-1

How to convert .pcap to text format for twamp without using tshark

If there is a way to display it as key-value pairs, that's better. Tshark commands are of no use for the twamp protocol. Tshark needs information about the way to decode the twamp protocol.

1
meena
asked 2018-08-13 12:10:52 +0000
23.8k
grahamb
updated 2018-08-14 09:34:59 +0000

Comments

Are you asking for a dissector for twamp protocol, or are there issues with twamp dissection?

Assuming twamp refers to Two-Way Active Measurement Protocol, then a dissector has been built in to Wireshark since version 2.6, so make sure you're using that version, or newer.

If your issue is with dissection of twamp can you share a capture file that illustrates the issue?

grahamb (2018-08-13 12:34:21 +0000)

Yes, twamp is exactly that. In the capture file, I need to verify the dscp value (that's why I want a key-value pair display). The text format that I got using tshark doesn't parse such information.

meena (2018-08-13 17:09:26 +0000)

So can you share a capture file so that we can help you get the tshark output you want, probably using -T fields -e xxx?

dscp doesn't seem to be a twamp field, so are you referring to the IP DSCP field?

grahamb (2018-08-13 17:36:32 +0000)

Text from capture:

Frame 7: 
    Source Port: 62862
    Destination Port: 862
    [Stream index: 0]
     ...
TwoWay Active Measurement Control Protocol
    Control Command: Request-TW-Session (5)
    IP Version: 4
    .....
    Timeout: -2085978496.000000000 seconds
    Type-P Descriptor: 0x2e000000 (DSCP: 771751936)

This is the captured file. I have to verify Type-P Descriptor: 0x2e000000. So is there a command to display this .pcap file as key-value pairs on the CLI?

meena (2018-08-13 18:04:04 +0000)

2 Answers

0

Try using:

tshark -r your.pcap -T fields -e frame.number -e twamp.control.type-p
23.8k
grahamb
answered 2018-08-14 09:33:09 +0000
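An added example, not part of the original answer or of Wireshark: RFC 4656 section 3.5 defines the 32-bit Type-P Descriptor so that, when its first two bits are 00, the next six bits are the DSCP, and when they are 01, the next 16 bits are a PHB ID. The "DSCP: 771751936" in the capture text above is the whole value 0x2e000000 in decimal, so this Python code decodes the descriptor into key-value pairs; the function names and the tab-separated sample lines are constructed assumptions.

```python
"""Decode a TWAMP/OWAMP Type-P Descriptor (RFC 4656 section 3.5) into key-value pairs."""

# Named DSCP codepoints: class selectors CSn = 8n, AFxy = 8x + 2y, EF = 46.
DSCP_NAMES = {8 * n: f"CS{n}" for n in range(8)}
DSCP_NAMES.update({8 * x + 2 * y: f"AF{x}{y}" for x in range(1, 5) for y in range(1, 4)})
DSCP_NAMES[46] = "EF"


def decode_type_p(value):
    """Return a dict for a 32-bit Type-P Descriptor given as an int or a hex/decimal string."""
    if isinstance(value, str):
        value = int(value, 0)              # accepts "0x2e000000" and "771751936"
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Type-P Descriptor must fit in 32 bits")
    out = {"type_p": f"0x{value:08x}"}
    selector = value >> 30                 # the first two bits
    if selector == 0b00:
        dscp = (value >> 24) & 0x3F        # the subsequent six bits
        out.update(kind="dscp", dscp=dscp, dscp_name=DSCP_NAMES.get(dscp, "unnamed"))
    elif selector == 0b01:
        out.update(kind="phb_id", phb_id=(value >> 14) & 0xFFFF)  # the subsequent 16 bits
    else:
        out.update(kind="undefined")       # RFC 4656 defines only 00 and 01
    return out


def fields_to_kv(lines):
    """Turn 'frame<TAB>type-p' lines into 'key=value' strings; frames without the field are skipped."""
    rows = []
    for line in lines:
        frame, _, raw = line.rstrip("\n").partition("\t")
        if not raw.strip():                # this frame has no Type-P Descriptor
            continue
        info = {"frame": frame, **decode_type_p(raw.strip())}
        rows.append(" ".join(f"{k}={v}" for k, v in info.items()))
    return rows


# Constructed sample input; frame 7 carries the value shown in the question.
SAMPLE = ["6\t\n", "7\t0x2e000000\n", "9\t0x40028000\n"]

if __name__ == "__main__":
    print("\n".join(fields_to_kv(SAMPLE)))
```

For the value in the question this yields DSCP 46 (EF), which is the number to compare against the IP header's DSCP field.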

0

Found the following way to decode it in Wireshark itself without the need for the command line:

  1. Load the pcap file in Wireshark GUI
  2. Select the "Data Bytes" post "UDP Payload" of any TWAMP Test Frame
  3. Right Click and select "Decode As".
  4. Then add row(s) mapping the UDP Source and/or Destination port used in the Test Frame to "TWAMP.Test"

Using this method it started decoding the TWAMP Frames.

Wireshark version in use is 3.0.7.

PS: Do also ensure that you have enabled the TWAMP-Test and TWAMP-Control protocol options from Menu -> "Analyze -> Enabled Protocols"

Thanks and Regards Sajax

1
sajax
answered 2020-05-11 13:20:14 +0000