
tshark not showing diameter data

When I use the Wireshark program I can see all data related to diameter (AVP: Multiple-Services-Credit-Control, AVP: Service-Information, ...), but when using the tshark command I get only (Data (708 Bytes) and some HEX values).

Command I use when capturing:

sudo tcpdump -i eno1 host x.x.x.x -s0 -w test.pcap

Command I use when displaying the file (test.pcap):

tshark -r test.pcap -q -V

Please send me the right configuration to get all diameter data readable, not in HEX.

Ahmad12345 asked 2018-07-19 09:18:35 +0000
cmaynard updated 2018-10-26 17:49:22 +0000

Comments

You say the display in Wireshark is different, are you viewing the same capture file on the same machine as when using tshark?

grahamb (2018-07-19 09:21:14 +0000)

I used the Wireshark program on Windows to open the (test.pcap) file and all fields for diameter are shown, but when I use the tshark command for the same file (test.pcap) on an Ubuntu server I get the same results except for the diameter fields, where I get (data size and Hex values for data).

Ahmad12345 (2018-07-19 09:42:33 +0000)

As you're running on different OS's you'll be using different profiles and probably different versions.

What's the Windows Wireshark version and Ubuntu tshark version?

What happens if you use tshark from a command prompt on Windows?

grahamb (2018-07-19 10:01:04 +0000)

My wireshark version on windows (Version 2.2.5 (v2.2.5-0-g440fd4d)). On Ubuntu tshark (Wireshark) (Git v2.4.5 package as 2.4.5-1).

Thanks

Ahmad12345 (2018-07-19 10:25:55 +0000)

You could try installing 2.4.5 on Windows so we're at least comparing apples with apples. Note that that isn't the current stable version, that is 2.6.2 which was just released yesterday.

grahamb (2018-07-19 10:37:14 +0000)

1 Answer


Your last comment has given the game away. You'll need to supply "Decode As" info to tshark, try something like:

tshark -r test.pcap -d tcp.port==40201,diameter.3gpp -q -V

Adjusting as required for your diameter type (use tshark -d . to see what's supported in your version) and protocol it's running over (might be SCTP). This is presuming that tshark 2.4.5 has the -d parameter.

grahamb answered 2018-07-19 10:59:59 +0000

Comments

It worked, thanks very much. But I have to use -d tcp.port==40201,diameter without (.3gpp).

Ahmad12345 (2018-07-19 11:09:04 +0000)

If an answer has solved your issue please accept it, for the benefit of others who might have the same issue, by clicking the "checkmark" icon next to the answer.

grahamb (2018-07-19 11:46:19 +0000)
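
The "Decode As" fix from the answer above, wrapped as an added shell example (not part of the original thread): it validates the selector and prints one line per Diameter message instead of the full -V dump. The function names and the choice of output fields are assumptions; port 40201 and test.pcap are the values used in the thread.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Print a tshark "Decode As" selector such as tcp.port==40201,diameter.
# Rejects an unknown transport or an invalid port, so a typo fails here
# instead of tshark quietly falling back to undissected "Data".
decode_as_selector() {
    transport=$1
    port=$2
    dissector=${3:-diameter}   # the thread needed "diameter", not "diameter.3gpp"
    case $transport in
        tcp|sctp) ;;           # the answer notes Diameter may run over SCTP
        *) echo "unsupported transport: $transport" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    printf '%s.port==%s,%s\n' "$transport" "$port" "$dissector"
}

# Print frame number, command code, request flag and Session-Id for every
# Diameter message in a capture, forcing the dissector on the given port.
diameter_summary() {
    pcap=$1
    selector=$(decode_as_selector "$2" "$3") || return 1
    tshark -r "$pcap" -d "$selector" -Y diameter \
        -T fields -E separator=, \
        -e frame.number -e diameter.cmd.code \
        -e diameter.flags.request -e diameter.Session-Id
}

# Usage with the thread's values:
#   diameter_summary test.pcap tcp 40201
```

If the summary comes back empty, the port or transport in the selector does not match the capture and tshark is still treating the payload as Data.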