This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Multiple Messages in single frame causing problems while converting to csv using tshark

0

Hi, I am trying to extract some information from a wireshark capture using tshark. the problem is that within a single packet there are multiple messages. The messages are of different types and hence all the messages do not contain all the parameters. Due to this I am not able to figure out which parameter belongs to which message type.

The expression used by me is :

tshark -V -T fields -r "E:\Traces\IUPS-CP.pcap" -E separator=, -E header=y -e frame.time -e frame.number -e frame.len -e vlan.id -e ip.src -e ip.dst -e sctp.srcport -e sctp.dstport -e ip.proto -e m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -e ranap.imsi_digits -e gsm_a.dtap_msg_sm_type -e gsm_a.dtap_msg_gmm_type -e ranap.lAC -e ranap.RAC -e ranap.sAC -e ranap.rNC_ID -e gsm_a.imsi -e ranap.radioNetwork -e gsm_a.sm.cause -e ranap.nAS -e > c:\IUPS-SM.csv

Is there any expression which can be used in tshark to resolve this or any other way to resolve this.

asked 22 Aug '13, 23:18

Vishal%20Pathak's gravatar image

Vishal Pathak
11112
accept rate: 0%


One Answer:

0

By multiple messages do you mean multiple applications in a single M3UA packet (Camel, MAP, RANAP, etc.), or multiple RANAP messages in a packet, or just multiple containers within the RANAP message (eg: the NAS container you care about)? Is your IuPS control interface deployed via an STP, or is this M3UA association direct from RNC to SGSN (where pure RANAP can be safely assumed)?

If you actually have multiple occurrences of RANAP messages in the same packet,or even multiple NAS containers, unfortunately since those values you want printed can occur at different times in different messages there's no way to just do a -T occurrences check, or to map the values to message containers with -T fields. The only solution for that that I've come up with so far is to use the '-O RANAP' option and read the output through a perl script to map out what values correspond to what RANAP message.

answered 24 Aug '13, 23:29

Quadratic's gravatar image

Quadratic
1.9k6928
accept rate: 13%