Hello, I'm using tshark to decode a protocol where I want to map the values of one attribute to the values of another by using the
My problem is that tshark's output seems to have no way to clarify if the first "a" attribute was in the same protocol container as b, or if it was the second "a" in the same protocol container as b. The only solution I've been able to come up with so far for this is to use the pdml output option instead of -T fields, output the file and use XML parsing to map the protocol containers out. That got me out of a tight spot but it's extremely inefficient on resources and I'm thinking there's just got to be a better way. I'm not sure if I'd have to build a smarter script by experimenting with Lua or something but I'm hoping as much as possible that tshark has some way to accomplish this more easily as I'm just looking for the container mappings.
asked 23 May '13, 21:00 Quadratic
2 Answers:
Please use a different aggregator character.
The output should then look similar to this:
You will be able to parse that, due to the empty field (;;).
See
Regards
answered 24 May '13, 02:07 Kurt Knochner ♦ edited 24 May '13, 02:08
We have had the same problem. As a short answer, you can't! Using -T fields there is no way to do this. With -T pdml you can achieve your goal, but that is not efficient. We have worked on a solution which preserves the protocol tree. It creates separate entries in the output for each set. In the following photos you can see an example. In the first photo there are two SCTP chunks on top of the IP layer. There are cases where there are 4 chunks on top of the IP layer (second photo).
Photo1:
In these cases, our solution returns 2 (4 for the second example) datasets, one for the blue set and one for the red set, consisting of the values from all protocols (frame;eth;ip;sctp;m3ua;SCCP;TCAP;GSM-MAP; x 2). We believe this feature is needed more often but is not mentioned in the community; we would really appreciate it if you could submit an enhancement request in the bugzilla-thingy, and if this feature is accepted we can then submit our solution more easily, as it is now not a wildly popular request and we are afraid it would be rejected.
Photo2:
answered 11 Jul '16, 02:22 arashdalir edited 11 Jul '16, 02:23
Kurt, that would only help if both fields are always present (and sometimes empty). However, if one of the fields is not present in one of the containers, you will still get:
Please also take a look at my answer to this question.
Ah ... right. If the field does not exist (instead of being empty), it won't work that way. Sorry, I don't have a solution for that case.
Probably what you suggested in the other question (MATE, Lua or PDML parsing?)...
Thanks for the comments, but yes I think the only solution here will be for me to bite the bullet and recompile Wireshark with Lua, learn Lua, and write something that will match up those containers.
Can you post a sample capture file with a packet where all fields are present and then one packet where some fields are not there?
Sorry Kurt but I cannot as those packets are sensitive.
Just an update I thought I'd leave on this one. I found a slightly better solution than PDML: I just used the -O output of the protocol containers as input into a perl script that took care of the mappings. It's not perfect but it's far more efficient than PDML as it's quite a bit less text to print and parse.
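The PDML-parsing approach mentioned in the answers and comments, as an added example that is not from the original thread: a Python script that walks `-T pdml` output and pairs two fields per protocol container, keeping the pairing straight when one field is absent from a container (the case discussed above). The protocol name `demo`, the fields `demo.a`/`demo.b` and the PDML sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed PDML (the -T pdml output format), not a real capture: packet 2
# lacks "demo.a" in its first container, the case that -T fields cannot align.
SAMPLE_PDML = """<pdml>
  <packet>
    <proto name="demo" showname="Demo container 1">
      <field name="demo.a" show="a1"/>
      <field name="demo.b" show="b1"/>
    </proto>
    <proto name="demo" showname="Demo container 2">
      <field name="demo.a" show="a2"/>
      <field name="demo.b" show="b2"/>
    </proto>
  </packet>
  <packet>
    <proto name="demo">
      <field name="demo.b" show="b3"/>
    </proto>
    <proto name="demo">
      <field name="demo.a" show="a4"/>
      <field name="demo.b" show="b4"/>
    </proto>
  </packet>
</pdml>
"""

def map_containers(pdml_text, proto, field_a, field_b):
    """Per packet, return one (a, b) pair per <proto name=proto> container.
    A field missing from a container yields None instead of shifting the pairing."""
    result = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        pairs = []
        for container in packet.iter("proto"):
            if container.get("name") != proto:
                continue
            # iter() also walks nested <field> subtrees, which PDML uses freely
            a = [f.get("show") for f in container.iter("field") if f.get("name") == field_a]
            b = [f.get("show") for f in container.iter("field") if f.get("name") == field_b]
            pairs.append((a[0] if a else None, b[0] if b else None))
        result.append(pairs)
    return result

def flat_view(pairs, sep=";"):
    """Roughly what -T fields -E aggregator=sep prints for the same packet:
    missing values just disappear, so "a4" cannot be aligned with "b3;b4"."""
    return (sep.join(a for a, _ in pairs if a is not None),
            sep.join(b for _, b in pairs if b is not None))

for n, pairs in enumerate(map_containers(SAMPLE_PDML, "demo", "demo.a", "demo.b"), 1):
    print(f"packet {n}: {pairs}  -T fields would show {flat_view(pairs)}")
```

Feed real output with `tshark -r capture.pcap -T pdml` in place of the embedded sample; the same container-walk applies to any protocol that repeats within a frame.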