This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

GTP: ip.src displays only encapsulated IP address

0

Hi,

I have GTP encapsulated traffic. So one IP package contains 2 IP addresses:

  • The address of the IP package
  • The address of the GTP encapsulated IP package

When I specify ip.src as a display filter or as a "field" in tshark, I only get the address of the encapsulated IP traffic.

Can anyone tell me how I can display the IP address of the original IP package?

Thanks, Ralf

asked 17 Sep '10, 04:34


bradfield
1112
accept rate: 0%

edited 17 Sep '10, 04:37


2 Answers:

1

In tshark you can use the option "-E occurrence=<f|l|a>", where "f" means the first occurrence of a field with multiple instances, "l" means last occurrence and "a" means all occurrences. If you select "a", then all occurrences are aggregated by a comma by default, but this can be changed by the "-E aggregator=<char>" option.

This functionality does not (yet) exist for Wireshark's custom columns.

Update 22 September: I just submitted new code that will make it possible to select the occurrence in Wireshark too. In a few hours there will be an automated build at http://www.wireshark.org/download/automated/

(make sure you pick a file with a number higher than 34186, otherwise the patch will not be in it)

answered 17 Sep '10, 05:31


SYN-bit ♦♦
17.1k957245
accept rate: 20%

edited 22 Sep '10, 14:01
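
An added illustration, not code from the answer or from Wireshark: a small Python model of what "-E occurrence=f|l|a" selects when ip.src occurs twice in a GTP-U packet. The sample packet, its addresses and all function names are constructed for this example, and GTP extension headers are not followed.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_gtpu_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample: IPv4 / UDP 2152 / GTP-U G-PDU / IPv4 / 8 data bytes."""
    inner = ipv4_header(inner_src, inner_dst, 17, 8) + b"\x00" * 8
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(inner), 0x1234) + inner
    udp = struct.pack("!HHHH", 2152, 2152, 8 + len(gtp), 0) + gtp
    return ipv4_header(outer_src, outer_dst, 17, len(udp)) + udp

def ip_src_occurrences(packet):
    """Collect every IPv4 source address, outermost first, following GTP-U."""
    found, offset = [], 0
    while len(packet) - offset >= 20 and packet[offset] >> 4 == 4:
        ihl = (packet[offset] & 0x0F) * 4
        found.append(socket.inet_ntoa(packet[offset + 12:offset + 16]))
        udp = offset + ihl
        if packet[offset + 9] != 17 or len(packet) < udp + 16:
            break                                  # not UDP, or too short for GTP
        if struct.unpack("!H", packet[udp + 2:udp + 4])[0] != 2152:
            break                                  # not the GTP-U port
        flags, msg_type = packet[udp + 8], packet[udp + 9]
        if flags >> 5 != 1 or msg_type != 0xFF:    # GTPv1 G-PDU only
            break
        # 8-byte mandatory GTP header, plus 4 bytes if any of E/S/PN is set
        offset = udp + 8 + 8 + (4 if flags & 0x07 else 0)
    return found

def select(values, occurrence, aggregator=","):
    """Model of -E occurrence=f|l|a and -E aggregator=<char>."""
    if not values:
        return ""
    if occurrence == "f":
        return values[0]
    if occurrence == "l":
        return values[-1]
    return aggregator.join(values)

if __name__ == "__main__":
    pkt = build_gtpu_packet("192.0.2.1", "192.0.2.2", "10.0.0.5", "198.51.100.7")
    for occ in "fla":
        print(occ, select(ip_src_occurrences(pkt), occ))
```

Here "f" yields the outer (transport) address the question asks for, "l" the encapsulated one, and "a" both joined by the aggregator character.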

0

Yep. That solved my problem.

Thanks, Ralf

answered 17 Sep '10, 10:51


bradfield
1112
accept rate: 0%

This is a Q&A site, which operates a little differently from traditional web forums. If you're posting a comment, please click on the "add new comment" button.

If @SYNbit answered your question, please click on the check mark in order to accept his answer. That way it will float to the top and he'll earn karma points.

(17 Sep '10, 11:00) Gerald Combs ♦♦

Hi Ralf, glad it solved your problem!

Would you be so kind to "accept" my answer by clicking on the checkmark? That way the question will not show up on the "unanswered" list anymore. It also helps people to find the correct answer to the question (although that is not really a problem in this case) :-)

Last thing, it's better to use "add new comment" for this kind of message instead of posting a new "answer".

Cheers, Sake

(17 Sep '10, 11:01) SYN-bit ♦♦