Definition of dissector_rfc

Hi everyone, I'm using tshark to decode the AVPs of a Diameter capture file with this command:

tshark -r Diameter.pcap -T fields -e "diameter.Subscription-Id" >/dev/null 2>&1

"diameter.Subscription-Id" is just there to make sure that tshark goes through the AVP dissector so that I can get the values of all AVPs. The file is about 800 MB, so it takes time, with output printed on screen and running at 100% CPU. So I changed the command:

tshark -r Diameter.pcap >/dev/null 2>&1

In this way, it's faster but tshark doesn't go through some AVPs. I tried to read the source code and found the difference between the two commands:

    dissect_diameter_avp(...)
    {
      ....
      /* decoded AVP value; has a value with the first command, NULL with the second */
      avp_str = a->dissector_rfc(c, a, subtvb, diam_sub_dis_inf);
      ....
    }

Tshark goes to dissector_rfc in both cases, but with the first command avp_str has a value while it is NULL with the second command. I tried to find out how dissector_rfc works but found nothing in the source code. So please help if you have experience with the source code:

  • How can I find the definition of dissector_rfc in the source code? That way, I can change the code so that avp_str is not NULL with the second command.
  • Is it possible to force tshark to go through the AVPs without printing output (to make it faster)?

hoangsonk49
asked 2022-09-07 11:01:16 +0000, updated 2022-09-07 11:12:36 +0000

Comments

There are several places in packet-diameter.c where a->dissector_rfc is assigned a value.

Have you looked at the AVP statistics tshark (man page) can provide with -z diameter,avp[,cmd.code,field,field,...] ?

Chuckc (2022-09-07 14:18:24 +0000)

Thanks Chuckc for your advice. I tried the AVP statistics but they're very slow. The inputs of dissector_rfc are (c, a, subtvb, diam_sub_dis_inf) but I don't know how it works, so I cannot change these values. Do you know where dissector_rfc is defined?

hoangsonk49 (2022-09-08 09:49:50 +0000)

packet-diameter.c#L1826:

    /* AVP codes below 256 are the RADIUS-compatible range and get the RADIUS decoder */
    if (code < 256) {
        a->dissector_rfc = address_radius_avp;
    } else {
        a->dissector_rfc = address_rfc_avp;
    }

It's also set in build_proto_avp(), build_simple_avp() and build_appid_avp().

Chuckc (2022-09-08 13:46:48 +0000)

Thanks Chuck for your suggestion. I tried it but got the same results in both cases.

hoangsonk49 (2022-09-08 14:31:40 +0000)

1 Answer

Hi, I think the problem is whether we have a tree or not; there are plenty of if(c->tree) checks. In the second example, no tree is built if I'm not mistaken. Hence it goes faster but does not print any information. Best regards Anders

Anders
answered 2022-09-08 14:16:02 +0000
cmaynard
updated 2022-09-08 14:40:57 +0000

Comments

Yes, Anders. I ran some debugging and the results show different values of tree (NULL and not NULL). Is there any way (command option, changing code ...) to force tshark to dissect all AVPs in Diameter (only Diameter)? Thanks!

hoangsonk49 (2022-09-08 14:36:35 +0000)

Not that I know of.

Anders (2022-09-09 05:33:54 +0000)

Possibly the if("tree") should be removed as we have other optimizations now.

Anders (2022-09-09 05:35:29 +0000)
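If the goal is only to pull AVP values out of the capture rather than to see Wireshark's tree, a small standalone AVP walker sidesteps the if(tree) question entirely. This is an added example, not code from the thread or from Wireshark's packet-diameter.c: it parses the RFC 6733 AVP header (code, flags, 24-bit length, optional Vendor-ID, 4-octet padding), descends into the grouped Subscription-Id AVP (code 443) to read Subscription-Id-Type (450) and Subscription-Id-Data (444), and rejects truncated or over-long AVPs. It assumes the 20-octet Diameter message header has already been stripped; the sample bytes are constructed here.

```python
import struct
AVP_FLAG_VENDOR = 0x80          # V bit: a Vendor-ID field follows the length
AVP_SUBSCRIPTION_ID = 443       # Grouped (RFC 4006)
AVP_SUBSCRIPTION_ID_DATA = 444  # UTF8String
AVP_SUBSCRIPTION_ID_TYPE = 450  # Enumerated: 0 = E.164, 1 = IMSI, ...

def iter_avps(buf: bytes):
    """Yield (code, vendor_id, data) for each AVP in buf; raise on malformed input."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError(f"truncated AVP header at offset {off}")
        code, flags_len = struct.unpack_from(">II", buf, off)
        flags, length = flags_len >> 24, flags_len & 0x00FFFFFF  # 8-bit flags, 24-bit length
        hdr, vendor = 8, None
        if flags & AVP_FLAG_VENDOR:
            if len(buf) - off < 12:
                raise ValueError(f"truncated Vendor-ID at offset {off}")
            vendor = struct.unpack_from(">I", buf, off + 8)[0]
            hdr = 12
        if length < hdr or off + length > len(buf):
            raise ValueError(f"bad AVP length {length} at offset {off}")
        yield code, vendor, buf[off + hdr:off + length]
        off += (length + 3) & ~3  # length excludes padding; data is padded to 4 octets

def subscription_ids(avps: bytes):
    """Return (Subscription-Id-Type, Subscription-Id-Data) for every Subscription-Id group."""
    found = []
    for code, _vendor, data in iter_avps(avps):
        if code != AVP_SUBSCRIPTION_ID:
            continue
        sid_type, sid_data = None, None
        for inner_code, _v, inner in iter_avps(data):  # grouped AVP: data is itself AVPs
            if inner_code == AVP_SUBSCRIPTION_ID_TYPE:
                sid_type = struct.unpack(">I", inner)[0]
            elif inner_code == AVP_SUBSCRIPTION_ID_DATA:
                sid_data = inner.decode("utf-8")
        found.append((sid_type, sid_data))
    return found

def build_avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    """Encode one AVP (no Vendor-ID, M bit set) with padding; used only to build the sample."""
    return struct.pack(">II", code, (flags << 24) | (8 + len(data))) + data + b"\0" * (-len(data) % 4)

# Constructed sample: two Subscription-Id groups (IMSI, then E.164), message header already stripped.
SAMPLE_AVPS = (
    build_avp(443, build_avp(450, struct.pack(">I", 1)) + build_avp(444, b"262011234567890"))
    + build_avp(443, build_avp(450, struct.pack(">I", 0)) + build_avp(444, b"491701234567"))
)
```

To run it over a real capture, feed it the Diameter payload of each packet after the 20-octet message header; no dissection tree is involved, so it costs only the bytes it walks.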