This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I am trying to extract some information from a Wireshark capture using tshark. The problem is that within a single packet there are multiple messages. The messages are of different types and hence all the messages do not contain all the parameters. Due to this I am not able to figure out which parameter belongs to which message type.

The expression used by me is:

tshark -V -T fields -r "E:\Traces\IUPS-CP.pcap" -E separator=, -E header=y -e frame.time -e frame.number -e frame.len -e vlan.id -e ip.src -e ip.dst -e sctp.srcport -e sctp.dstport -e ip.proto -e m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -e ranap.imsi_digits -e gsm_a.dtap_msg_sm_type -e gsm_a.dtap_msg_gmm_type -e ranap.lAC -e ranap.RAC -e ranap.sAC -e ranap.rNC_ID -e gsm_a.imsi -e ranap.radioNetwork -e gsm_a.sm.cause -e ranap.nAS -e > c:\IUPS-SM.csv

Is there any expression which can be used in tshark to resolve this, or any other way to resolve this?

asked 22 Aug '13, 23:18

Vishal Pathak


By multiple messages do you mean multiple applications in a single M3UA packet (Camel, MAP, RANAP, etc.), or multiple RANAP messages in a packet, or just multiple containers within the RANAP message (e.g. the NAS container you care about)? Is your IuPS control interface deployed via an STP, or is this M3UA association direct from RNC to SGSN (where pure RANAP can be safely assumed)?

If you actually have multiple occurrences of RANAP messages in the same packet, or even multiple NAS containers, unfortunately since those values you want printed can occur at different times in different messages there's no way to just do a -T occurrences check, or to map the values to message containers with -T fields. The only solution for that that I've come up with so far is to use the '-O RANAP' option and read the output through a Perl script to map out what values correspond to what RANAP message.

answered 24 Aug '13, 23:29

Quadratic
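The post-processing approach described in the answer above, as an added example that is not part of the original thread: it is written in Python rather than Perl and groups field values under the RANAP message they appear in. It assumes the text output starts each frame with a column-0 "Frame N:" line and each RANAP message with a column-0 "Radio Access Network Application Part" line followed by indented "name: value" lines; the function name and the sample text are constructed for illustration.

```python
import re

FRAME_RE = re.compile(r"^Frame (\d+):")
RANAP_HEADER = "Radio Access Network Application Part"
FIELD_RE = re.compile(r"^\s+([A-Za-z][\w-]*): (.*)$")

# Constructed sample shaped like `tshark -r trace.pcap -O ranap` output (assumed layout).
SAMPLE = """\
Frame 7: 230 bytes on wire (1840 bits), 230 bytes captured (1840 bits)
Stream Control Transmission Protocol, Src Port: 2905 (2905), Dst Port: 2905 (2905)
MTP 3 User Adaptation Layer
Radio Access Network Application Part
    RANAP-PDU: initiatingMessage (0)
            procedureCode: id-InitialUE-Message (19)
                    lAC: 0001
                    rAC: 01
                    sAC: 0002
GSM A-I/F DTAP - Attach Request
MTP 3 User Adaptation Layer
Radio Access Network Application Part
    RANAP-PDU: initiatingMessage (0)
            procedureCode: id-DirectTransfer (20)
                    lAC: 0003
                    rAC: 02
GSM A-I/F DTAP - Activate PDP Context Request

Frame 8: 118 bytes on wire (944 bits), 118 bytes captured (944 bits)
Radio Access Network Application Part
    RANAP-PDU: successfulOutcome (1)
            procedureCode: id-Iu-Release (1)
"""

def group_ranap_messages(text, wanted=None):
    """Return one dict per RANAP message: frame number plus its own fields."""
    messages, frame, current = [], None, None
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:                                  # new frame: reset state
            frame, current = int(m.group(1)), None
        elif line.startswith(RANAP_HEADER):    # new RANAP message in this frame
            current = {"frame": frame, "fields": {}}
            messages.append(current)
        elif line and not line[0].isspace():   # another protocol's line ends the tree
            current = None
        elif current is not None:
            f = FIELD_RE.match(line)
            if f and (wanted is None or f.group(1) in wanted):
                current["fields"].setdefault(f.group(1), []).append(f.group(2))
    return messages
```

Each returned dict can be written out as one CSV row per message, so a value missing from a message shows up as an empty cell in that row instead of shifting into another message's column.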
