tshark does not filter packets inside docker container

We have a situation where the tshark command runs fine and filters a pcap file, but the same command fails to run within a Docker container running in Kubernetes.

Here is the command in question.

tshark -n -r input.pcap -w output.pcap -Y "diameter.Bearer-Identifier == 05"

Details:

CentOS Linux release 7.5.1804 (Core)
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips 26 Jan 2017
TShark 1.10.14 (Git Rev Unknown from unknown)

Please respond if anyone has faced a similar situation.

Abhi
asked 2020-03-19 11:34:25 +0000

2 Answers

The version of tshark (1.10.14) you're running is too old.

As you can see from the Wireshark Display Filter field reference, the field diameter.Bearer-Identifier was only introduced in 1.2.2.

grahamb
answered 2020-03-19 12:15:54 +0000

Comments

The AVP is defined in the dictionary.xml and it works outside the container. When we run the same command inside docker it does not filter it out!

Abhi (2020-03-20 03:37:49 +0000)

Found the root cause of this problem. Inside the container the diameter agent was running on a non-default port. Hence it wasn't filtering the files. The version of tshark wasn't an issue.

tshark -d tcp.port==<your-port>,diameter -n -r input.pcap -w output.pcap -Y "diameter.Bearer-Identifier == 05"

Abhi
answered 2020-03-20 12:17:59 +0000
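
The root cause in the answer above (Diameter carried on a non-default port, so the display filter had nothing decoded as Diameter to match) can be checked for before guessing at a port. The following is an added example, not part of the original answer or of Wireshark: a heuristic Python scan of a classic little-endian Ethernet/IPv4 pcap for TCP payloads that begin with a Diameter header, returning the matching `-d` arguments. All function names, the sample capture and port 13868 are constructed for illustration.

```python
import struct
from collections import Counter

DIAMETER_PORT = 3868  # default Diameter port

def looks_like_diameter(payload: bytes) -> bool:
    """Heuristic on the 20-byte Diameter header (RFC 6733)."""
    if len(payload) < 20 or payload[0] != 1:  # version must be 1
        return False
    msg_len = int.from_bytes(payload[1:4], "big")
    # length includes the header and is 4-byte aligned; low 4 flag bits are reserved (0)
    return 20 <= msg_len <= len(payload) and msg_len % 4 == 0 and (payload[4] & 0x0F) == 0

def tcp_payloads(pcap: bytes):
    """Yield (sport, dport, payload) from a little-endian Ethernet/IPv4 pcap."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported capture format")
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:14 + struct.unpack_from("!H", frame, 16)[0]]
        if len(tcp) >= 20:
            yield (*struct.unpack_from("!HH", tcp), tcp[(tcp[12] >> 4) * 4:])

def suggest_decode_as(pcap: bytes) -> list:
    """Return tshark -d arguments for non-default ports carrying Diameter-like data."""
    hits = Counter()
    for sport, dport, payload in tcp_payloads(pcap):
        if looks_like_diameter(payload):
            hits[min(sport, dport)] += 1  # assumption: the lower port is the server
    return [f"-d tcp.port=={p},diameter" for p, _ in hits.most_common() if p != DIAMETER_PORT]

def sample_pcap(port: int) -> bytes:
    """Constructed capture: one TCP segment holding a bare Diameter header."""
    diam = b"\x01" + (20).to_bytes(3, "big") + b"\x80" + (257).to_bytes(3, "big") + bytes(12)
    tcp = struct.pack("!HHIIBBHHH", 40000, port, 0, 0, 0x50, 0x18, 65535, 0, 0) + diam
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    frame = bytes(12) + b"\x08\x00" + ip
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)

if __name__ == "__main__":
    print(suggest_decode_as(sample_pcap(13868)))  # 13868 is a constructed port
```

Messages split across TCP segments are skipped by this check, so treat an empty result as inconclusive rather than as proof that no Diameter traffic is present.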
