Different output between tshark and wireshark

Hi, I was trying to match some Diameter dialogues and I realized that tshark does not decode some packets while Wireshark does.

This is the file https://www.dropbox.com/s/msrsr9uwukd...

I tried both with -2 and without:

tshark -V -2 -r 333b.pcapng

No Diameter is found.

Wireshark version 4.0.1 (v4.0.1-0-ge9f3970b1527).

Check screenshot of decoded file:

https://www.dropbox.com/s/b8yeit4pz6l...

The wireshark configuration for Diameter protocol is:

Reassemble Diameter messages spanning multiple TCP segments -> flagged

TCP ports : 3000-3867,3869-3999

SCTP port(s) : 3868

Alessandro
asked 2022-11-15 20:50:57 +0000, updated 2022-11-16 09:21:22 +0000

Comments

Put it on a public fileshare (Dropbox, Google, Onedrive, ...) and update the description with a link to it.

Chuckc (2022-11-15 21:24:23 +0000)

Please provide the tshark command you are using. Specifically, I'm wondering if you are including the -2 option or not. Also, please provide the version information from tshark -v.

cmaynard (2022-11-15 22:37:03 +0000)

No Diameter is found.

No Diameter is found when I open it in

Wireshark 4.0.1 (v4.0.1-0-ge9f3970b1527).

Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Clang 11.0.0 (clang-1100.0.33.16), with GLib 2.68.4,
with PCRE2, with zlib 1.2.11, with Qt 6.2.4, with libpcap, without POSIX
capabilities, with Lua 5.2.4, with GnuTLS 3.6.15 and PKCS #11 support, with
Gcrypt 1.8.7, with Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with
brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with libsmi
0.4.8, with ...
Guy Harris (2022-11-16 08:14:06 +0000)

1 Answer

Are you using the same Default profile in Wireshark?
Make a custom profile and uncheck Analyze TCP sequence numbers in the TCP Preferences.
Then specify that profile on the tshark command line with the -C option.

Downloads$ tshark -r ./333b.pcapng -C Ask_Diameter
    1   0.000000     10.9.9.9 → 10.10.10.10  TCP 2868 3868 → 33422 [ACK] Seq=2217234530 Ack=773019158 Win=32586 Len=2800 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    2   0.000034     10.9.9.9 → 10.10.10.10  TCP 2868 3868 → 33422 [ACK] Seq=2217238730 Ack=773019158 Win=32586 Len=2800 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    3   0.000044     10.9.9.9 → 10.10.10.10  TCP 892 3868 → 33422 [PSH, ACK] Seq=2217241530 Ack=773019158 Win=32586 Len=824 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    4   0.000028     10.9.9.9 → 10.10.10.10  DIAMETER/XML 1468 cmd=User-Data Answer(306) flags=-P-- appl=3GPP Sh(16777217) h2h=13b8ff6 e2e=3831ef6 |

Downloads$ tshark -r ./333b.pcapng
    1   0.000000 3868     10.9.9.9 33422 10.10.10.10  TCP 2868 10.9.9.9,10.10.10.10  3868 → 33422 [ACK] Seq=1 Ack=1 Win=32586 Len=2800 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    2   0.000034 3868     10.9.9.9 33422 10.10.10.10  TCP 2868 10.9.9.9,10.10.10.10  [TCP Previous segment not captured] 3868 → 33422 [ACK] Seq=4201 Ack=1 Win=32586 Len=2800 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    3   0.000044 3868     10.9.9.9 33422 10.10.10.10  TCP 892 10.9.9.9,10.10.10.10  3868 → 33422 [PSH, ACK] Seq=7001 Ack=1 Win=32586 Len=824 TSval=665039809 TSecr=2437547668 [TCP segment of a reassembled PDU]
    4   0.000028 3868     10.9.9.9 33422 10.10.10.10  TCP 1468 10.9.9.9,10.10.10.10  [TCP Retransmission] 3868 → 33422 [ACK] Seq=2801 Ack=1 Win=32586 Len=1400 TSval=665039809 TSecr=2437547668

Downloads$ tshark -v | head -1
TShark (Wireshark) 4.0.1 (v4.0.1-0-ge9f3970b1527).

Chuckc
answered 2022-11-16 14:11:20 +0000, updated 2022-11-16 14:11:56 +0000
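As an added illustration (not part of the answer above and not Wireshark's own code): a simplified Python model of why the four segments in that output only yield a Diameter PDU once TCP sequence analysis is off. It constructs a Diameter answer carrying the header values shown in frame 4 (cmd 306, application 16777217, h2h/e2e read as hex), splits it into the answer's (relative seq, length) pairs in capture order, and reassembles under two policies; the assumption that the four payloads form exactly one 7824-byte message, and the "below next expected seq means retransmission" rule, belong to this model rather than to Wireshark's exact logic.

```python
import struct

# Constructed to mirror the answer's tshark output: (relative seq, payload length) per frame,
# in capture order. Frame 4 (seq 2801) arrives last and fills the hole left after frame 1.
SEGMENTS = [(1, 2800), (4201, 2800), (7001, 824), (2801, 1400)]
TOTAL_LEN = sum(ln for _, ln in SEGMENTS)  # 7824; assumed to be exactly one Diameter message

def build_diameter_message(length, cmd_code, app_id, h2h, e2e):
    """Constructed Diameter answer (RFC 6733 header, P flag set) padded to `length` bytes."""
    header = struct.pack(">I", (1 << 24) | length)        # version 1, 24-bit message length
    header += struct.pack(">I", (0x40 << 24) | cmd_code)  # flags=-P--, 24-bit command code
    header += struct.pack(">III", app_id, h2h, e2e)       # application id, hop-by-hop, end-to-end
    return header + b"\x00" * (length - len(header))      # AVPs elided: zero padding only

def parse_diameter_header(buf):
    """Decode the 20-byte Diameter header; None if the buffer is too short."""
    if len(buf) < 20:
        return None
    ver_len, flags_cmd, app_id, h2h, e2e = struct.unpack(">IIIII", buf[:20])
    return {"version": ver_len >> 24, "length": ver_len & 0xFFFFFF,
            "flags": flags_cmd >> 24, "cmd": flags_cmd & 0xFFFFFF,
            "app": app_id, "h2h": h2h, "e2e": e2e}

def reassemble(segments, stream, sequence_analysis):
    """Simplified model of TCP reassembly. With sequence_analysis=True a segment whose seq is
    below the highest next-expected seq is treated as a retransmission and not reassembled."""
    held, next_expected = {}, 1
    for seq, ln in segments:
        if sequence_analysis and seq < next_expected:
            continue  # what the default profile labelled "[TCP Retransmission]" on frame 4
        held[seq] = stream[seq - 1:seq - 1 + ln]
        next_expected = max(next_expected, seq + ln)
    out, pos = b"", 1
    for seq in sorted(held):
        if seq != pos:  # a hole remains, so the PDU can never be completed
            return None
        out += held[seq]
        pos += len(held[seq])
    return out

def decode_capture(sequence_analysis):
    """Reassemble the constructed capture and return the Diameter header, or None."""
    stream = build_diameter_message(TOTAL_LEN, 306, 16777217, 0x13B8FF6, 0x3831EF6)
    pdu = reassemble(SEGMENTS, stream, sequence_analysis)
    return parse_diameter_header(pdu) if pdu else None

if __name__ == "__main__":
    print("analysis on :", decode_capture(True))
    print("analysis off:", decode_capture(False))
```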

Comments

Thanks !!!!! Specifying the profile fixed the problem :-)

Alessandro (2022-11-16 14:15:56 +0000)
