OSPF Hello & Dead Intervals

Question

Hello

I have a pcap file and am parsing it using tshark and wish dump the OSPF hello and dead intervals but there are no display filter names for these two attribtues (or many other OSPF attribtues). Dumping the hex value would be fine but I can't seem to find a filter that will give me these results. I was fiddling around with "ospf[x:y]" but that doesn't work. Does anyone have any ideas as to how I can dump these values?

Thanks

Answer 1

Apparently there are no fields for those two timers. They are shown as text in Wireshark. So, if you need/want these two fields (or more), please file an enhancement request at https://bugs.wireshark.org

Meanwhile, here is what you can do:

Run tshark with option -V. Then parse the output of tshark to extract the two values.

tshark -nr ospf.pcap -V

Strings to look for:

Hello Interval: 10 seconds
Router Dead Interval: 40 seconds

An alternative to -V is -T pdml (XML like output).

tshark -nr ospf.pcap -T pdml

Finally you can print the text fields and then parse that output to extract the intervals

tshark -nr ospf.pcap -Y "ospf.msg == 1" -T fields -e frame.number -e ip.src -e ip.dst -e text

Output:

1       192.168.170.8   224.0.0.5       Source GeoIP: Unknown,Destination GeoIP: Unknown,OSPF Header,OSPF Version: 2,Packet Length: 44,Area
ID: 0.0.0.1,Packet Checksum: 0x273b [correct],Auth Type: Null,Auth Data (none),OSPF Hello Packet,Network Mask: 255.255.255.0,Hello Interval:
 10 seconds,Router Priority: 1,Router Dead Interval: 40 seconds,Designated Router: 192.168.170.8,Backup Designated Router: 0.0.0.0

Regards
Kurt