
Getting specific fields from packets

Hey guys!

I currently have a huge .pcap file that shows the following information after applying the filter gtp.message == 0x10

  • 197 1.748402 201.144.195.25 201.157.107.1 GTP 216 Create PDP context request
  • 771 6.475531 201.144.195.86 201.157.107.1 GTP 216 Create PDP context request
  • 809 6.640840 201.134.179.88 201.157.107.1 GTP 224 Create PDP context request
  • 177 14.61336 201.144.195.86 201.157.107.1 GTP 216 Create PDP context request
  • 212 17.48780 201.134.179.86 201.157.107.1 GTP 221 Create PDP context request

...plus hundreds and hundreds more.

When you check inside each packet, there are some values I'm looking for:

  • e212.imsi
  • e164.msisdn
  • gtp.lac
  • gtp.sai_sac

I need to extract these values for each "Create PDP context request" packet displayed. The problem is, doing it manually is extremely time-consuming and my right hand hurts at this point (NSFW not intended).

Is there a way in which I could make a batch script or filter to recursively extract the e212.imsi and other fields found inside each "Create PDP context request" packet?

Thank you very much!

PS: Sorry for the absence of screenshots, the platform doesn't allow me to use them yet.

asked 2019-11-12 19:59:28 +0000 by menticol
updated 2019-11-12 20:48:50 +0000 by Guy Harris

1 Answer


I would recommend using tshark for this purpose. For example:

tshark -r huge.pcap -Y "gtp.message == 0x10" -T fields -E header=y -E separator=, -E quote=d -e frame.number -e e212.imsi -e e164.msisdn -e gtp.lac -e gtp.sai_sac > huge.csv

Add as many fields as you need using -e.

EDIT I changed the separator from a tab to a comma, which is what I originally intended for a .csv file.

answered 2019-11-12 20:12:01 +0000 by cmaynard, updated 2019-11-13 00:13:53 +0000

Comments

Note that depending on the shell used you may have to quote some of the arguments, e.g. -E "header=y"

grahamb (2019-11-12 21:14:23 +0000)

Thank you very much Cmaynard and Grahamb for your answers!

I'm trying the commands now, following this syntax:

C:\Program Files\Wireshark>tshark -r "C:\Capturas\20191111_14_45-MIRR-BKP.pcap" -Y "gtp.message == 0x10" -T fields -E "header=y" -E "separator=," -E "quote=d" -e "frame.number" -e "e212.imsi" -e "e164.msisdn" -e "gtp.lac" -e "gtp.sai_sac" > "C:\Capturas\huge.csv"

EDIT1: I was having trouble with an error message "tshark: The file [filename] appears to have been cut short in the middle of a packet." but realized it does not interfere with the command's inner workings.

EDIT 2: I only changed the separator from \t to , to be able to open the csv on MS Excel without any further steps.

EDIT3: I'm trying to upvote your answer but the system does require >15 pts to allow it.

I really appreciate your help guys!!

menticol (2019-11-12 22:30:18 +0000)

You don't upvote an answer that has solved your issue, you accept it by clicking the checkmark icon to the left of it.

This also helps other folks with the same issue to quickly see which answer was most helpful.

grahamb (2019-11-13 07:49:09 +0000)

This looks really cool!

When I want to extract data from a pcap file, I would apply the specific field as a column and then File > Export Packet Dissections > As CSV.

yash.rohilla (2019-11-26 15:42:33 +0000)
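The following is an added example, not code from the thread or from the Wireshark project: it wraps the tshark command from the answer above in a small Python script and parses the CSV it produces with the csv module, which is needed because the answer's `-E quote=d` wraps cells in double quotes and a field that occurs more than once in a packet is joined by tshark's default aggregator (`,`) inside one quoted cell, so a naive split on commas would miscount columns. Building the command as an argv list also sidesteps the per-shell quoting issue raised in the comments, and the runner keeps stdout even when tshark complains about a capture that was "cut short", the situation described in the comments. The field names and display filter are the ones from the question; the sample CSV text and the IMSI/MSISDN values in it are constructed for the example, not taken from a real capture; the `extract` function is an assumed wrapper and only runs if tshark is on PATH.

```python
"""Drive tshark to extract GTP fields to CSV and parse the result (added example)."""
import csv
import io
import shutil
import subprocess
from typing import Dict, List, Sequence

# Fields from the question; frame.number first so each row can be traced back
# to the packet list in Wireshark.
FIELDS = ["frame.number", "e212.imsi", "e164.msisdn", "gtp.lac", "gtp.sai_sac"]
FILTER = "gtp.message == 0x10"   # Create PDP context request, as in the question
AGGREGATOR = ","                 # tshark's default joiner for a field that repeats in one packet


def build_tshark_cmd(pcap: str, fields: Sequence[str] = FIELDS,
                     display_filter: str = FILTER) -> List[str]:
    """Return the argv list for the answer's tshark command.

    Passing an argv list to subprocess (not a shell string) means no shell ever
    sees 'header=y' or 'separator=,', so no per-shell quoting is needed.
    """
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields",
           "-E", "header=y", "-E", "separator=,", "-E", "quote=d"]
    for f in fields:
        cmd += ["-e", f]
    return cmd


def parse_fields_csv(text: str, aggregator: str = AGGREGATOR) -> List[Dict[str, List[str]]]:
    """Parse tshark '-T fields -E header=y -E separator=, -E quote=d' output.

    Every cell becomes a list: empty cell -> [], one value -> [value], and a
    field that occurred several times in one packet (tshark joins the
    occurrences with the aggregator inside one quoted cell) -> [v1, v2].
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v.split(aggregator) if v else []) for k, v in rec.items()})
    return rows


def extract(pcap: str, fields: Sequence[str] = FIELDS) -> List[Dict[str, List[str]]]:
    """Run tshark on a capture file and return the parsed rows (assumed wrapper).

    A truncated capture makes tshark print "appears to have been cut short in
    the middle of a packet" on stderr and may give a non-zero exit status even
    though the rows it did extract are on stdout, so stdout is parsed
    regardless of the exit status and stderr is reported separately.
    """
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    proc = subprocess.run(build_tshark_cmd(pcap, fields),
                          capture_output=True, text=True)
    if proc.stderr.strip():
        print("tshark stderr:", proc.stderr.strip())
    return parse_fields_csv(proc.stdout)


# Constructed sample of what tshark prints for the command above (not real
# capture data): a normal row, a row with an empty MSISDN, and a row where
# gtp.lac occurred twice in the packet and was aggregated into one quoted cell.
SAMPLE_OUTPUT = (
    'frame.number,e212.imsi,e164.msisdn,gtp.lac,gtp.sai_sac\n'
    '"197","001010123456789","15551234567","0x0001","0x0010"\n'
    '"771","001010123456790","","0x0001","0x0011"\n'
    '"809","001010123456791","15551234569","0x0002,0x0003","0x0012"\n'
)


def imsis_by_lac(rows: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Group IMSIs by every LAC a row carries (a row with two LACs counts for both)."""
    out: Dict[str, List[str]] = {}
    for row in rows:
        for lac in row["gtp.lac"]:
            out.setdefault(lac, []).extend(row["e212.imsi"])
    return out


if __name__ == "__main__":
    import sys
    # With a .pcap path on the command line, run tshark; otherwise parse the sample.
    rows = extract(sys.argv[1]) if len(sys.argv) > 1 else parse_fields_csv(SAMPLE_OUTPUT)
    for row in rows:
        print(row["frame.number"][0], row["e212.imsi"], row["e164.msisdn"],
              row["gtp.lac"], row["gtp.sai_sac"])
    print(imsis_by_lac(rows))
```

Run it as `python extract_gtp.py huge.pcap` to drive tshark, or with no argument to see the parser work on the embedded sample. Keeping every cell as a list is deliberate: a cell like `"0x0002,0x0003"` is a single packet reporting two LACs, and treating it as two columns would shift the remaining fields of that row.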
