This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can we add extra column in existing pcap with help of C language

0

I want to add an extra column called Ue_Identity to an existing pcap, not by following the manual procedure in Wireshark, but with the help of the C language. I have to do it like this: when I run that script with a pcap as input, it will add the extra column into that pcap.

asked 05 Aug '13, 04:12

gst
26447
accept rate: 0%

edited 07 Aug '13, 01:38

grahamb ♦
19.8k330206


3 Answers:

0

There are no columns in PCAP. PCAP stands for the file format which contains packet capture data. Columns can be found in the output of Wireshark (on screen or in print); they are defined in the currently applicable configuration file for the current profile.

answered 05 Aug '13, 06:10

Jaap ♦
11.7k16101
accept rate: 14%

So then, can we add an extra column as I specified earlier to the output of Wireshark or not?

(05 Aug '13, 06:28) gst

The answer is much the same as in your previous attempt at the same question http://ask.wireshark.org/questions/23495/dissector-to-add-column-in-existing-pcap.

(05 Aug '13, 06:39) grahamb ♦

0

As has been said, you can't change GUI aspects from dissector code. But if you need to run a script that processes the data, you can change the GUI preferences from the command line. Use the following for instance to add the tcp.stream field to the output:

tshark -r <file> -R <filter> -o 'gui.column.format:"No.","%m","Time","%t","Stream index","%Cus:tcp.stream:0:R",
     "Source", "%s","Destination", "%d","Protocol", "%p","Length", "%L","Info", "%i"'

You can also use the -T fields option of tshark:

tshark -r <file> -R <filter> -T fields -e frame.number -e ip.src -e ip.dst -e ...

answered 05 Aug '13, 22:45

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Hey, I want more explanation about the tshark -o option with more examples and outputs, so will you please provide me the link where I can get more explanation about this?

(06 Aug '13, 03:23) gst

All the info can be found in the TShark man page. A summary can also be seen by passing a -h or -? argument to tshark.

(06 Aug '13, 03:26) grahamb ♦

0

GST, what is the value of "ue_identity" that you would want to be present in such a column? If by "UE" you're referring to the 3GPP term, there'd be a great many different temporary and permanent identities used for a UE across the different signaling interfaces/protocols used by most mobility procedures you'd be tracing in Wireshark.

What specifically are you trying to accomplish? I've actually written a great many perl scripts to work with tshark to parse most of the relevant protocols to uniquely map out messages related to a given UE (through GTP-C, TCAP, MAP, Diameter/Gx/Gy/S6a-d, S1AP, RANAP, etc.), since in Wireshark alone it can be a total pain.

Anyway, if you're trying to trace a UE identity through a .pcap file, and by UE you mean the 3GPP 'user equipment', I wish it were as simple as a column. If you can be specific on your end goal, there's a good chance I have a scripted solution already written for it.

Edit: Oh, and if it really is just one field you want there, in the GUI, right-click the field in a packet and click "Apply as Column".

answered 06 Aug '13, 21:05

Quadratic
1.9k6928
accept rate: 13%

edited 06 Aug '13, 21:08

Hello Quadratic, what I have to do is this: when I run my program with a pcap file as input, it should show the header No Time Src Dst Protocol Length Ue_Identity Info in Wireshark, and in the Ue_Identity column it will show the TMSI value as ue_identity for the related message. (Basically, what I am trying to do is trace the whole UE signaling in Wireshark: how many times it connected and disconnected, and with what context, so in front of the messages related to the UE it will show its TMSI in that column. But this should be done in C, not manually by adding a column through Wireshark.)

(06 Aug '13, 21:58) gst

Which type of TMSI (TMSI, P-TMSI, M-TMSI, S-TMSI, GUTI) in which protocol container (RANAP/NAS, NBAP/NAS, S1AP/NAS)?

The dissector can decode TMSI values and you can display them in their own column. The value will change for the subscriber, so you'll need to track old TMSI to new as well, and a precise how-to for that depends on what TMSI you're talking about and for what protocol.

(07 Aug '13, 04:01) Quadratic
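An added example (not code from this thread or from the Wireshark project) in Python, covering both SYN-bit's answer and Quadratic's last comment: it builds the tshark `-o gui.column.format` and `-T fields` command lines for a custom Ue_Identity column, then post-processes `-T fields` output so that, when a message reallocates the TMSI, later frames carrying the new value are still attributed to the same subscriber. Assumptions: `gsm_a.tmsi` is used as the TMSI field name (verify with `tshark -G fields`; the right field depends on the protocol container, as Quadratic says), `-Y` is used for the display filter, and the sample `-T fields` output is constructed with placeholder header names `tmsi` and `new_tmsi` so the script runs offline.

```python
"""Build tshark column/field invocations and derive a Ue_Identity column.

Added example, not from the original thread.  Assumed: `gsm_a.tmsi` as the
TMSI field name (check `tshark -G fields`), and constructed -T fields output
with placeholder header names `tmsi` / `new_tmsi`.
"""
import shlex

# Default Wireshark column layout, as in SYN-bit's -o example.
DEFAULT_COLUMNS = [
    ("No.", "%m"), ("Time", "%t"), ("Source", "%s"), ("Destination", "%d"),
    ("Protocol", "%p"), ("Length", "%L"), ("Info", "%i"),
]


def custom_column(title, field, occurrence=0, resolved=True):
    """(title, format) for a custom column, mirroring "%Cus:tcp.stream:0:R".

    occurrence 0 means all occurrences of the field; R/U = resolved/unresolved.
    """
    return (title, "%%Cus:%s:%d:%s" % (field, occurrence, "R" if resolved else "U"))


def column_format_option(columns):
    """Render the gui.column.format preference value for `tshark -o`."""
    quoted = []
    for title, fmt in columns:
        quoted.append('"%s"' % title)
        quoted.append('"%s"' % fmt)
    return "gui.column.format:" + ",".join(quoted)


def with_extra_column(extra, before_title="Info"):
    """Insert a custom column into DEFAULT_COLUMNS ahead of `before_title`."""
    cols = list(DEFAULT_COLUMNS)
    cols.insert([t for t, _ in cols].index(before_title), extra)
    return cols


def column_argv(pcap, columns, display_filter=None):
    """tshark argv that prints the trace with the given column layout."""
    argv = ["tshark", "-r", pcap]
    if display_filter:
        argv += ["-Y", display_filter]  # display filter (-R is the read filter)
    argv += ["-o", column_format_option(columns)]
    return argv


def fields_argv(pcap, fields, display_filter=None):
    """tshark argv that emits tab-separated field values with a header row."""
    argv = ["tshark", "-r", pcap]
    if display_filter:
        argv += ["-Y", display_filter]
    argv += ["-T", "fields", "-E", "header=y", "-E", "separator=/t"]
    for field in fields:
        argv += ["-e", field]
    return argv


def parse_fields_output(text):
    """Parse `-T fields -E header=y -E separator=/t` output into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


class UeIdentityTracker:
    """Map every TMSI seen back to the first TMSI seen for that subscriber.

    A reallocation (old -> new) aliases the new value to the old one's key, so
    later frames carrying only the new TMSI land in the same Ue_Identity.
    """

    def __init__(self):
        self.alias = {}

    def canonical(self, tmsi):
        return self.alias.setdefault(tmsi, tmsi)

    def reallocate(self, old, new):
        self.alias[new] = self.canonical(old)


def add_ue_identity_column(records, tmsi_field, new_tmsi_field):
    """Return the records with a derived Ue_Identity value per frame."""
    tracker = UeIdentityTracker()
    out = []
    for rec in records:
        tmsi = rec.get(tmsi_field, "")
        ue = tracker.canonical(tmsi) if tmsi else ""
        new = rec.get(new_tmsi_field, "")
        if tmsi and new:
            tracker.reallocate(tmsi, new)  # takes effect from the next frame
        out.append(dict(rec, Ue_Identity=ue))
    return out


# Constructed sample of tshark -T fields output; header names are placeholders.
SAMPLE_FIELDS_OUTPUT = "\n".join([
    "frame.number\tframe.time_relative\ttmsi\tnew_tmsi",
    "1\t0.000\t0x1a2b3c4d\t",
    "2\t0.120\t0x1a2b3c4d\t0x55667788",  # reallocation: old -> new
    "3\t0.300\t0x55667788\t",            # same subscriber, new TMSI
    "4\t0.450\t0x99aabbcc\t",            # a different subscriber
])


if __name__ == "__main__":
    cols = with_extra_column(custom_column("Ue_Identity", "gsm_a.tmsi"))
    print(shlex.join(column_argv("capture.pcap", cols, "gsm_a.tmsi")))
    rows = add_ue_identity_column(parse_fields_output(SAMPLE_FIELDS_OUTPUT),
                                  "tmsi", "new_tmsi")
    for row in rows:
        print(row["frame.number"], row["tmsi"], "->", row["Ue_Identity"])
```

Run the script to see the generated tshark command line; to use it on a real trace, feed the output of `fields_argv(...)` (run through `subprocess`) into `parse_fields_output` and pass the real field names in place of the placeholders. The tracker only chains identities when the old and new TMSI appear in the same record; which message carries both, and under which field names, depends on the protocol container you are tracing.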