Getting blank data for e212.imsi field while using tshark

Hi, I'm using tshark to filter some of the required fields, whereas the field "e212.imsi" is giving blank data. Can anyone please help?

Gopi
asked 2022-05-03 13:55:20 +0000

Comments

There is a pcap attached to GTPv2: IMSI is decoded improperly. What do you get with:

Downloads$ tshark -r ./gtp.pcap -T fields -e e212.imsi -e e212.mcc -e e212.mnc
123456789056789 123,123 456,456
Chuckc (2022-05-03 15:21:06 +0000)

Hi @Chuckc, used your test pcap, pasting the output below.

$ tshark -r ./gtp.pcap -T fields -e e212.imsi -e e212.mcc -e e212.mnc
250,250,123 3,3,456

I'm using tshark on an Amazon Linux 2 box, and the tshark version is TShark 1.10.14.

Gopi (2022-05-29 06:23:34 +0000)

That's a really old version of tshark. If an upgrade package is not available you may have to build from source.

Chuckc (2022-05-29 16:47:57 +0000)

But when I try to update the package it says it's the latest version.

$ sudo yum install wireshark
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
https://download.docker.com/linux/cen...: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
Package wireshark-1.10.14-24.amzn2.x86_64 already installed and latest version
Nothing to do

Do you think I should use any other source? Thanks in advance.

Gopi (2022-05-31 06:45:28 +0000)