15 +0000 answered a question Very slow file file copy is fixed when running Wireshark

Just an idea! Try this powershell command before running Wireshark, save the result. Repeat after running Wireshark. Di

2023-06-01 01:37:56 +0000 asked a question Flatten a .PCAP file to text (see question for better explanation)

Flatten a .PCAP file to text (see question for better explanation) Hi guys I have a PCAP file (uploaded it here since I

2023-04-19 07:23:24 +0000 received badge  Famous Question (source)
2023-04-19 07:23:24 +0000 received badge  Notable Question (source)
2023-04-19 07:23:24 +0000 received badge  Popular Question (source)
2022-05-03 14:45:07 +0000 received badge  Famous Question (source)
2022-05-03 14:06:23 +0000 received badge  Popular Question (source)
2022-05-03 13:58:22 +0000 received badge  Popular Question (source)
2021-08-13 05:22:07 +0000 received badge  Commentator
2021-08-13 05:22:07 +0000 commented answer export part of the packet using dumpcap

https://www.wireshark.org/docs/wsug_html_chunked/ChIOExportSection.html

2021-08-13 05:02:47 +0000 commented answer Get _ws.col.Info, plus all packet fields, as a .json exported file

Sorry for taking such a long time to answer you. I gave the thumbs up without thinking twice! For the forum readers, I t

2021-08-13 05:01:50 +0000 commented answer Get _ws.col.Info, plus all packet fields, as a .json exported file

Sorry for taking such a long time to answer you. I gave the thumbs up without thinking twice! For the forum readers, I t

2021-08-13 04:56:12 +0000 marked best answer Get _ws.col.Info, plus all packet fields, as a .json exported file

Hi again guys!

I'm making a little C# code to export expanded PCAP files to a Database.

So far I have succeeded in creating the JSON, however, I noticed that a very nice Wireshark column, _ws.col.Info, is missing on the generated file.

This column would contain very important information for DIAMETER and CAMEL analysis, for example, "SACK invoke InitialDP", "invoke eventReportBCSM", "SACK invoke release call", among others.

On previous projects where I was required to export the PCAP as CSV, I was able to do so by using switches like the following one:

    -e frame.number -e frame.time -e _ws.col.Info -e diameter.Session-Id -e e164.msisdn -e e212.imsi

However, when I apply the aforementioned filters, I stop getting the whole PCAP file translated as JSON, and only get whichever field is indicated on the filter.

Instead, I would like to get the whole PCAP contents (plus the -e _ws.col.Info field). In that way the user could navigate through the file in a visual way, and later export whatever field he/she wants.

Let me show you some pictures of how the program looks

Picture1

Picture 2

This is part of the code I came up with, if anybody finds it useful

    // Split the input path into its folder and base file name.
    String fileNameWithoutExtension = Path.GetFileNameWithoutExtension(pcapFilePath);
    // GetDirectoryName avoids the string Replace, which breaks when the file name also appears in the folder path.
    String pathWorkingFolder = Path.GetDirectoryName(pcapFilePath) ?? "";

    // Step 1: keep only CAMEL packets (-Y camel) and write them to a new capture file (-w).
    // The output path is wrapped in quotes because it is passed on the tshark command line.
    String pathFilteredPcap = "\"" + Path.Combine(pathWorkingFolder, fileNameWithoutExtension + "_filtered.pcap") + "\"";
    String argumentsPcapToFilteredPcap = "-r \"" + pcapFilePath + "\" -Y camel -w " + pathFilteredPcap;

    String consoleOutputPcapToFilteredPcap = await new UtilsIO().executeExe(SHARK_INSTALL_FOLDER, argumentsPcapToFilteredPcap);

    Console.WriteLine(consoleOutputPcapToFilteredPcap);
    Console.WriteLine("Filtered PCAP ready...");

    // Step 2: dissect the filtered capture as JSON (-T json); tshark prints it to stdout.
    String pathJsonFile = Path.Combine(pathWorkingFolder, fileNameWithoutExtension + ".json");
    String argumentsFilteredPcapToJson = "-r " + pathFilteredPcap + " -T json ";

    Console.WriteLine("Generating JSON...");

    String consoleOutputFromPcapToJson = await new UtilsIO().executeExe(SHARK_INSTALL_FOLDER, argumentsFilteredPcapToJson);

    // Save the captured stdout as the .json file.
    UtilsIO.saveTextFile(consoleOutputFromPcapToJson, pathJsonFile);

    Console.WriteLine("JSON Ready...");

As always thank you very much!

2021-08-13 04:56:06 +0000 commented answer Get _ws.col.Info, plus all packet fields, as a .json exported file

Sorry for taking such a long time to answer you. I gave the thumbs up without thinking twice! For the forum readers, I t

2021-08-03 19:08:32 +0000 commented answer Get _ws.col.Info, plus all packet fields, as a .json exported file

Thank you as always for your lightning-fast answers @Chuckc. Sadly I did not express my question properly due to my lack

2021-08-03 19:07:05 +0000 edited question Get _ws.col.Info, plus all packet fields, as a .json exported file

Get ws.col.Info (plus the whole PCAP) as a .json exported file Hi again guys! I'm making a little C# code to export exp

2021-08-03 16:33:32 +0000 commented question Get _ws.col.Info, plus all packet fields, as a .json exported file

Edited the question's title and added some screenshots to properly explain my problem

2021-08-03 16:33:03 +0000 edited question Get _ws.col.Info, plus all packet fields, as a .json exported file

Get ws.col.Info as part of .json exported file Hi again guys! I'm making a little C# code to export expanded PCAP files

2021-08-03 16:30:29 +0000 marked best answer Exporting PCAP to Database

Hi guys!

