
how to use tshark to divide a packet into several records?

I have encountered a problem where I used tshark to extract a packet like this:

Internet Protocol Version 4, Src: 192.168.0.33, Dst: 192.168.0.15
Transmission Control Protocol, Src Port: 179, Dst Port: 2124, Seq: 49, Ack: 265
Border Gateway Protocol - UPDATE Message
    ...
    Path attributes
        ...
        Path Attribute - AS_PATH: 1 2
        ...
Border Gateway Protocol - UPDATE Message
    ...
    Path attributes
        ...
        Path Attribute - AS_PATH: 1 3
        ...
Border Gateway Protocol - UPDATE Message
    ...
    Path attributes
        ...
        Path Attribute - AS_PATH: 2 4
        ...

When I use a command like tshark -r a.cap -e bgp.update.path_attribute.as_path_segment.as4 ..., I get a result like "1 2 1 3 2 4", which is not what I want. I am confused about how to use tshark so that I get results like "1 2", "1 3", "2 4" as three records.

godbless2you, asked 2019-02-13 12:59:08 +0000, updated 2019-02-15 00:25:07 +0000

Comments

I assume you use -T as well? Have you looked into -E, the field print options?

Jaap (2019-02-13 13:47:24 +0000)

Thanks a lot for your reply. I use the parameter -T and don't use the parameter "-E", but according to the user guide it will use "-E aggregator=," by default, which means the output looks like "1,2,1,3,2,4". In this case I can't distinguish which items belong to the same message: it may be divided into three parts like "1,2","1","3,2,4", or otherwise. Therefore I think this parameter can't solve my problem. Looking forward to your reply again.

godbless2you (2019-02-14 02:13:08 +0000)

Have you tried working with -E quote=... as well? Otherwise I would have to look into how the output of the values you referenced is being produced (if I can find a BGP capture like this) and see what the code does.

Jaap (2019-02-14 07:16:48 +0000)

The parameter "-E quote" is used to define the character that surrounds fields, which means that when you use a command like "-E quote=s" you get a result like:

'time' '1' '1,2' ...

It doesn't work inside fields, so I don't think it can solve my problem. I tried to upload a sample, but unfortunately I don't have enough points to do that. Here is another sample called BGP_AS_set.cap. After you download it, you can try using tshark to extract the AS_PATH and see if you get the right result, namely that "30" belongs to the AS_SEQUENCE and "{10,20}" belongs to the AS_SET. Please show me your command if you succeed.

Here is my simplified code (some -e fields are ignored):

tshark -r a.cap -Y "bgp.type==2" -T fields -E quote=d -e ip.src -e ip.dst -e ...

godbless2you (2019-02-14 07:44:29 +0000)

1 Answer


You assume that the ASes in a path segment are being processed as a set. But what you ask for is the 'as4', or in your later example 'as2', field (bgp.update.path_attribute.as_path_segment.as2). When you look at the packet in detail you'll see that each AS4, and AS2, field is added individually to the tree; each is handled individually and therefore shown as such. At that field level there is no notion of groups or sets.

One level up though is where the grouping comes into view. The AS Path Segment item in the tree nicely shows the collection of ASes in that path segment. So it would be nice if we could use bgp.update.path_attribute.as_path_segment. Unfortunately this item is of type FT_NONE, thus has no value. It is merely a hook to append text to. If you use that as a field to output you'll only be informed of the presence of the item, by means of a 1 in the output.

What seems to be lacking here is assigning some value (a string, from the looks of it) to this tree item, so that it can be used as such, producing usable output when used as a field in the output. So in short, no, this is currently not possible. I'm not even sure that it is possible at all. It would be an enhancement of the BGP dissector to be looked into.

Jaap, answered 2019-02-14 20:56:52 +0000, updated 2019-02-14 20:58:01 +0000

Comments

A quick hack shows that it may be possible after all. Needs more work though to definitively say so.

Jaap (2019-02-14 22:54:01 +0000)

Much thanks for your quick reply.

I read the Wireshark developer's guide v2.9.1 and found that it does work the way you mentioned.

Maybe what I will do is modify and write my own code based on the Wireshark source code.

Thanks again for your help!

godbless2you (2019-02-15 00:20:11 +0000)
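Jaap's answer explains why -T fields cannot give the grouping: the as4/as2 items are emitted individually and the as_path_segment item above them is FT_NONE with no value. What -T fields flattens, the protocol tree still holds, and tshark's PDML output (-T pdml) serialises that tree with its nesting intact (UPDATE message -> path attribute -> AS path segment -> AS numbers). The script below walks that nesting to rebuild one record per UPDATE message and one group per segment, without any change to the BGP dissector. It is an added example, not code from the thread or from the Wireshark project. The field names bgp.type, bgp.update.path_attribute.as_path_segment and its .as4/.as2 children are taken from the thread; the surrounding element names (pdml, packet, proto, field with name/show attributes) follow the PDML format as I know it, and the sample input is constructed, not a real capture. The field carrying the segment type (AS_SET versus AS_SEQUENCE) is not named on the page, so the output keeps segments separate but does not label them.

```python
"""Recover per-message AS_PATH groups from tshark PDML output.

-T fields flattens every bgp.update.path_attribute.as_path_segment.as4
occurrence in a packet into one list, so the boundaries between the UPDATE
messages in that packet are lost. -T pdml keeps the protocol-tree nesting
(message -> path attribute -> AS path segment -> AS numbers), so walking it
gives the grouping back. Assumed invocation (file name from the thread):

    tshark -r a.cap -Y "bgp.type==2" -T pdml > a.pdml
    python3 bgp_as_paths.py a.pdml
"""
import sys
import xml.etree.ElementTree as ET

SEGMENT_FIELD = "bgp.update.path_attribute.as_path_segment"
AS_FIELDS = (SEGMENT_FIELD + ".as4", SEGMENT_FIELD + ".as2")  # 4- and 2-byte AS numbers


def as_paths_by_message(pdml_text):
    """Return one entry per UPDATE message: a list of segments, each a list of
    AS numbers as strings, e.g. [[["1", "2"]], [["1", "3"]], [["2", "4"]]].

    -Y "bgp.type==2" keeps a whole packet if any message in it is an UPDATE,
    so other message types riding in the same TCP segment are skipped here.
    An UPDATE without an AS_PATH (withdrawal-only) yields an empty segment list.
    """
    messages = []
    for proto in ET.fromstring(pdml_text).iter("proto"):
        if proto.get("name") != "bgp":
            continue
        msg_types = [f.get("show") for f in proto.iter("field") if f.get("name") == "bgp.type"]
        if msg_types != ["2"]:
            continue
        segments = []
        for seg in proto.iter("field"):
            if seg.get("name") == SEGMENT_FIELD:
                # Only the AS-number children of this segment item, in tree order.
                segments.append([f.get("show") for f in seg.iter("field") if f.get("name") in AS_FIELDS])
        messages.append(segments)
    return messages


def records(pdml_text):
    """One double-quoted record per message (the -E quote=d look asked for in
    the question), AS numbers space-separated, segments separated by ' | ' so
    an AS_SEQUENCE stays distinct from a following AS_SET."""
    return ['"%s"' % " | ".join(" ".join(seg) for seg in msg) for msg in as_paths_by_message(pdml_text)]


# ---- constructed sample input (illustrative, not from a real capture) ------

def _update(*segments):
    """Build a PDML UPDATE element with the nesting described in the thread
    (path attribute -> segment -> as4 items); showname strings are omitted,
    only the field names matter for the parser above."""
    body = ""
    for seg in segments:
        ases = "".join('<field name="%s.as4" show="%s"/>' % (SEGMENT_FIELD, a) for a in seg)
        body += '<field name="%s" show="">%s</field>' % (SEGMENT_FIELD, ases)
    return ('<proto name="bgp" showname="Border Gateway Protocol - UPDATE Message">'
            '<field name="bgp.type" show="2"/>'
            '<field name="bgp.update.path_attributes"><field name="bgp.update.path_attribute">'
            '%s</field></field></proto>' % body)


# The three UPDATEs from the question, a KEEPALIVE in the same packet, a
# withdrawal-only UPDATE, and AS_SEQUENCE 30 followed by AS_SET {10,20}.
SAMPLE_PDML = (
    '<pdml version="0"><packet>'
    '<proto name="ip"><field name="ip.src" show="192.168.0.33"/><field name="ip.dst" show="192.168.0.15"/></proto>'
    + _update(["1", "2"]) + _update(["1", "3"]) + _update(["2", "4"])
    + '<proto name="bgp" showname="Border Gateway Protocol - KEEPALIVE Message"><field name="bgp.type" show="4"/></proto>'
    + _update()
    + _update(["30"], ["10", "20"])
    + "</packet></pdml>"
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PDML
    for rec in records(text):
        print(rec)
```

Run without arguments it parses the constructed sample and prints "1 2", "1 3", "2 4", "" and "30 | 10 20", one record per UPDATE message; with a file argument it reads the PDML produced by the tshark command in the docstring. Two points a practitioner should keep in mind: the -Y display filter selects packets, not messages, so the per-message bgp.type check is what actually drops the KEEPALIVE that shares a packet with an UPDATE; and the grouping comes entirely from element nesting, so the -E aggregator and quote options discussed in the comments never enter into it.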
