Revision history  [back]

Hey guys! I'm using tshark as part of a batch process to examine hundreds of .pcap files.

Let me show you some examples of what I'm trying to do:

Hey guys! I'm using tshark as part of a batch process to examine hundreds of .pcap files.

Let me show you some examples of what I'm trying to do:

• Goal: Show all packets related with the 444 event

"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Pcap\20200301_00_00-DCCS-ONE.pcap" -Y "diameter.avp.code == 444" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi>"C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Csv\20200301_00_00-DCCS-ONE.pcap.csv"

Result: Works ok!

• Goal: Show me all packets if smpp.command_id == 0x00000004 and smpp.command_id==0x00000004 or smpp.command_id==0x80000004

"-Y \"(smpp.command_id==0x00000004)||(smpp.command_id==0x80000004)||(smpp.command_id==0x00000005)||(smpp.command_id==0x80000005)\" -T fields -E header=y -E \"separator=|\", -e frame.number -e frame.time -e smpp.sequence_number -e smpp.message_id -e _ws.col.Info -e smpp.source_addr_ton -e smpp.source_addr -e tcp.srcport -e ip.src -e smpp.dest_addr_ton -e smpp.destination_addr -esmpp.sm_length -e smpp.command_status -e tcp.dstport -e ip.dst >\""

Result: Works ok!

• Goal: show me all packets that have diameter.avp.code == 444 AND ALSO e212.imsi == "334110120002361"

-Y "(diameter.avp.code == 444)" -Y "(e212.imsi == "334110120002361")" - T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi

Result: FAIL it will return all packets that satisfy either one of the conditions, like an "OR" switch

• Let's try with this

-Y "(diameter.avp.code == 444 && e212.imsi == "334110120002361")"

Result: FAIL Unknown command. The problem's located There's a problem between the keyboard and the chair. Get out!chair

How can a build an AND connector for the tshark command line?

Thank you very much guys!

Hey guys! I'm using tshark as part of a batch process to examine hundreds of .pcap files.

Let me show you some examples of what I'm trying to do:

"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Pcap\20200301_00_00-DCCS-ONE.pcap" -Y "diameter.avp.code == 444" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi>"C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Csv\20200301_00_00-DCCS-ONE.pcap.csv"

Result: Works ok!

"-Y \"(smpp.command_id==0x00000004)||(smpp.command_id==0x80000004)||(smpp.command_id==0x00000005)||(smpp.command_id==0x80000005)\" -T fields -E header=y -E \"separator=|\", -e frame.number -e frame.time -e smpp.sequence_number -e smpp.message_id -e _ws.col.Info -e smpp.source_addr_ton -e smpp.source_addr -e tcp.srcport -e ip.src -e smpp.dest_addr_ton -e smpp.destination_addr -esmpp.sm_length -e smpp.command_status -e tcp.dstport -e ip.dst >\""

Result: Works ok!

Hey guys! I'm using tshark as part of a batch process to examine hundreds of .pcap files.

Let me show you some examples of what I'm trying to do:

Show me all packets related with the 444 event-------------------------------------------------------------------event

"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Pcap\20200301_00_00-DCCS-ONE.pcap" -Y "diameter.avp.code == 444" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi>"C:\Temp\172.27.241.107\loggers\TRACES\DCCS\Csv\20200301_00_00-DCCS-ONE.pcap.csv"

Result: Works ok!

Now, show Show me all packets if smpp.command_id == 0x00000004 and smpp.command_id==0x00000004 or smpp.command_id==0x80000004-------------------------------------------------------------------smpp.command_id==0x80000004

Translated as:

"-Y \"(smpp.command_id==0x00000004)||(smpp.command_id==0x80000004)||(smpp.command_id==0x00000005)||(smpp.command_id==0x80000005)\" -T fields -E header=y -E \"separator=|\", -e frame.number -e frame.time -e smpp.sequence_number -e smpp.message_id -e _ws.col.Info -e smpp.source_addr_ton -e smpp.source_addr -e tcp.srcport -e ip.src -e smpp.dest_addr_ton -e smpp.destination_addr -esmpp.sm_length -e smpp.command_status -e tcp.dstport -e ip.dst >\""

Result: Works ok!

Good, now show Show me all packets that have diameter.avp.code == 444 AND ALSO e212.imsi == "334110120002361" -------------------------------------------------------------------

-Y "(diameter.avp.code == 444 && e212.imsi == "334110120002361")"

Result: FAIL There's a problem between the keyboard and the chair

-Y "(diameter.avp.code == 444)" -Y "(e212.imsi == "334110120002361")" - T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e diameter.Session-Id -e diameter.Called-Station-Id -e e212.imsi

Result: FAIL it will return all packets that satisfy either one of the conditions

How can a build an AND connector for the tshark command line?

Thank you very much guys!