Tshark -Y syntax usage

Hey guys! I'm using tshark as part of a batch process to examine hundreds of .pcap files.

Let me show you some examples of what I'm trying to do:

Goal: Show all packets related to the 444 event

"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Pcap\20200301_00_00-DCCS-ONE.pcap" -Y "diameter.avp.code == 444" -T fields -E header=y -E "separator=~",  -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi>"C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Csv\20200301_00_00-DCCS-ONE.pcap.csv"

Result: Works ok!

Goal: Show me all packets if smpp.command_id == 0x00000004 and smpp.command_id==0x00000004 or smpp.command_id==0x80000004

"-Y \"(smpp.command_id==0x00000004)||(smpp.command_id==0x80000004)||(smpp.command_id==0x00000005)||(smpp.command_id==0x80000005)\" -T fields -E header=y -E \"separator=|\",  -e frame.number -e frame.time -e smpp.sequence_number -e smpp.message_id -e _ws.col.Info -e smpp.source_addr_ton -e smpp.source_addr -e tcp.srcport -e ip.src -e smpp.dest_addr_ton -e smpp.destination_addr -e smpp.sm_length -e smpp.command_status -e tcp.dstport -e ip.dst >\""

Result: Works ok!

Goal: show me all packets that have diameter.avp.code == 444 AND ALSO e212.imsi == "334110120002361"

-Y "(diameter.avp.code == 444)" -Y "(e212.imsi == "334110120002361")" -T fields -E header=y -E "separator=~",  -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi

Result: FAIL. It returns all packets that satisfy either one of the conditions, like an "OR" switch.

Let's try with this

-Y "(diameter.avp.code == 444 && e212.imsi == "334110120002361")"

Result: FAIL. Unknown command. The problem's located between the keyboard and the chair. Get out!

How can I build an AND connector for the tshark command line?

Thank you very much guys!

menticol, asked 2020-03-03 00:43:21 +0000; updated by grahamb 2020-03-03 15:16:18 +0000

Comments

Are you getting a syntax error when using &&, or just no packets returned?
If no packets, have you verified that there is a packet that meets both criteria?
Do you have access to the Wireshark GUI to test the filter expression?

Chuckc (2020-03-03 01:07:08 +0000)

2 Answers

It appears that you are working in a Windows cmd shell. It looks to be a quoting issue.

Did you try?

-Y "diameter.avp.code == 444 && e212.imsi == \"334110120002361\""

Not having a trace file like yours to test against, I couldn't prove it provides your answer, but on my Windows system this filter did not cause an error.

Also, when I tested with multiple -Y entries, it does not appear to "OR" the two -Y filters. Instead, only the last -Y filter gets applied.

Compare:

tshark -r MYCAP -Y "frame.number<5" -Y "frame.number<10"

with:

tshark -r MYCAP -Y "frame.number<10" -Y "frame.number<5"

Jim Young, answered 2020-03-03 04:02:14 +0000

Comments

Almost certainly quoting the arguments is the issue. If you need double quotes in the argument then you can quote the whole parameter in single quotes, e.g.

'a single quoted thing with a "double quoted" part'
grahamb (2020-03-03 15:18:58 +0000)

Thank you very much Jim, your solution worked like a charm. Sorry for the backslashes, these were a remnant from the Java program that is generating the batch files.

For everyone's reference, the working query is this:

-Y "diameter.avp.code == 444 && e212.imsi == "334110120002361"" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi

Before marking the thread as closed, I have a small question please. I wonder why the diameter AVP code is not quoted, but e212.imsi should be quoted?

PS: Also thanks for your contribution Graham and Bubbasnmp

menticol (2020-03-03 17:12:07 +0000)

https://www.wireshark.org/docs/dfref/...

diameter.avp.code   AVP Code   Unsigned integer, 4 bytes

https://www.wireshark.org/docs/dfref/...

e212.imsi   IMSI   Character string

It is a string field.

Chuckc (2020-03-03 18:20:17 +0000)

@grahamb, does "double quotes within single quotes" work in Windows command-line interpreters? It's a common trick in UN*X shells, but does it also work with cmd.exe and PowerShell? (Where are the quoting rules in cmd.exe documented on docs.microsoft.com?)

Guy Harris (2020-03-03 18:23:46 +0000)

@Guy Harris

Good catch. PowerShell does work with double quotes within single quotes (or vice versa), but Cmd only handles single in double.

The PowerShell quoting rules are here; for those odd occasions when I have to use Cmd, I usually pick an external site, e.g. here.

grahamb (2020-03-03 19:37:04 +0000)
To expand the answer a little more and for future reference, I leave you with the working examples I made using your suggestions:

"C:\Program Files\Wireshark\tshark"
-r "C:\Temp\172.27.242.215\Pcap\20191101_00_15-MIRR-BKP.pcap"
-Y "(gsm_old.localValue==46)&&(e164.msisdn=="525588420125")||(gsm_sms.tp-da=="5588420125")||(e164.msisdn=="526682370037")||(gsm_sms.tp-da=="6682370037")"
-T fields -E header=y -E "separator=~",
-e frame.number -e frame.time -e smpp.sequence_number -e smpp.message_id -e _ws.col.Info -e tcap.tid -e tcap.otid -e e164.msisdn -e gsm_sms.tp-da -e gsm_sms.sms_text
>"C:\Temp\172.27.242.215\Csv\20191101_00_15-MIRR-BKP.pcap.csv"

Parentheses can also be used around a single parameter:

"C:\Program Files\Wireshark\tshark"
-r "C:\Temp\172.27.242.215\Pcap\20191104_11_55-MIRR-BKP.pcap"
-Y "(tcap.tid=="85:64")"
-w "C:\Temp\172.27.242.215\Csv\20191104_11_55-MIRR-BKP_caso_2.pcap" -F pcap

Thank you again Jim, grahamb and bubbasnmp for your input, guys; without your help my project would have failed.

menticol, answered 2020-03-13 19:50:46 +0000; updated by grahamb 2020-03-14 14:02:44 +0000

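Added example (not part of the thread, and not Wireshark's own code): a small Python helper that builds the display filter with the right quoting per field type, groups && and || explicitly, and then renders the same argument list for cmd.exe or a POSIX shell, or hands it to tshark directly with no shell in between. It covers the quoting point from Jim Young's answer and the comments under it (why `diameter.avp.code == 444` is bare while `e212.imsi == "334110120002361"` is quoted, and why only one -Y should be passed), and the precedence caveat for the mixed &&/|| filter in the second answer: in Wireshark display filters && binds tighter than ||, so `A && B || C` is read as `(A && B) || C`; if the intent is `A && (B || C)`, the parentheses have to be written out. Assumptions: FIELD_DUMP is a constructed sample that mimics the tab-separated `tshark -G fields` format (F, name, abbrev, type, parent, base, bitmask, blurb) for the fields named in the thread, where a real job would read that command's actual output; STRING_TYPES is the list of FT_* string types this example chooses to quote; the tshark, capture and CSV paths are placeholders.

```python
"""Compose tshark display filters with correct quoting and explicit precedence,
then render them for cmd.exe, for a POSIX shell, or run tshark with no shell.

Added example for the thread above; not code from the original posts or from
Wireshark.  The sample field dump below is constructed, not captured.
"""
import shlex
import subprocess
from itertools import chain
from typing import Dict, Iterable, List

# Constructed sample mimicking `tshark -G fields` (tab-separated columns:
# F, name, abbrev, type, parent, base, bitmask, blurb) for fields in the thread.
FIELD_DUMP = (
    "F\tAVP Code\tdiameter.avp.code\tFT_UINT32\tdiameter\tBASE_DEC\t0x0\tAVP Code\n"
    "F\tIMSI\te212.imsi\tFT_STRING\te212\tBASE_NONE\t0x0\tInternational Mobile Subscriber Identity\n"
    "F\tTP-DA\tgsm_sms.tp-da\tFT_STRING\tgsm_sms\tBASE_NONE\t0x0\tTP-Destination-Address\n"
)

# FT_* types this example treats as strings (assumption; values get quoted).
STRING_TYPES = {"FT_STRING", "FT_STRINGZ", "FT_UINT_STRING", "FT_STRINGZPAD", "FT_STRINGZTRUNC"}


def field_types(dump: str) -> Dict[str, str]:
    """Map field abbreviation -> FT_* type from `tshark -G fields` style text."""
    types: Dict[str, str] = {}
    for line in dump.splitlines():
        cols = line.split("\t")
        if len(cols) >= 4 and cols[0] == "F":
            types[cols[2]] = cols[3]
    return types


def literal(value: str, ftype: str) -> str:
    """Render a value for a field of type ftype: string fields are wrapped in
    double quotes (embedded backslashes and quotes escaped); numeric and other
    fields stay bare, which is why 444 needs no quotes but the IMSI does."""
    if ftype in STRING_TYPES:
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    return value


def term(field: str, value: str, types: Dict[str, str], op: str = "==") -> str:
    """One comparison, typed from the field table; unknown fields fail early."""
    if field not in types:
        raise KeyError(f"unknown field {field!r}; check `tshark -G fields`")
    return f"{field} {op} {literal(value, types[field])}"


def all_of(*terms: str) -> str:
    """AND with explicit parentheses so it stays correct when nested in an OR."""
    return "(" + " && ".join(terms) + ")"


def any_of(*terms: str) -> str:
    """OR with explicit parentheses; needed because && binds tighter than ||."""
    return "(" + " || ".join(terms) + ")"


def tshark_argv(tshark: str, pcap: str, dfilter: str, fields: Iterable[str], sep: str = "~") -> List[str]:
    """Build the argument list.  Exactly one -Y: tshark applies only the last
    -Y it sees, so conditions are combined inside a single filter string."""
    return [tshark, "-r", pcap, "-Y", dfilter, "-T", "fields", "-E", "header=y",
            "-E", f"separator={sep}", *chain.from_iterable(("-e", f) for f in fields)]


def cmd_exe_line(argv: List[str]) -> str:
    """Render argv as one cmd.exe / .bat line using Windows argument-quoting
    rules (list2cmdline): inner double quotes become \\" as in Jim's answer."""
    return subprocess.list2cmdline(argv)


def posix_line(argv: List[str]) -> str:
    """Render argv for sh/bash: the filter ends up in single quotes, as grahamb suggests."""
    return shlex.join(argv)


def run_to_csv(argv: List[str], csv_path: str) -> int:
    """Run tshark from an argument list (no shell, so no quoting layer at all)
    and write its field output to csv_path.  Returns tshark's exit status."""
    with open(csv_path, "w", encoding="utf-8", newline="") as out:
        return subprocess.run(argv, stdout=out, check=True).returncode


if __name__ == "__main__":
    types = field_types(FIELD_DUMP)
    dfilter = all_of(term("diameter.avp.code", "444", types),
                     term("e212.imsi", "334110120002361", types))
    argv = tshark_argv(r"C:\Program Files\Wireshark\tshark", r"C:\Temp\in.pcap",
                       dfilter, ["frame.number", "frame.time", "e212.imsi"])
    print(cmd_exe_line(argv))   # line for a .bat file
    print(posix_line(argv))     # same command for bash
```

For a machine-generated batch job, run_to_csv is the least fragile path because the filter never passes through cmd.exe at all; if the job must emit .bat lines, cmd_exe_line produces the `-Y "... \"334110120002361\" ..."` form that worked in the thread, and posix_line the single-quoted form for Unix shells.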