menticol's profile - activity

2020-06-26 07:36:12 +0000 received badge  Popular Question
2020-04-22 20:00:01 +0000 commented answer Tshark: Get multiple ocurrences with same field value

I'm very sorry for taking so long guys. Thank you Bubbasnmp, your solution was much more elegant, but since I'm working

2020-04-22 19:51:50 +0000 marked best answer Tshark: Get multiple ocurrences with same field value

Hi guys!

Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.

Let's say I have 330 packets inside a .pcap file, from which I'm showing you the first three.

No. | Time | Source | Destination | Protocol | Length | Info
1 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
2 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
3 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325

Now let's expand packet number one.

Diameter Protocol
    Version: 0x01

... (tens of lines deleted to save post space) ...

AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org

... (tens of lines deleted to save post space) ...

AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-

OK! The Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside of it:

AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
    AVP Code: 456 Multiple-Services-Credit-Control
    AVP Flags: 0x40, Mandatory: Set
    AVP Length: 104
    Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…

Now let's click the 000001be400000440000 node:

AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)

And then click the last node... OK, this is getting really tedious. You get the idea: you need to go five levels down to reach the treasure. Here it is:

AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25

At this point it seems very easy! Just make a .bat script with the following content, and I would get all values for all packets inside my multiple .pcap files:

 "C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "(diameter.3GPP-Reporting-Reason == "2" && diameter.avp.code == "421" && diameter.avp.code == "432" && e212.imsi=="334110010009868" || e212.imsi=="334110010009869")" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e ...
(more)
2020-04-20 18:56:51 +0000 edited question Tshark: Get multiple ocurrences with same field value

Tshark: Get multiple ocurrences with same field value Hi guys! Presenting this case without being able to upload screen

2020-04-20 18:55:36 +0000 edited question Tshark: Get multiple ocurrences with same field value

2020-04-20 18:52:51 +0000 commented question Tshark: Get multiple ocurrences with same field value

Ok I just went ahead and uploaded an external link, if this is not allowed please let me know to take it down

2020-04-20 18:52:25 +0000 edited question Tshark: Get multiple ocurrences with same field value

2020-04-20 18:46:05 +0000 commented question Tshark: Get multiple ocurrences with same field value

Thank you for your answers Bubbasnmp and Guy Harris. Tried with the output formats Bubba suggested, but even with other

2020-04-20 18:45:01 +0000 commented question Tshark: Get multiple ocurrences with same field value

Thank you for your answers Bubbasnmp and Guy Harris. Tried with the output formats Bubba suggested, but the output is th

2020-04-18 00:10:21 +0000 edited question Tshark: Get multiple ocurrences with same field value

2020-04-18 00:08:24 +0000 edited question Tshark: Get multiple ocurrences with same field value

2020-04-18 00:07:44 +0000 edited question Tshark: Get multiple ocurrences with same field value

2020-04-18 00:06:15 +0000 edited question Tshark: Get multiple ocurrences with same field value

2020-04-18 00:05:05 +0000 edited question Tshark: Get multiple ocurrences with same field value

2020-04-17 23:59:56 +0000 asked a question Tshark: Get multiple ocurrences with same field value

2020-03-13 19:50:46 +0000 answered a question Tshark -Y syntax usage

To expand the answer a little more and for future reference, I leave you with the working examples I made using your sug

2020-03-03 17:19:46 +0000 marked best answer Tshark -Y syntax usage

Hey guys! I'm using tshark as part of a batch process to examine hundreds of .pcap files.

Let me show you some examples of what I'm trying to do:

Goal: Show all packets related with the 444 event

"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Pcap\20200301_00_00-DCCS-ONE.pcap" -Y "diameter.avp.code == 444" -T fields -E header=y -E "separator=~",  -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi>"C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Csv\20200301_00_00-DCCS-ONE.pcap.csv"

Result: Works ok!

Goal: Show me all packets if smpp.command_id == 0x00000004 and smpp.command_id==0x00000004 or smpp.command_id==0x80000004

"-Y \"(smpp.command_id==0x00000004)||(smpp.command_id==0x80000004)||(smpp.command_id==0x00000005)||(smpp.command_id==0x80000005)\" -T fields -E header=y -E \"separator=|\",  -e frame.number -e frame.time -e smpp.sequence_number -e smpp.message_id -e _ws.col.Info -e smpp.source_addr_ton -e smpp.source_addr -e tcp.srcport -e ip.src -e smpp.dest_addr_ton -e smpp.destination_addr -esmpp.sm_length -e smpp.command_status -e tcp.dstport -e ip.dst >\""

Result: Works ok!

Goal: show me all packets that have diameter.avp.code == 444 AND ALSO e212.imsi == "334110120002361"

-Y "(diameter.avp.code == 444)" -Y "(e212.imsi == "334110120002361")" - T fields -E header=y -E "separator=~",  -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi

Result: FAIL. It will return all packets that satisfy either one of the conditions, like an "OR" switch.

Let's try with this

-Y "(diameter.avp.code == 444 && e212.imsi == "334110120002361")"

Result: FAIL. Unknown command. The problem's located between the keyboard and the chair. Get out!

How can I build an AND connector for the tshark command line?

Thank you very much guys!

2020-03-03 17:13:14 +0000 edited answer Tshark -Y syntax usage

Thank you very much Jim, your solution worked like a charm. Sorry for the backslashes, these were a remain from the java

2020-03-03 17:12:32 +0000 edited answer Tshark -Y syntax usage

2020-03-03 17:12:07 +0000 received badge  Rapid Responder
2020-03-03 17:12:07 +0000 answered a question Tshark -Y syntax usage

2020-03-03 00:52:08 +0000 edited question Tshark -Y syntax usage

Tshark -Y syntax usage Hey guys! I'm using tshark as part of a batch process to examine hundreds of .pcap files. Let me

2020-03-03 00:50:43 +0000 edited question Tshark -Y syntax usage

2020-03-03 00:46:27 +0000 edited question Tshark -Y syntax usage

2020-03-03 00:43:21 +0000 asked a question Tshark -Y syntax usage

2019-11-13 14:25:35 +0000 marked best answer Getting specific fields from packets

Hey guys!

I currently have a huge .pcap file that shows the following information after applying the filter gtp.message == 0x10

  • 197 1.748402 201.144.195.25 201.157.107.1 GTP 216 Create PDP context request
  • 771 6.475531 201.144.195.86 201.157.107.1 GTP 216 Create PDP context request
  • 809 6.640840 201.134.179.88 201.157.107.1 GTP 224 Create PDP context request
  • 177 14.61336 201.144.195.86 201.157.107.1 GTP 216 Create PDP context request
  • 212 17.48780 201.134.179.86 201.157.107.1 GTP 221 Create PDP context request

...plus hundreds and hundreds more.

When you check inside each packet, there are some values I'm looking for:

  • e212.imsi
  • e164.msisdn
  • gtp.lac
  • gtp.sai_sac

I need to extract these values for each "Create PDP context request" packet displayed. The problem is, doing it manually is extremely time-consuming and my right-hand hurts at this point (NSFW not intended).

Is there a way in which I could make a batch script or filter to recursively extract the e212.imsi and other fields found inside each "Create PDP context request" packet?

Thank you very much!

PS: Sorry for the absence of screenshots, the platform doesn't allow me to use them yet.
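The three tshark questions above (extracting fields per packet, combining conditions with AND, and reading a field that occurs several times in one packet) share two mechanics, shown here as an added example that is not code from the posts or from Wireshark: the display filter goes to tshark as one -Y argument built without a shell, and tshark -T fields prints repeated occurrences of a field joined by its aggregator character (a comma by default, changeable with -E aggregator=). The tshark path is a placeholder, the sample output is constructed, and the diameter.Rating-Group and diameter.CC-Total-Octets field names are assumed.

```python
import csv
import io

# Placeholder path; adjust to your install (the posts use C:\Program Files\Wireshark\tshark).
TSHARK = r"C:\Program Files\Wireshark\tshark.exe"

def tshark_args(pcap, conditions, fields, sep="~"):
    """Build tshark's argv as a list for subprocess.run(): no shell is involved,
    so quotes inside a condition survive, and every condition is joined with &&
    into ONE -Y expression (giving -Y twice does not AND the two filters)."""
    display_filter = " && ".join(f"({c})" for c in conditions)
    args = [TSHARK, "-r", pcap, "-Y", display_filter,
            "-T", "fields", "-E", "header=y", "-E", f"separator={sep}"]
    for field in fields:
        args += ["-e", field]
    return args

def expand_occurrences(text, sep="~", aggregator=","):
    """Turn tshark -T fields output into one row per field occurrence.
    A field present N times in a packet (one Rating-Group per
    Multiple-Services-Credit-Control AVP) is printed as N values joined by the
    aggregator, so the i-th Rating-Group pairs with the i-th CC-Total-Octets.
    Single-valued fields repeat on every row; a field whose count is neither
    1 nor N cannot be aligned and becomes None."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), delimiter=sep):
        split = {k: v.split(aggregator) for k, v in rec.items()}
        n = max(len(v) for v in split.values())
        for i in range(n):
            rows.append({k: v[i] if len(v) == n else (v[0] if len(v) == 1 else None)
                         for k, v in split.items()})
    return rows

# Constructed sample of tshark output (field names assumed), not a real capture.
SAMPLE_OUTPUT = (
    "frame.number~e212.imsi~diameter.Rating-Group~diameter.CC-Total-Octets\n"
    "1~334110010009868~25,26,27,28~0,1500,0,0\n"
    "2~334110010009869~25~0\n"
)

if __name__ == "__main__":
    args = tshark_args("capture.pcap", ["diameter.avp.code == 444",
                                        'e212.imsi == "334110120002361"'],
                       ["frame.number", "e212.imsi", "diameter.Rating-Group"])
    print(args)  # pass this list to subprocess.run(args, capture_output=True, text=True)
    for row in expand_occurrences(SAMPLE_OUTPUT):
        print(row)
```

Feeding the real tshark output into expand_occurrences gives one CSV-style row per Multiple-Services-Credit-Control group instead of a comma-joined cell, which is what the .bat approach in the first question was missing.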

2019-11-13 14:25:35 +0000 received badge  Scholar
2019-11-12 22:59:47 +0000 edited answer Getting specific fields from packets

Thank you very much Cmaynard and Grahamb by your answers! I'm trying the commands now, following this syntaxis: C:\Pro

2019-11-12 22:56:41 +0000 edited answer Getting specific fields from packets

2019-11-12 22:31:39 +0000 received badge  Editor
2019-11-12 22:31:39 +0000 edited answer Getting specific fields from packets

2019-11-12 22:30:18 +0000 received badge  Rapid Responder
2019-11-12 22:30:18 +0000 answered a question Getting specific fields from packets

2019-11-12 19:59:28 +0000 asked a question Getting specific fields from packets

Getting specific fields from packages Hey guys! I currently have a huge .pcap file that shows the following information