This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMPP commands,tree with filter

0

Is there a way to apply a filter in a command like this: tshark -nr input.pcap -q -z smpp_commands,tree

I have a pcap file with several IPs and I want to make a filter with ip.src==x.x.x.x and then show the smpp_commands,tree.

Thanks and regards

asked 22 Jun '13, 16:37

fachav2
31226
accept rate: 0%


2 Answers:

1

I did manage to work this out with:

$ tshark -nr FILENAME -R"ip.addr==IPADDR" -2 -qz smpp_commands,tree
===================================================================
 SM_PP Operations             value         rate         percent
-------------------------------------------------------------------
 SMPP Operations               411       0.001066                
  SMPP Requests                  99       0.000257          24.09%
   Enquire_link                   14       0.000036          14.14%
   Submit_sm                      85       0.000220          85.86%
  SMPP Responses                312       0.000809          75.91%
   Deliver_sm - resp             282       0.000731          90.38%
   Enquire_link - resp            28       0.000073           8.97%
   Submit_sm - resp                2       0.000005           0.64%
 SMPP Response Status         312       0.000809                
  Ok                           312       0.000809         100.00%

===================================================================

And if I remove the filter -R "" -2 I will get all the traffic. I have the following wireshark/tshark:

TShark 1.10.0 (SVN Rev 49790 from /trunk-1.10)

NOTE: If you specify ip.src you will see only the SMPP commands generated from that IP and not responses or commands generated from the destination IP. Sometimes this is handy because you can see (even count) if all your commands have responses and vice versa.

You can find more information on the tshark help page: http://www.wireshark.org/docs/man-pages/tshark.html

And last but not least HAPPY BIRTHDAY TO WIRESHARK :).

answered 15 Jul '13, 12:02

Edmond
1813614
accept rate: 33%

edited 15 Jul '13, 14:44

Multiple passes (-2), that was the option I needed. Yes, I have to upgrade my tshark. I will try and let you know about

(15 Jul '13, 13:43) fachav2
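
Added example (not part of either answer or of Wireshark): a small parser for the smpp_commands,tree table that does the request/response count mentioned in the note above. The sample input is the output quoted in that answer; the function names are hypothetical, and the parser assumes one leading space per tree level, as in that output.

```python
import re

# Output of `tshark ... -qz smpp_commands,tree`, copied from the answer above.
SAMPLE = """\
===================================================================
 SM_PP Operations             value         rate         percent
-------------------------------------------------------------------
 SMPP Operations               411       0.001066
  SMPP Requests                  99       0.000257          24.09%
   Enquire_link                   14       0.000036          14.14%
   Submit_sm                      85       0.000220          85.86%
  SMPP Responses                312       0.000809          75.91%
   Deliver_sm - resp             282       0.000731          90.38%
   Enquire_link - resp            28       0.000073           8.97%
   Submit_sm - resp                2       0.000005           0.64%
 SMPP Response Status         312       0.000809
  Ok                           312       0.000809         100.00%
===================================================================
"""

# <indent><name> <value> <rate> [<percent>%]; header and rule lines do not match.
ROW = re.compile(r"^(\s*)(\S.*?)\s+(\d+)\s+[\d.]+(?:\s+[\d.]+%)?\s*$")
SUFFIX = " - resp"

def parse_tree(text):
    """Map each node path, e.g. ('SMPP Operations', 'SMPP Requests', 'Submit_sm'), to its count."""
    counts, stack = {}, []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        depth = max(len(m.group(1)) - 1, 0)  # assumed: one space of indent per tree level
        stack = stack[:depth] + [m.group(2)]
        counts[tuple(stack)] = int(m.group(3))
    return counts

def request_response_gap(counts):
    """Per SMPP command: requests minus responses seen in the (filtered) capture."""
    req, resp = {}, {}
    for path, value in counts.items():
        if len(path) == 3 and path[1] == "SMPP Requests":
            req[path[2]] = value
        elif len(path) == 3 and path[1] == "SMPP Responses":
            name = path[2]
            resp[name[:-len(SUFFIX)] if name.endswith(SUFFIX) else name] = value
    return {c: req.get(c, 0) - resp.get(c, 0) for c in sorted(set(req) | set(resp))}

if __name__ == "__main__":
    for cmd, gap in request_response_gap(parse_tree(SAMPLE)).items():
        print(f"{cmd:15} requests - responses = {gap:+d}")
```

A positive gap means requests in the filtered capture without a counted response; a negative gap means responses whose requests fall outside the filter or the capture.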

0

Try this

tshark -nr <pcapfile> -Y "ip.src==x.x.x.x" -qz smpp_commands,tree

If it is not taking -Y then try giving -R.

answered 22 Jun '13, 17:01

krishnayeddula
629354148
accept rate: 6%

edited 22 Jun '13, 17:06

Thanks, but it did not work. The -Y option crashes, but -R is accepted; however, no matter what IP I filter with the -R option, the result is always the same.

Does anyone know anything about this?

(15 Jul '13, 08:37) fachav2