
Tshark: Get multiple occurrences with same field value

Hi guys!

Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.

Let's say I have 330 packages inside a .pcap file, from which I'm showing you the first three.

No. | Time | Source | Destination | Protocol | Length | Info
--- | --- | --- | --- | --- | --- | ---
1 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
2 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325
3 | 2020-04-03 19:15:07.755864 | 172.27.241.161 | 172.27.241.171 | DIAMETER | 1686 | cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325

Now let's expand packet number one.

Diameter Protocol
    Version: 0x01

... (tens of lines deleted to save post space) ...

AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org

... (tens of lines deleted to save post space) ...

AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-

OK! The Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside it:

AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
    AVP Code: 456 Multiple-Services-Credit-Control
    AVP Flags: 0x40, Mandatory: Set
    AVP Length: 104
    Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…

Now let's click the 000001be400000440000 node:

AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)

And then click the last node... OK, this is getting really tedious. You get the idea: you need to go five levels down to reach the treasure. Here it is:

AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25

At this point it seems very easy! Just make a .bat script with the following content, and I would get all values for all packages inside my multiple .pcap files:

    REM Inner quotes are escaped as \" so cmd.exe passes them through to tshark intact;
    REM the IMSI alternatives are parenthesised so the && conditions apply to both IMSIs;
    REM numeric fields need no quotes; the stray comma after separator=~ is removed.
    "C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "diameter.3GPP-Reporting-Reason == 2 && diameter.avp.code == 421 && diameter.avp.code == 432 && (e212.imsi == \"334110010009868\" || e212.imsi == \"334110010009869\")" -T fields -E header=y -E separator=~ -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e ...
menticol
asked 2020-04-17 23:59:56 +0000, updated 2020-04-20 18:56:51 +0000

Comments

Have you looked at using one of the other output formats?

   -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)

Then process as needed with a script (grep, sed, awk, cut, ....) or with a "little java program" as you mentioned.

Chuckc (2020-04-18 01:44:54 +0000)

So what format do you want?

From your complaint about "a wonderful one hundred character long line" it sounds as if you want the line split. The line in question, however, isn't "93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.", it's all the values of all the fields on one line, with "~" separating the values for different fields, and with "," separating the values for a given field.

How do you want that split?

Guy Harris (2020-04-18 07:11:59 +0000)

Thank you for your answers Bubbasnmp and Guy Harris. I tried the output formats Bubba suggested, but even with other formats the field value is the same (btw, I didn't know tshark was capable of that formatting, awesome!). About Guy Harris's comment, I'm sorry if I didn't express myself correctly: tshark is doing its job, I'm pretty sure the problem is between the keyboard and the chair. I would like to show all of you the pcap file. Is there a way I can upload it without violating wireshark.org forum rules?

menticol (2020-04-20 18:45:01 +0000)

OK, I just went ahead and uploaded an external link; if this is not allowed, please let me know and I'll take it down.

menticol (2020-04-20 18:52:51 +0000)

A link to external storage is fine, as long as it's publicly accessible.

Jaap (2020-04-20 19:06:06 +0000)

1 Answer

tshark -r ./resultado_334110010009868.pcap -T json -Y "diameter.Used-Service-Unit == 00:00:01:a4:40:00:00:0c:00:00:00:78:00:00:01:a5:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9c:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9e:40:00:00:10:00:00:00:00:00:00:00:00" | grep -e diameter.CC-Time -e diameter.CC-Total-Octets -e diameter.CC-Input-Octets -e diameter.CC-Output-Octets -e diameter.Rating-Group | sed -e "/Rating-Group/s/$/\t/" | tr -d '\n' | tr '\t' '\n' | sed -e "s/ *//g" -e "s/\":\"/=/g" | sed -e "s/\"\"/ /g"

<snip>
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=3"
"diameter.CC-Input-Octets=348 diameter.CC-Output-Octets=0 diameter.Rating-Group=2"
"diameter.CC-Input-Octets=896 diameter.CC-Output-Octets=3552 diameter.Rating-Group=1"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=25"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=10"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=8"
"diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=3"
"diameter.CC-Input-Octets=348 diameter.CC-Output-Octets=0 diameter.Rating-Group=2"
"diameter.CC-Input-Octets=40 diameter.CC-Output-Octets=135 diameter.Rating-Group=1"
Chuckc
answered 2020-04-20 22:03:36 +0000

Comments

The post processing would be better handled in a script or program that does data validation and error checking.

Chuckc (2020-04-20 22:06:27 +0000)
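The grep/sed/tr pipeline in the answer and the comment above about moving the post-processing into a script with validation, taken one step further as an added example (not code from anyone in this thread): a Python script that reads `tshark -T json` output and emits one row per Multiple-Services-Credit-Control AVP, so it also runs on Windows without grep. The sample fragment is constructed and simplified to the shape of tshark's JSON tree; the AVP labels and values are the ones shown in the question and answer.

```python
import json

# Per-MSCC fields the question wants; tshark -T json emits their values as strings.
WANTED = ("diameter.CC-Time", "diameter.CC-Total-Octets", "diameter.CC-Input-Octets",
          "diameter.CC-Output-Octets", "diameter.Rating-Group")
MSCC_KEY = "AVP: Multiple-Services-Credit-Control"

def members(node):
    """Yield every (key, value) object member below node, depth first."""
    if isinstance(node, list):
        for item in node:
            if isinstance(item, tuple):      # an object member
                yield item
                yield from members(item[1])
            else:                            # an array element
                yield from members(item)

def extract_mscc_rows(text):
    """One dict per MSCC AVP in tshark -T json output; fields absent from that AVP become '0'."""
    # tshark repeats the same object key for every repeated AVP; plain json.loads keeps
    # only the last one, so objects are kept as (key, value) lists instead of dicts.
    tree = json.loads(text, object_pairs_hook=lambda pairs: pairs)
    rows = []
    for key, value in members(tree):
        if key.startswith(MSCC_KEY) and isinstance(value, list):
            found = {}
            for k, v in members(value):
                if k in WANTED and isinstance(v, str):
                    found.setdefault(k, v)   # first occurrence inside this MSCC wins
            rows.append({f: found.get(f, "0") for f in WANTED})
    return rows

# Constructed, simplified fragment in the shape of tshark -T json (real output has
# more layers and per-AVP fields); note the repeated MSCC key in one packet.
SAMPLE = """[{"_source":{"layers":{"diameter":{
 "AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-":{
  "AVP: Used-Service-Unit(446) l=68 f=-M-":{
   "AVP: CC-Time(420) l=12 f=-M- val=120":{"diameter.CC-Time":"120"},
   "AVP: CC-Total-Octets(421) l=16 f=-M- val=0":{"diameter.CC-Total-Octets":"0"},
   "AVP: CC-Input-Octets(412) l=16 f=-M- val=0":{"diameter.CC-Input-Octets":"0"},
   "AVP: CC-Output-Octets(414) l=16 f=-M- val=0":{"diameter.CC-Output-Octets":"0"}},
  "AVP: Rating-Group(432) l=12 f=-M- val=25":{"diameter.Rating-Group":"25"}},
 "AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-":{
  "AVP: Used-Service-Unit(446) l=68 f=-M-":{
   "AVP: CC-Input-Octets(412) l=16 f=-M- val=348":{"diameter.CC-Input-Octets":"348"},
   "AVP: CC-Output-Octets(414) l=16 f=-M- val=0":{"diameter.CC-Output-Octets":"0"}},
  "AVP: Rating-Group(432) l=12 f=-M- val=2":{"diameter.Rating-Group":"2"}}}}}}]"""

if __name__ == "__main__":
    for row in extract_mscc_rows(SAMPLE):
        print(" ".join(f"{k}={v}" for k, v in row.items()))
```

With a naive `json.load` the second MSCC silently overwrites the first, which is exactly the "multiple occurrences with the same field value" the question is about; newer tshark builds also offer `--no-duplicate-keys`, which merges repeated keys into JSON arrays instead.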

I'm very sorry for taking so long guys. Thank you Bubbasnmp, your solution was much more elegant, but since I'm working on Windows I was not able to use grep commands. However your idea pointed me in the right direction with (you guessed it) my little java script!

I ended up making a table and copying all values over and over again (packet number, date, etc), replacing only the ones that changed.

https://www.dropbox.com/s/ykrknayyuj9...

In the cases where I did not have data to fill the space, I put a zero.

I really appreciate your time guys, stay safe

menticol (2020-04-22 20:00:01 +0000)
