
Diameter 'Answer In'/'Request In' fields not available with tshark/pyshark

Hi All,

I am using pyshark (a Python wrapper for tshark) to analyse traffic capture files, and I ran into a problem around finding Diameter Common Messages request/answer pairs.

The Wireshark GUI helps identify the answer to a specific Diameter request packet with the field called Answer In. The Request In field helps the other way around. See the Wireshark Diameter Protocol Display Filter Reference, diameter.answer_in and diameter.answer_to field names.

Using the above information makes it easy to construct display filters in the Wireshark GUI for selecting specific request/answer pairs. Unfortunately, when using the tshark CLI on the same capture file, this field seems to be missing.

tshark -r d:/test.pcapng -Y diameter.answer_in  # Works in Wireshark GUI, not in tshark

What do I need to use these field names for filtering capture files with tshark?

My tshark version is: TShark (Wireshark) 2.9.0 (v2.9.0-0-gf4238cd2)

Many thanks, Bence

Bence, asked 2019-05-16 15:28:37 +0000

Comments

2.9 is a development version, you should upgrade to the stable release 3.0 if you can.

grahamb (2019-05-16 16:01:24 +0000)

I did have the 3.0 version, but had to downgrade because it broke something with pyshark. Can't recall what it was exactly, maybe it is fixed now in pyshark, will give it another try later. Thanks

Bence (2019-05-16 22:18:51 +0000)

1 Answer


Some fields, and particularly the answer_in field here, require a second pass over the capture, as the "answer" packet hasn't been dissected yet when the request is being dissected.

Try adding the -2 flag to tshark.

grahamb, answered 2019-05-16 16:00:35 +0000

Comments

That did it, appreciate the help. Cheers

Bence (2019-05-16 22:17:19 +0000)
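To show what the second pass actually changes, here is an added example (my own code, not from this thread or from the Wireshark or pyshark projects). It builds the tshark command line with `-2`, parses `-T fields` output into request/answer records, pairs requests with answers via the dissector's `diameter.answer_in` link, cross-checks that pairing against the Hop-by-Hop Identifier (which is what the dissector keys on when it links the two packets), and flags the tell-tale symptom of a single-pass run: no request has `answer_in` set even though answers are present. The sample output lines are constructed by hand so the logic runs without a capture; the pyshark call assumes your pyshark version accepts `custom_parameters` as a list of extra tshark arguments and that the Diameter layer exposes `answer_in` as a field attribute.

```python
"""Pair Diameter requests with answers from tshark's two-pass output.

Added example, not code from the original thread. Assumptions: tshark is on
PATH when you run it for real; pyshark's FileCapture takes custom_parameters
as a list of extra tshark arguments; the SAMPLE_* strings below are hand-
constructed to look like `-T fields` output so everything runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Column order passed with -e; parse_fields relies on it.
FIELDS = ["frame.number", "diameter.flags.request", "diameter.hopbyhopid",
          "diameter.cmd.code", "diameter.answer_in", "diameter.answer_to"]


def tshark_argv(pcap: str, display_filter: str = "diameter",
                two_pass: bool = True) -> List[str]:
    """Without -2 a request is dissected before its answer has been seen, so
    answer_in/answer_to stay empty and `-Y diameter.answer_in` matches nothing."""
    argv = ["tshark", "-r", pcap]
    if two_pass:
        argv.append("-2")
    argv += ["-Y", display_filter, "-T", "fields"]
    for field in FIELDS:
        argv += ["-e", field]
    return argv


@dataclass
class DiameterMsg:
    frame: int
    is_request: bool
    hop_by_hop: int
    cmd_code: int
    answer_in: Optional[int]   # on requests, filled only by the second pass
    answer_to: Optional[int]   # on answers, filled only by the second pass


def _opt_int(text: str) -> Optional[int]:
    text = text.strip()
    return int(text, 0) if text else None   # base 0 accepts "0x..." or decimal


def parse_fields(output: str) -> List[DiameterMsg]:
    """Parse tab-separated `-T fields` lines in FIELDS order."""
    msgs = []
    for line in output.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns: {line!r}")
        frame, req, h2h, code, ans_in, ans_to = cols
        msgs.append(DiameterMsg(
            frame=int(frame),
            # tshark prints booleans as 1/0 or True/False depending on version
            is_request=req.strip().lower() in ("1", "true"),
            hop_by_hop=int(h2h, 0), cmd_code=int(code),
            answer_in=_opt_int(ans_in), answer_to=_opt_int(ans_to)))
    return msgs


def pair_messages(msgs: List[DiameterMsg]) -> Tuple[Dict[int, int], List[int]]:
    """Use the dissector's answer_in link: {request_frame: answer_frame}
    plus the frames of requests that never received an answer."""
    answered, unanswered = {}, []
    for m in msgs:
        if not m.is_request:
            continue
        if m.answer_in is None:
            unanswered.append(m.frame)
        else:
            answered[m.frame] = m.answer_in
    return answered, unanswered


def pair_by_hop_by_hop(msgs: List[DiameterMsg]) -> Dict[int, int]:
    """Independent cross-check on the Hop-by-Hop Identifier. It ignores which
    peer the id came from, so it can mis-pair if two connections reuse one."""
    pending, pairs = {}, {}
    for m in msgs:
        if m.is_request:
            pending[m.hop_by_hop] = m.frame
        else:
            req = pending.pop(m.hop_by_hop, None)
            if req is not None:
                pairs[req] = m.frame
    return pairs


def looks_single_pass(msgs: List[DiameterMsg]) -> bool:
    """Symptom of running without -2: no request carries answer_in although
    answers are clearly there when matched by Hop-by-Hop Identifier."""
    linked = any(m.is_request and m.answer_in is not None for m in msgs)
    return not linked and bool(pair_by_hop_by_hop(msgs))


def pyshark_answered_requests(pcap: str) -> List[Tuple[int, int]]:
    """Same filter via pyshark; -2 is passed through custom_parameters."""
    import pyshark  # imported lazily so the parsing above runs without it
    cap = pyshark.FileCapture(pcap, display_filter="diameter.answer_in",
                              custom_parameters=["-2"])
    try:
        return [(int(p.frame_info.number), int(p.diameter.answer_in)) for p in cap]
    finally:
        cap.close()


# Constructed sample: two answered requests (command code 257, CER/CEA) and
# one request without an answer, as printed after a second pass ...
SAMPLE_TWO_PASS = "\n".join([
    "1\t1\t0x000004d2\t257\t2\t",
    "2\t0\t0x000004d2\t257\t\t1",
    "3\t1\t0x000004d3\t257\t5\t",
    "4\t1\t0x000004d4\t257\t\t",
    "5\t0\t0x000004d3\t257\t\t3",
])
# ... and the same packets read in a single pass: the link columns are empty.
SAMPLE_ONE_PASS = "\n".join(line.rsplit("\t", 2)[0] + "\t\t"
                            for line in SAMPLE_TWO_PASS.splitlines())
```

On a real capture, feed `subprocess.run(tshark_argv("test.pcapng"), capture_output=True, text=True).stdout` to `parse_fields`; if `looks_single_pass` comes back True on output you thought was two-pass, check that `-2` really reached tshark (pyshark builds its own command line, which is why it has to go through `custom_parameters` rather than the display filter string).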
