Hi, I am trying to extract some information from a wireshark capture using tshark. the problem is that within a single packet there are multiple messages. The messages are of different types and hence all the messages do not contain all the parameters. Due to this I am not able to figure out which parameter belongs to which message type.
The expression used by me is :
tshark -V -T fields -r "E:\Traces\IUPS-CP.pcap" -E separator=, -E header=y -e frame.time -e frame.number -e frame.len -e vlan.id -e ip.src -e ip.dst -e sctp.srcport -e sctp.dstport -e ip.proto -e m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -e ranap.imsi_digits -e gsm_a.dtap_msg_sm_type -e gsm_a.dtap_msg_gmm_type -e ranap.lAC -e ranap.RAC -e ranap.sAC -e ranap.rNC_ID -e gsm_a.imsi -e ranap.radioNetwork -e gsm_a.sm.cause -e ranap.nAS -e > c:\IUPS-SM.csv
Is there any expression which can be used in tshark to resolve this or any other way to resolve this.
asked 22 Aug '13, 23:18
By multiple messages do you mean multiple applications in a single M3UA packet (Camel, MAP, RANAP, etc.), or multiple RANAP messages in a packet, or just multiple containers within the RANAP message (eg: the NAS container you care about)? Is your IuPS control interface deployed via an STP, or is this M3UA association direct from RNC to SGSN (where pure RANAP can be safely assumed)?
If you actually have multiple occurrences of RANAP messages in the same packet,or even multiple NAS containers, unfortunately since those values you want printed can occur at different times in different messages there's no way to just do a -T occurrences check, or to map the values to message containers with -T fields. The only solution for that that I've come up with so far is to use the '-O RANAP' option and read the output through a perl script to map out what values correspond to what RANAP message.
answered 24 Aug '13, 23:29