I'm working on a little program to convert .PCAP files into MySQL tables, in order to make analysis easier (a program that I will share here as soon as it is finished, naturally).

My first command is running on a Windows console and outputs a very nice filtered .pcap file, filled with information.

    tshark -r "C:\proyecto\20210729_15_45-MIRR-BKP.pcap" -Y camel -w "C:\proyecto\20210729_15_45-MIRR-BKP_filtered.pcap"

However, on my next step, converting the aforementioned .PCAP to JSON, I'm getting a blank JSON file.

    tshark -r "C:\proyecto\20210729_15_45-MIRR-BKP_filtered.pcap" -T json -w "C:\proyecto\20210729_15_45-MIRR-BKP.json"

I used the code provided by @Chuckc on this post.

Once I get the .JSON part working, I'll implement a little UI to select what packet information will be exported, etc.

Thank you and best regards

2021-08-03 15:02:57 +0000 edited question Get _ws.col.Info, plus all packet fields, as a .json exported file

Get ws.col.Info as part of .json exported file Hi again guys! I'm making a little C# code to export expanded PCAP files

2021-08-03 15:00:10 +0000 commented answer Get _ws.col.Info, plus all packet fields, as a .json exported file

Thank you as always for your lightning-fast answers @Chuckc. Sadly I did not express my question properly due to my lack

2021-08-03 14:59:58 +0000 commented answer Get _ws.col.Info, plus all packet fields, as a .json exported file

Thank you as always for your lightning-fast answers @Chuckc. Sadly did not express my question properly due to my lack o

2021-08-03 14:56:52 +0000 received badge  Associate Editor (source)
2021-08-03 14:56:52 +0000 edited question Get _ws.col.Info, plus all packet fields, as a .json exported file

Get ws.col.Info as part of .json exported file Hi again guys! I'm making a little C# code to export expanded PCAP files

2021-08-03 14:54:47 +0000 edited question Get _ws.col.Info, plus all packet fields, as a .json exported file

Get ws.col.Info as part of .json exported file Hi again guys! I'm making a little C# code to export expanded PCAP files

2021-08-03 05:45:59 +0000 edited question Get _ws.col.Info, plus all packet fields, as a .json exported file

Get ws.col.Info as part of .json exported file Hi again guys! I'm making a little C# code to export expanded PCAP files

2021-08-03 04:47:17 +0000 edited question Get _ws.col.Info, plus all packet fields, as a .json exported file

Get ws.col.Info as part of .json exported file Hi again guys! I'm making a little C# code to export expanded PCAP files

2021-08-03 04:45:37 +0000 answered a question Exporting PCAP to Database

@Chuckc provided the answer to this question in his comment. Quoting him: NOTE: -w provides raw packet data, not t

2021-08-03 04:42:25 +0000 asked a question Get _ws.col.Info, plus all packet fields, as a .json exported file

Get ws.col.Info as part of .json exported file Hi again guys! I'm making a little C# code to export expanded PCAP files

2021-07-31 19:09:26 +0000 asked a question Exporting PCAP to Database

Exporting PCAP to Database Hi guys! I'm working on a little program to convert .PCAP files into MySQL tables, in order

2021-06-27 01:03:13 +0000 received badge  Notable Question (source)
2021-05-19 21:37:59 +0000 received badge  Notable Question (source)
2020-12-06 16:50:37 +0000 received badge  Popular Question (source)
2020-06-26 07:36:12 +0000 received badge  Popular Question (source)
2020-04-22 20:00:01 +0000 commented answer Tshark: Get multiple ocurrences with same field value

I'm very sorry for taking so long guys. Thank you Bubbasnmp, your solution was much more elegant, but since I'm working

2020-04-22 19:51:50 +0000 marked best answer Tshark: Get multiple ocurrences with same field value

Hi guys!

Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.

Let's say I have 330 packages inside a .pcap file, from which I'm showing you the first three.

No. | Time | Source | Destination | Protocol | Length | Info
1 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
2 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
3 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325

Now let's expand packet number one.

Diameter Protocol
    Version: 0x01

... (tens of lines deleted to save post space) ...

AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org

... (tens of lines deleted to save post space) ...

AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-

OK! The Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside of it:

AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
    AVP Code: 456 Multiple-Services-Credit-Control
    AVP Flags: 0x40, Mandatory: Set
    AVP Length: 104
    Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…

Now let's click the 000001be400000440000 node:

AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)

And then click the last node... Ok, this is getting really tedious. You got the idea, you need to go five levels down to reach the treasure. Here it is:

AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25

At this point it seems very easy! Just make a .bat script with the following content, and I would get all values for all packages inside my multiple .pcap files

 "C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "(diameter.3GPP-Reporting-Reason == "2" && diameter.avp.code == "421" && diameter.avp.code == "432" && e212.imsi=="334110010009868" || e212.imsi=="334110010009869")" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e ...
2020-04-20 18:56:51 +0000 edited question Tshark: Get multiple ocurrences with same field value

Tshark: Get multiple ocurrences with same field value Hi guys! Presenting this case without being able to upload screen

2020-04-20 18:55:36 +0000 edited question Tshark: Get multiple ocurrences with same field value

Tshark: Get multiple ocurrences with same field value Hi guys! Presenting this case without being able to upload screen

2020-04-20 18:52:51 +0000 commented question Tshark: Get multiple ocurrences with same field value

Ok I just went ahead and uploaded an external link, if this is not allowed please let me know to take it down

2020-04-20 18:52:25 +0000 edited question Tshark: Get multiple ocurrences with same field value

Tshark: Get multiple ocurrences with same field value Hi guys! Presenting this case without being able to upload screen