This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Cannot retrieve field for radius.Framed_IP_Address using Tshark.

0

Hi,

I am having an issue with retrieving the value for the field radius.Framed_IP_Address but all other fields seem to be returned fine.

Here is the command I'm running and sample output.

$tshark -i eth1 -T fields -e radius.Event_Timestamp  -e radius.User_Name  -e radius.Acct_Status_Type -e radius.Acct_Session_Id -e radius.Calling_Station_Id -e radius.Framed_IP_Address -E separator="|"

I have confirmed that there is a value for the AVP for Framed-IP-Address by viewing the output. All other fields seem to work and I have tried using both radius.Framed_IP_Address and radius.Framed-IP-Address with no success.

is there any reason why only this field doesn't seem to work?

asked 13 Feb '13, 19:01

TsharkNewb's gravatar image

TsharkNewb
1222
accept rate: 0%


One Answer:

0

-e radius.Framed-IP-Address works with tshark 1.8.4 on Windows XP, while reading these capture files:

is there any reason why only this field doesn't seem to work?

it could be a bug in your tshark version. What is the output of tshark -v on your system?
it could be a typo in your command. Did you really try -e radius.Framed-IP-Address?

Regards
Kurt

answered 13 Feb '13, 19:28

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thanks Kurt,

I have tried both commands. No output for that field for either one.

tshark -v shows: TShark 1.8.5 (SVN Rev Unknown from unknown)

...

Compiled (64-bit) with GLib 2.22.5, with libpcap, with libz 1.2.3, with POSIX capabilities (Linux), without SMI, without c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT Kerberos, without GeoIP.

Running on Linux 2.6.32-220.el6.x86_64, with locale en_US.UTF-8, with libpcap version 1.3.0, with libz 1.2.3.

Built using gcc 4.4.6 20110731 (Red Hat 4.4.6-3).

(13 Feb '13, 19:39) TsharkNewb

I just ran it using one of the input file you supplied with the command:

tshark -r radius-acct-no-dups-sample.pcap -T fields -e radius.Framed-IP-Address

This works and returns the IP addresses. It only seems to not be working when I am trying to capture from the interface.

(13 Feb '13, 19:49) TsharkNewb

It only seems to not be working when I am trying to capture from the interface.

does it work, if you capture from the interface and write to a file. Then, afterwards read from that file with tshark?

I just want to check if it's the live capturing or a 'problem' with the radius protocol in your environment.

If does work that way, it might be a bug in tshark. Then, please file a bug report at bugs.wireshark.org. Please add a detailed problem description and a link to this question.

(13 Feb '13, 20:17) Kurt Knochner ♦