I'm using tshark to decode a protocol where I want to map the values of one attribute to the values of another by using the
My problem is that tshark's output seems to have no way to clarify if the first "a" attribute was in the same protocol container as b, or if it was the second "a" in the same protocol container as b.
The only solution I've been able to come up with so far for this is to use the pdml output option instead of -T fields, output the file and use XML parsing to map the protocol containers out. That got me out of a tight spot but it's extremely inefficient on resources and I'm thinking there's just got to be a better way. I'm not sure if I'd have to build a smarter script by experimenting with Lua or something but I'm hoping as much as possible that tshark has some way to accomplish this more easily as I'm just looking for the container mappings.
asked 23 May '13, 21:00
Please use a different aggregator character.
The output should then look similar to this:
You will be able to parse that, due to the empty field (;;).
answered 24 May '13, 02:07
Kurt Knochner ♦
edited 24 May '13, 02:08
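Added example, not part of the answer above and not Wireshark code: a small parser for `-T fields` output produced with a custom separator and aggregator, written to show what the empty field makes possible. The `-E separator` and `-E aggregator` options are real tshark options; the capture, the field names `proto.a` / `proto.b` and the sample output lines are constructed for this example. The assumed layout is one line per frame, one column per `-e` field split by `|`, and every occurrence of a field inside the frame joined by `;`, so an occurrence with an empty value leaves a visible empty element.

```python
"""Parse tshark -T fields output that uses a custom aggregator.

Assumed invocation (real options; capture and field names are hypothetical):

  tshark -r capture.pcap -T fields -E separator='|' -E aggregator=';' \
         -e frame.number -e proto.a -e proto.b

Each output line is one frame; columns are separated by '|' and the
occurrences of a field within the frame are joined by ';'.  An occurrence
with an empty value is an empty element, which is what ';;' shows.
"""

FIELDS = ["frame.number", "proto.a", "proto.b"]
SEPARATOR = "|"
AGGREGATOR = ";"

# Constructed sample output, not taken from a real capture.
SAMPLE_OUTPUT = """\
1|a1|b1
2|a1;a2|b1;b2
3|a1;;a3|b1;b2;b3
4|a1;a2|b1
"""


def split_occurrences(column):
    """Split one column into per-occurrence values.

    An empty element stays as '' (the field was present with an empty value);
    a column with no occurrences at all gives an empty list.
    """
    if column == "":
        return []
    return column.split(AGGREGATOR)


def pair_containers(line, fields=FIELDS, key="frame.number"):
    """Return one dict per protocol container for a single output line.

    The i-th occurrence of each aggregated field is assumed to belong to the
    i-th container in the frame (tshark emits occurrences in tree order).
    When the fields disagree on how many occurrences they have, the pairing
    is ambiguous, which is exactly the problem the question describes, so
    None is returned instead of a guessed mapping.
    """
    columns = line.rstrip("\n").split(SEPARATOR)
    if len(columns) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(columns)}: {line!r}")
    row = dict(zip(fields, columns))
    key_value = row.pop(key)
    occurrences = {name: split_occurrences(col) for name, col in row.items()}
    counts = {len(values) for values in occurrences.values()}
    if len(counts) != 1:
        return None
    n = counts.pop()
    return [
        {key: key_value, **{name: occurrences[name][i] for name in occurrences}}
        for i in range(n)
    ]


def parse_output(text):
    """Parse a whole tshark run; returns (containers, ambiguous_frame_numbers)."""
    containers, ambiguous = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        pairs = pair_containers(line)
        if pairs is None:
            ambiguous.append(line.split(SEPARATOR)[0])
        else:
            containers.extend(pairs)
    return containers, ambiguous


if __name__ == "__main__":
    found, bad = parse_output(SAMPLE_OUTPUT)
    for container in found:
        print(container)
    print("ambiguous frames:", bad)
```

Frame 3 of the constructed sample is the case the answer relies on: the second `proto.a` occurrence is empty, but because the aggregator leaves an empty element the index still lines up with the second `proto.b`. Frame 4 is the opposite case: if a container does not carry the field at all, nothing marks its place, so the occurrence counts differ and the parser reports the frame as ambiguous rather than silently pairing `a2` with nothing.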
We have had the same problem. As a short answer, you can't! Using -T fields there is no way to do this. With -T pdml you can achieve your goal, but that is not efficient.
We have worked on a solution, which preserves the protocol tree. It creates separate entries in output for each set.
In the following photos, you can see an example. In the first photo there are two SCTP chunks on top of the IP layer. There are cases where there are 4 chunks on top of the IP layer (second photo).
In these cases, our solution returns 2 datasets (4 for the second example), one for the blue set and one for the red set, each consisting of the values from all protocols (frame;eth;ip;sctp;m3ua;SCCP;TCAP;GSM-MAP; x 2).
We believe this feature is needed more often but is not mentioned in the community; we would really appreciate it if you could submit an enhancement request in the bugzilla-thingy. If this feature is accepted, we can then submit our solution more easily, as it is now not a widely popular request and we are afraid it would be rejected.
answered 11 Jul '16, 02:22
edited 11 Jul '16, 02:23
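Added example, not the answerer's solution and not Wireshark code: one way to get the per-set datasets described above from the `-T pdml` output that tshark already produces. PDML holds each `<packet>` as a sequence of `<proto>` elements in dissection order, each with `<field>` elements carrying `name` and `show` attributes. The script treats the `<proto>` elements up to the first repeated protocol name as the shared lower layers and starts a new dataset at every repeat of an already-seen protocol name, giving each dataset its own copy of the shared layers (frame, eth, ip, sctp, then m3ua/sccp/tcap per chunk). The PDML below is constructed and trimmed to the attributes the script uses; the field values are stand-ins.

```python
"""Split a PDML packet into one dataset per protocol container."""
import xml.etree.ElementTree as ET

# Constructed PDML, reduced to the attributes used here.  Real tshark -T pdml
# output carries more attributes and nested <field> elements.
CONSTRUCTED_PDML = """\
<pdml>
  <packet>
    <proto name="frame"><field name="frame.number" show="7"/></proto>
    <proto name="eth"><field name="eth.src" show="00:11:22:33:44:55"/></proto>
    <proto name="ip"><field name="ip.src" show="10.0.0.1"/></proto>
    <proto name="sctp"><field name="sctp.srcport" show="2905"/></proto>
    <proto name="m3ua"><field name="m3ua.opc" show="100"/></proto>
    <proto name="sccp"><field name="sccp.called.digits" show="4910001"/></proto>
    <proto name="tcap"><field name="tcap.tid" show="01"/></proto>
    <proto name="m3ua"><field name="m3ua.opc" show="200"/></proto>
    <proto name="sccp"><field name="sccp.called.digits" show="4910002"/></proto>
    <proto name="tcap"><field name="tcap.tid" show="02"/></proto>
  </packet>
</pdml>
"""


def proto_fields(proto):
    """Flatten one <proto> into {field name: show value}, nested fields included.

    The first occurrence of a name wins, so a field repeated inside a single
    <proto> is not silently overwritten by a later one.
    """
    out = {}
    for field in proto.iter("field"):
        name = field.get("name")
        if name and field.get("show") is not None:
            out.setdefault(name, field.get("show"))
    return out


def split_packet(packet):
    """Return a list of datasets (dicts) for one <packet>.

    Protocols before the first one that repeats later in the packet are the
    shared lower layers.  From there on, a protocol name that has already
    been seen in the current dataset starts the next dataset.  A packet with
    no repeated protocol yields a single dataset.
    """
    protos = packet.findall("proto")
    names = [p.get("name") for p in protos]
    first_repeat = next(
        (i for i, n in enumerate(names) if n in names[i + 1:]), len(names)
    )
    shared = {}
    for proto in protos[:first_repeat]:
        shared.update(proto_fields(proto))

    datasets, current, seen = [], {}, set()
    for proto in protos[first_repeat:]:
        name = proto.get("name")
        if name in seen:
            datasets.append(current)
            current, seen = {}, set()
        seen.add(name)
        current.update(proto_fields(proto))
    if current or not datasets:
        datasets.append(current)
    return [{**shared, **ds} for ds in datasets]


def split_pdml(text):
    """Parse a PDML document and return the datasets of every packet in order."""
    root = ET.fromstring(text)
    return [ds for packet in root.iter("packet") for ds in split_packet(packet)]


if __name__ == "__main__":
    for dataset in split_pdml(CONSTRUCTED_PDML):
        print(dataset)
```

The split key is the repetition of a top-level `<proto>` name, which is what distinguishes the second chunk's m3ua/sccp/tcap from the first. Fields that live inside the single `<proto name="sctp">` element (the per-chunk SCTP fields themselves) end up in the shared part of every dataset; mapping those per chunk would need the same repeat detection applied to the nested chunk fields. This still pays the PDML cost the answers mention; it only replaces a hand-written XML walk with one that emits the per-set rows directly, and it does not need a modified tshark.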