Revision history
Tshark: Get multiple occurrences with same field value
Hi guys!
Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.
Let's say I have 330 packets inside a .pcap file, of which I'm showing you the first three.
No. | Time | Source | Destination | Protocol | Length | Info
1 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
2 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
3 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
Now let's expand packet number one.
Diameter Protocol
Version: 0x01
... (tens of lines deleted to save post space) ...
AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
... (tens of lines deleted to save post space) ...
AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
OK! The Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside it:
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP Code: 456 Multiple-Services-Credit-Control
AVP Flags: 0x40, Mandatory: Set
AVP Length: 104
Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…
Now let's click the 000001be400000440000 node:
AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)
And then click the last node... OK, this is getting really tedious. You get the idea: you need to go five levels down to reach the treasure. Here it is:
AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25
At this point it seems very easy! Just make a .bat script with the following content, and I would get all values for all packets inside my multiple .pcap files:
"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" ^
  -Y "(diameter.3GPP-Reporting-Reason == 2 && diameter.avp.code == 421 && diameter.avp.code == 432 && e212.imsi == 334110010009868 || e212.imsi == 334110010009869)" ^
  -T fields -E header=y -E separator=~ ^
  -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e tcap.tid -e gtpv2.seq ^
  -e diameter.CC-Time -e diameter.avp.len -e diameter.CC-Total-Octets -e diameter.CC-Input-Octets -e diameter.CC-Output-Octets ^
  -e diameter.3GPP-Reporting-Reason -e diameter.Rating-Group > outputfile.csv
Perhaps not. Tshark works, but it throws out the results in a terrible manner:
Request
frame.number~
frame.time~
_ws.col.Info~
e164.msisdn~
e212.imsi~
diameter.Session-Id~
diameter.CC-Time~
diameter.avp.len~
diameter.CC-Total-Octets~
diameter.CC-Input-Octets~
diameter.CC-Output-Octets~
diameter.3GPP-Reporting-Reason~
diameter.Rating-Group
Response
1~
Apr 3, 2020 19:15:07.755864000 Hora estándar central (México)~
cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 | ~
525588420383~
334110010009868~
herpgw01.epc.mnc110.mcc334.3gppnetwork.org;124f8b02;5e87df05;334110010009868-08790c45~
120,120,120,120~93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23,84,12,61,12,12,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,29,44,12,24,460,420,16,16,20,16,18,16,18,18,16,18,18,13,46,13,13,16,16,18,14,25,13,28,16~0,0,0,0~0,0,0,0~0,0,0,0~2,2,2,2~25,10,8,3
I'm not implying it's tshark's fault. Tshark is doing its job fine; I think it is just combining all occurrences of:
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
So, tshark just combined the results of all occurrences into a wonderful one-hundred-character-long line:
93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.
I tried to make a little Java program to split the line into human-readable parameters, but still.
Please, how could I get all the occurrences of my desired field values?
EDIT: Thank you Bubbasnmp and Guy Harris for your comments. I was not able to upload the .pcap file (60 points required), so I included an external link; I hope this doesn't violate the forum rules.
https://www.dropbox.com/s/hlykq2v409l0x0e/resultado_334110010009868.pcap?dl=0
As a shortcut to get to the desired field example, please use this filter:
diameter.Used-Service-Unit == 00:00:01:a4:40:00:00:0c:00:00:00:78:00:00:01:a5:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9c:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9e:40:00:00:10:00:00:00:00:00:00:00:00
In my example, the separated values I would like to get are:
diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=25
...instead of the current combined 120,120,120,120.
I hope this helps to better explain myself.
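The flattening happens because `tshark -T fields` prints every occurrence of a field in the packet as one comma-joined list, with no record of which Multiple-Services-Credit-Control(456) AVP each value came from. The example below is added here and is not code from the original post: it is a minimal Diameter AVP parser (the RFC 6733 AVP header: code, flags, 24-bit length, optional Vendor-Id, payload padded to 4 bytes) that recurses into grouped AVPs, so each MSCC occurrence yields its own record. The sample bytes are constructed in the script from the AVP codes, lengths and values the post shows (CC-Time=120, zeroed octet counters, Rating-Groups 25, 10, 8, 3, 3GPP-Reporting-Reason=FINAL (2)); the Vendor-Id 10415 is 3GPP's registered IANA number, and the constructed Used-Service-Unit payload equals, byte for byte, the filter value quoted in the EDIT above.

```python
"""Added example: parse grouped Diameter AVPs so that every
Multiple-Services-Credit-Control occurrence becomes its own record,
instead of the flattened "120,120,120,120" that tshark -T fields prints.
Sample bytes are constructed below from the values shown in the post."""
import struct

# AVP codes from the post (RFC 4006 / 3GPP TS 32.299); names follow Wireshark's.
AVP_NAMES = {
    412: "CC-Input-Octets", 414: "CC-Output-Octets", 420: "CC-Time",
    421: "CC-Total-Octets", 432: "Rating-Group", 446: "Used-Service-Unit",
    456: "Multiple-Services-Credit-Control", 872: "3GPP-Reporting-Reason",
}
GROUPED = {446, 456}                       # payload is itself a list of AVPs
UNSIGNED = {412, 414, 420, 421, 432, 872}  # Unsigned32 / Unsigned64 payloads
VENDOR_3GPP = 10415                        # IANA enterprise number of 3GPP
FLAG_V, FLAG_M = 0x80, 0x40                # Vendor-specific and Mandatory bits


def parse_avps(data):
    """Parse consecutive AVPs from `data`.

    Returns a list of (code, vendor_id_or_None, value); the value of a grouped
    AVP is the recursively parsed list of its child AVPs.  Lengths are checked
    against the buffer so a truncated or corrupt capture raises instead of
    reading past the end.
    """
    avps, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, flags_len = struct.unpack_from(">II", data, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & FLAG_V else 8      # V bit: 4-byte Vendor-Id follows
        if length < hdr or off + length > len(data):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        vendor = struct.unpack_from(">I", data, off + 8)[0] if flags & FLAG_V else None
        payload = data[off + hdr:off + length]
        if code in GROUPED:
            value = parse_avps(payload)
        elif code in UNSIGNED:
            value = int.from_bytes(payload, "big")
        else:
            value = payload                    # unknown type: keep raw bytes
        avps.append((code, vendor, value))
        off += (length + 3) & ~3               # AVPs are padded to 4-byte multiples
    return avps


def flatten(avps, out):
    """Collect the leaf values of one MSCC occurrence into `out`, keyed by AVP name."""
    for code, _vendor, value in avps:
        if isinstance(value, list):
            flatten(value, out)
        else:
            out[AVP_NAMES.get(code, "AVP-%d" % code)] = value
    return out


def mscc_records(data):
    """One dict per Multiple-Services-Credit-Control AVP found at the top level."""
    return [flatten(value, {}) for code, _v, value in parse_avps(data) if code == 456]


# --- constructed sample data (values taken from the post) --------------------

def avp(code, payload, vendor=None):
    """Encode one AVP with the M bit set (plus V bit and Vendor-Id if given)."""
    flags = FLAG_M | (FLAG_V if vendor is not None else 0)
    length = 8 + (4 if vendor is not None else 0) + len(payload)
    head = struct.pack(">II", code, (flags << 24) | length)
    if vendor is not None:
        head += struct.pack(">I", vendor)
    body = head + payload
    return body + b"\0" * (-len(body) % 4)


def used_service_unit_payload():
    """CC-Time=120 plus three zeroed Unsigned64 octet counters (USU l=68 with header)."""
    return (avp(420, struct.pack(">I", 120)) + avp(421, struct.pack(">Q", 0))
            + avp(412, struct.pack(">Q", 0)) + avp(414, struct.pack(">Q", 0)))


def mscc(rating_group):
    """One MSCC (l=104) as in the post: USU + Rating-Group + 3GPP-Reporting-Reason."""
    return avp(456, avp(446, used_service_unit_payload())
               + avp(432, struct.pack(">I", rating_group))
               + avp(872, struct.pack(">I", 2), vendor=VENDOR_3GPP))


# Four MSCC occurrences, one per Rating-Group listed in the post's tshark output.
SAMPLE = b"".join(mscc(rg) for rg in (25, 10, 8, 3))

if __name__ == "__main__":
    for n, rec in enumerate(mscc_records(SAMPLE), 1):
        print("MSCC #%d: %s" % (n, rec))
```

Running the script prints four records, each with its own CC-Time, octet counters, Rating-Group and 3GPP-Reporting-Reason, which is the per-occurrence view the post asks for. On real captures the same grouping is also available without a custom parser: `tshark -T json` and `-T pdml` keep the AVP tree nested, so each MSCC stays attached to its children; `-T fields` is the one output mode that discards that structure.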
Tshark: Get multiple ocurrences with same field value
Hi guys!
Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.
Let's say I have 330 packages inside a .pcap file, from which I'm showing you the first three.
No. | Time | Source | Destination | Protocol | Length | Info
1 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
2 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
3 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
Now let's expand packet number one.
Diameter Protocol
Version: 0x01
... (tens of lines deleted to save post space) ...
AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
... (tens of lines deleted to save post space) ...
AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
OK ! the Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside of it:
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP Code: 456 Multiple-Services-Credit-Control
AVP Flags: 0x40, Mandatory: Set
AVP Length: 104
Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…
Now let's click the 000001be400000440000 node:
AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)
And then click the last node... Ok, this is getting really tedious. You got the idea, you need to go five levels down to reach the treasure. Here it is:
AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25
At this point seems very easy! just make a .bat script with the following content, and I would get all values for all packages inside my multiple .pcap files
"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "(diameter.3GPP-Reporting-Reason == "2" && diameter.avp.code == "421" && diameter.avp.code == "432" && e212.imsi=="334110010009868" || e212.imsi=="334110010009869")" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e tcap.tid -e gtpv2.seq -e diameter.CC-Time -e diameter.avp.len -e diameter.CC-Total-Octets -e diameter.CC-Input-Octets -e diameter.CC-Output-Octets -e diameter.3GPP-Reporting-Reason -e diameter.Rating-Group >outputfile.csv
Perhaps not. Tshark will work but will throw the results in a terrible manner:
Request
frame.number~
frame.time~
_ws.col.Info~
e164.msisdn~
e212.imsi~
diameter.Session-Id~
diameter.CC-Time~
diameter.avp.len~
diameter.CC-Total-Octets~
diameter.CC-Input-Octets~
diameter.CC-Output-Octets~
diameter.3GPP-Reporting-Reason~
diameter.Rating-Group
Response
1~
Apr 3, 2020 19:15:07.755864000 Hora estándar central (México)~
cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 | ~
525588420383~
334110010009868~
herpgw01.epc.mnc110.mcc334.3gppnetwork.org;124f8b02;5e87df05;334110010009868-08790c45~
120,120,120,120~93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23,84,12,61,12,12,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,29,44,12,24,460,420,16,16,20,16,18,16,18,18,16,18,18,13,46,13,13,16,16,18,14,25,13,28,16~0,0,0,0~0,0,0,0~0,0,0,0~2,2,2,2~25,10,8,3
I'm not implying it's tshark's fault. Tshark is doing its job fine, I think is just combining all occurrences of:
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
So, tshark just combined the results of all occurrences into a wonderful one hundred character long line
93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.
I tried to make a little java program to split the line into human-readable parameter, but still
Please, how could I get all the occurrences of my desired field values?
Thank you and I'm sorry for the tedious post
EDIT: Thank you Bubbasnmp and Guy Harris for your comments. I was not able to upload the .pcap file (60 points required) so I included an external link, hope this doesn't violate the forum rules
https://www.dropbox.com/s/hlykq2v409l0x0e/resultado_334110010009868.pcap?dl=0
As a shortcut to get the desired field example please use this filter
diameter.Used-Service-Unit == 00:00:01:a4:40:00:00:0c:00:00:00:78:00:00:01:a5:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9c:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9e:40:00:00:10:00:00:00:00:00:00:00:00
On my example the separated values I would like to get are:
diameter.CC-Time=120 diameter.CC-Total-Octets=0 diameter.CC-Input-Octets=0 diameter.CC-Output-Octets=0 diameter.Rating-Group=25
...Instead of the current combined 120,120,120,120
I hope this helps to better explain myself
Tshark: Get multiple ocurrences with same field value
Hi guys!
Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.
Let's say I have 330 packages inside a .pcap file, from which I'm showing you the first three.
No. | Time | Source | Destination | Protocol | Length | Info
1 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
2 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
3 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
Now let's expand packet number one.
Diameter Protocol
Version: 0x01
... (tens of lines deleted to save post space) ...
AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
... (tens of lines deleted to save post space) ...
AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
OK ! the Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside of it:
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP Code: 456 Multiple-Services-Credit-Control
AVP Flags: 0x40, Mandatory: Set
AVP Length: 104
Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…
Now let's click the 000001be400000440000 node:
AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)
And then click the last node... Ok, this is getting really tedious. You got the idea, you need to go five levels down to reach the treasure. Here it is:
AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25
At this point seems very easy! just make a .bat script with the following content, and I would get all values for all packages inside my multiple .pcap files
"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "(diameter.3GPP-Reporting-Reason == "2" && diameter.avp.code == "421" && diameter.avp.code == "432" && e212.imsi=="334110010009868" || e212.imsi=="334110010009869")" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e tcap.tid -e gtpv2.seq -e diameter.CC-Time -e diameter.avp.len -e diameter.CC-Total-Octets -e diameter.CC-Input-Octets -e diameter.CC-Output-Octets -e diameter.3GPP-Reporting-Reason -e diameter.Rating-Group >outputfile.csv
Perhaps not. Tshark will work but will throw the results in a terrible manner:
Request
frame.number~
frame.time~
_ws.col.Info~
e164.msisdn~
e212.imsi~
diameter.Session-Id~
diameter.CC-Time~
diameter.avp.len~
diameter.CC-Total-Octets~
diameter.CC-Input-Octets~
diameter.CC-Output-Octets~
diameter.3GPP-Reporting-Reason~
diameter.Rating-Group
Response
1~
Apr 3, 2020 19:15:07.755864000 Hora estándar central (México)~
cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 | ~
525588420383~
334110010009868~
herpgw01.epc.mnc110.mcc334.3gppnetwork.org;124f8b02;5e87df05;334110010009868-08790c45~
120,120,120,120~93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23,84,12,61,12,12,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,29,44,12,24,460,420,16,16,20,16,18,16,18,18,16,18,18,13,46,13,13,16,16,18,14,25,13,28,16~0,0,0,0~0,0,0,0~0,0,0,0~2,2,2,2~25,10,8,3
I'm not implying it's tshark's fault. Tshark is doing its job fine, I think is just combining all occurrences of:
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
So, tshark just combined the results of all occurrences into a wonderful one hundred character long line
93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.
I tried to make a little java program to split the line into human-readable parameter, but still
Please, how could I get all the occurrences of my desired field values?
Thank you and I'm sorry for the tedious post
EDIT: Thank you Bubbasnmp and Guy Harris for your comments. I was not able to upload the .pcap file (60 points required) so I included an external link, hope this doesn't violate the forum rules
https://www.dropbox.com/s/hlykq2v409l0x0e/resultado_334110010009868.pcap?dl=0
As a shortcut to get the desired field example please use this filter
diameter.Used-Service-Unit == 00:00:01:a4:40:00:00:0c:00:00:00:78:00:00:01:a5:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9c:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9e:40:00:00:10:00:00:00:00:00:00:00:00
On my example the correct values I would like to get are:should be:
diameter.CC-Time=120
diameter.CC-Total-Octets=0
diameter.CC-Input-Octets=0
diameter.CC-Output-Octets=0
diameter.Rating-Group=25
...Instead of 120,120,120,120
I hope this helps to better explain myselfdiameter.CC-Total-Octets=0
Tshark: Get multiple ocurrences with same field value
Hi guys!
Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.
Let's say I have 330 packages inside a .pcap file, from which I'm showing you the first three.
No. | Time | Source | Destination | Protocol | Length | Info
1 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
2 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
3 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
Now let's expand packet number one.
Diameter Protocol
Version: 0x01
... (tens of lines deleted to save post space) ...
AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
... (tens of lines deleted to save post space) ...
AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
OK ! the Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside of it:
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP Code: 456 Multiple-Services-Credit-Control
AVP Flags: 0x40, Mandatory: Set
AVP Length: 104
Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…
Now let's click the 000001be400000440000 node:
AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)
And then click the last node... Ok, this is getting really tedious. You got the idea, you need to go five levels down to reach the treasure. Here it is:
AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25
At this point seems very easy! just make a .bat script with the following content, and I would get all values for all packages inside my multiple .pcap files
"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "(diameter.3GPP-Reporting-Reason == "2" && diameter.avp.code == "421" && diameter.avp.code == "432" && e212.imsi=="334110010009868" || e212.imsi=="334110010009869")" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e tcap.tid -e gtpv2.seq -e diameter.CC-Time -e diameter.avp.len -e diameter.CC-Total-Octets -e diameter.CC-Input-Octets -e diameter.CC-Output-Octets -e diameter.3GPP-Reporting-Reason -e diameter.Rating-Group >outputfile.csv
Perhaps not. Tshark will work but will throw the results in a terrible manner:
Request
frame.number~
frame.time~
_ws.col.Info~
e164.msisdn~
e212.imsi~
diameter.Session-Id~
diameter.CC-Time~
diameter.avp.len~
diameter.CC-Total-Octets~
diameter.CC-Input-Octets~
diameter.CC-Output-Octets~
diameter.3GPP-Reporting-Reason~
diameter.Rating-Group
Response
1~
Apr 3, 2020 19:15:07.755864000 Hora estándar central (México)~
cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 | ~
525588420383~
334110010009868~
herpgw01.epc.mnc110.mcc334.3gppnetwork.org;124f8b02;5e87df05;334110010009868-08790c45~
120,120,120,120~93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23,84,12,61,12,12,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,29,44,12,24,460,420,16,16,20,16,18,16,18,18,16,18,18,13,46,13,13,16,16,18,14,25,13,28,16~0,0,0,0~0,0,0,0~0,0,0,0~2,2,2,2~25,10,8,3
I'm not implying amplying it's tshark's fault. Tshark is doing its job fine, I think is just combining all fault, it makes sense remember at the beginning of this post, we have multiple occurrences of:of
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
So, tshark just combined the results of all occurrences into a wonderful one hundred character long line
93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.
I tried to make a little java program to split the line into human-readable human readable parameter, but stillstill, is non-sense.
Please, how could I get all the occurrences of my desired field values?
Thank you and I'm sorry for the tedious post
EDIT: Thank you Bubbasnmp and Guy Harris for your comments. I was not able to upload the .pcap file (60 points required) so I included an external link, hope this doesn't violate the forum rules
https://www.dropbox.com/s/hlykq2v409l0x0e/resultado_334110010009868.pcap?dl=0
As a shortcut to get the desired field example please use this filter
diameter.Used-Service-Unit == 00:00:01:a4:40:00:00:0c:00:00:00:78:00:00:01:a5:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9c:40:00:00:10:00:00:00:00:00:00:00:00:00:00:01:9e:40:00:00:10:00:00:00:00:00:00:00:00
On my example the correct values should be:
diameter.CC-Time=120 diameter.CC-Total-Octets=0
Tshark: Get multiple ocurrences with same field value
Hi guys!
Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.
Let's say I have 330 packages inside a .pcap file, from which I'm showing you the first three.
No. | Time | Source | Destination | Protocol | Length | Info
1 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
2 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
3 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
Now let's expand packet number one.
Diameter Protocol
Version: 0x01
... (tens of lines deleted to save post space) ...
AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
... (tens of lines deleted to save post space) ...
AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
OK ! the Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside of it:
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP Code: 456 Multiple-Services-Credit-Control
AVP Flags: 0x40, Mandatory: Set
AVP Length: 104
Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…
Now let's click the 000001be400000440000 node:
AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)
And then click the last node... Ok, this is getting really tedious. You got the idea, you need to go five levels down to reach the treasure. Here it is:
AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25
At this point seems very easy! just make a .bat script with the following content, and I would get all values for all packages inside my multiple .pcap files
"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "(diameter.3GPP-Reporting-Reason == "2" && diameter.avp.code == "421" && diameter.avp.code == "432" && e212.imsi=="334110010009868" || e212.imsi=="334110010009869")" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e tcap.tid -e gtpv2.seq -e diameter.CC-Time -e diameter.avp.len -e diameter.CC-Total-Octets -e diameter.CC-Input-Octets -e diameter.CC-Output-Octets -e diameter.3GPP-Reporting-Reason -e diameter.Rating-Group >outputfile.csv
Perhaps not. Tshark will work but will throw the results in a terrible manner:
Request
frame.number~
frame.time~
_ws.col.Info~
e164.msisdn~
e212.imsi~
diameter.Session-Id~
diameter.CC-Time~
diameter.avp.len~
diameter.CC-Total-Octets~
diameter.CC-Input-Octets~
diameter.CC-Output-Octets~
diameter.3GPP-Reporting-Reason~
diameter.Rating-Group
Response
1~
Apr 3, 2020 19:15:07.755864000 Hora estándar central (México)~
cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 | ~
525588420383~
334110010009868~
herpgw01.epc.mnc110.mcc334.3gppnetwork.org;124f8b02;5e87df05;334110010009868-08790c45~
120,120,120,120~93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23,84,12,61,12,12,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,29,44,12,24,460,420,16,16,20,16,18,16,18,18,16,18,18,13,46,13,13,16,16,18,14,25,13,28,16~0,0,0,0~0,0,0,0~0,0,0,0~2,2,2,2~25,10,8,3
I'm not amplying it's tshark's fault, it makes sense remember at the beginning of this post, we have multiple occurrences of
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
So, tshark just combined the results of all occurrences into a wonderful one hundred character long line
93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.
I tried to make a little java program to split the line into human readable parameter, but still, is non-sense.
Please, how could I get all the occurrences of my desired field values?
Thank you and I'm sorry for the tedious post
Tshark: Get multiple ocurrences with same field value
Hi guys!
Presenting this case without being able to upload screenshots will be a nightmare, but please bear with me, I'll do my best.
Let's say I have 330 packages inside a .pcap file, from which I'm showing you the first three.
No. | Time | Source | Destination | Protocol | Length | Info
2 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
3 2020-04-03 19:15:07.755864 172.27.241.161 172.27.241.171 DIAMETER 1686 cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 |
Now let's expand packet number one.
Diameter Protocol
Version: 0x01
... (tens of lines deleted to save post space) ...
AVP: Origin-Host(264) l=57 f=-M- val=mscp01.herpgw01.epc.mnc110.mcc334.3gppnetwork.org
AVP: Origin-Realm(296) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
AVP: Destination-Realm(283) l=41 f=-M- val=epc.mnc110.mcc334.3gppnetwork.org
... (tens of lines deleted to save post space) ...
AVP: Multiple-Services-Indicator(455) l=12 f=-M- val=MULTIPLE_SERVICES_SUPPORTED (1)
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
OK ! the Multiple-Services-Credit-Control(456) part is what we need. Let's click on the first one to see what's inside of it:
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP Code: 456 Multiple-Services-Credit-Control
AVP Flags: 0x40, Mandatory: Set
AVP Length: 104
Multiple-Services-Credit-Control: 000001be40000044000001a44000000c00000078000001a5…
Now let's click the 000001be400000440000 node:
AVP: Used-Service-Unit(446) l=68 f=-M-
AVP: Rating-Group(432) l=12 f=-M- val=25
AVP: 3GPP-Reporting-Reason(872) l=16 f=VM- vnd=TGPP val=FINAL (2)
And then click the last node... Ok, this is getting really tedious. You got the idea, you need to go five levels down to reach the treasure. Here it is:
AVP: CC-Time(420) l=12 f=-M- val=120
AVP: CC-Total-Octets(421) l=16 f=-M- val=0
AVP: CC-Input-Octets(412) l=16 f=-M- val=0
AVP: CC-Output-Octets(414) l=16 f=-M- val=0
AVP: Rating-Group(432) l=12 f=-M- val=25
At this point seems very easy! just make a .bat script with the following content, and I would get all values for all packages inside my multiple .pcap files
"C:\Program Files\Wireshark\tshark" -r "C:\Temp\172.27.241.107\Pcap\resultado_334110010009868.pcap" -Y "(diameter.3GPP-Reporting-Reason == "2" && diameter.avp.code == "421" && diameter.avp.code == "432" && e212.imsi=="334110010009868" || e212.imsi=="334110010009869")" -T fields -E header=y -E "separator=~", -e frame.number -e frame.time -e _ws.col.Info -e e164.msisdn -e e212.imsi -e diameter.Session-Id -e tcap.tid -e gtpv2.seq -e diameter.CC-Time -e diameter.avp.len -e diameter.CC-Total-Octets -e diameter.CC-Input-Octets -e diameter.CC-Output-Octets -e diameter.3GPP-Reporting-Reason -e diameter.Rating-Group >outputfile.csv
Perhaps not. Tshark will work but will throw the results in a terrible manner:
Request
frame.number~
frame.time~
_ws.col.Info~
e164.msisdn~
e212.imsi~
diameter.Session-Id~
diameter.CC-Time~
diameter.avp.len~
diameter.CC-Total-Octets~
diameter.CC-Input-Octets~
diameter.CC-Output-Octets~
diameter.3GPP-Reporting-Reason~
diameter.Rating-Group
Response
1~
Apr 3, 2020 19:15:07.755864000 Hora estándar central (México)~
cmd=Credit-Control Request(272) flags=RP-- appl=Diameter Credit Control Application(4) h2h=1402bebd e2e=149b0325 | ~
525588420383~
334110010009868~
herpgw01.epc.mnc110.mcc334.3gppnetwork.org;124f8b02;5e87df05;334110010009868-08790c45~
120,120,120,120~93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23,84,12,61,12,12,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,104,68,12,16,16,16,12,16,29,44,12,24,460,420,16,16,20,16,18,16,18,18,16,18,18,13,46,13,13,16,16,18,14,25,13,28,16~0,0,0,0~0,0,0,0~0,0,0,0~2,2,2,2~25,10,8,3
I'm not implying it's tshark's fault; it makes sense. Remember, at the beginning of this post we have multiple occurrences of
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
AVP: Multiple-Services-Credit-Control(456) l=104 f=-M-
So, tshark just combined the results of all occurrences into a wonderful one-hundred-character-long line
93,57,41,41,12,33,12,12,51,61,12,12,40,12,20,44,12,23... etc.
I tried to make a little Java program to split the line into human-readable parameters, but still, it is nonsense.
Please, how could I get all the occurrences of my desired field values?
Thank you, and I'm sorry for the tedious post.
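As an added example that is not part of this post or of Wireshark, the Python script below takes the -T fields record tshark printed above and turns each frame's comma-joined values back into one row per Multiple-Services-Credit-Control AVP, by aligning the i-th value of every per-MSCC column; the sample record is constructed from the output shown. It assumes each MSCC carries every listed field exactly once and refuses to align columns whose occurrence counts disagree, which is why diameter.avp.len (one value per AVP in the whole message) is left out.

```python
import csv
from io import StringIO

# Constructed sample, trimmed to the columns that matter: the header and the
# single record that tshark -T fields -E header=y -E separator=~ printed above.
SAMPLE = (
    "frame.number~frame.time~e212.imsi~diameter.CC-Time~diameter.CC-Total-Octets~"
    "diameter.CC-Input-Octets~diameter.CC-Output-Octets~"
    "diameter.3GPP-Reporting-Reason~diameter.Rating-Group\n"
    "1~Apr 3, 2020 19:15:07.755864000~334110010009868~120,120,120,120~"
    "0,0,0,0~0,0,0,0~0,0,0,0~2,2,2,2~25,10,8,3\n"
)

# Columns that belong to the frame as a whole and are copied onto every row.
PER_FRAME = ["frame.number", "frame.time", "e212.imsi"]
# Columns that occur exactly once inside each Multiple-Services-Credit-Control
# (456) AVP, so the i-th comma-separated value of each belongs to the i-th MSCC.
# diameter.avp.len is deliberately absent: it yields one value for every AVP in
# the message (89 of them in the post's output), so it cannot be aligned by index.
PER_MSCC = [
    "diameter.Rating-Group", "diameter.CC-Time", "diameter.CC-Total-Octets",
    "diameter.CC-Input-Octets", "diameter.CC-Output-Octets",
    "diameter.3GPP-Reporting-Reason",
]


def explode(text, sep="~", occ=","):
    """Expand one tshark record per frame into one dict per MSCC occurrence.

    Raises ValueError when the per-MSCC columns disagree on how many values
    they carry, because index alignment is then no longer trustworthy (e.g. an
    MSCC without a Used-Service-Unit contributes a Rating-Group but no CC-Time).
    """
    rows = []
    for rec in csv.DictReader(StringIO(text), delimiter=sep):
        cols = {f: rec[f].split(occ) if rec[f] else [] for f in PER_MSCC}
        counts = {len(v) for v in cols.values()}
        if len(counts) != 1:
            raise ValueError(
                f"frame {rec['frame.number']}: occurrence counts differ {counts}")
        for i in range(counts.pop()):
            row = {f: rec[f] for f in PER_FRAME}
            row.update({f: cols[f][i] for f in PER_MSCC})
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in explode(SAMPLE):
        print(row)
```

For the general case, tshark -T json (or -T pdml) keeps the AVP nesting intact, and -E occurrence=f|l|a controls which occurrences -T fields prints.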