This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMPP, tshark


Hi, our application receives SMPP messages and sends an acknowledgement to the network. We want to measure the time from the SMPP Submit SM request to the Submit SM response by using tshark. For this I want to extract all Submit SM requests and Submit SM responses with their sequence numbers and calculate an average of the time differences for each pair. Because we need to send about 500 SMPP requests per second, each tshark frame contains a few SMPP requests, not one.

I would like to create a report in the following format: Time, from IP, to IP, smpp command ID, smpp.sequence_number, smpp.sequence_number, smpp.sequence_number… But when I'm trying to use the fields (such as -e smpp.sequence_number) I'm seeing only frames with one SMPP request/response. Therefore most of the SMPP requests and responses disappear from my report. Does tshark have some way to extract this kind of information? Or maybe tshark has other options for calculating an average of the time differences for each Submit SM/Submit SM response pair?

Thank you!

asked 21 Nov '13, 04:51


jumike


One Answer:


But when I'm trying to use the fields (such as -e smpp.sequence_number) I'm seeing only frames with one SMPP request/response.

What do you mean by that? There are several SMPP messages in one packet and -e smpp.sequence_number prints only one sequence number?

Can you provide a sample capture file (via google drive, dropbox, cloudshark.org or mega.co.nz)?

answered 21 Nov '13, 05:59


Kurt Knochner ♦


(21 Nov '13, 06:11) jumike

I have run the following command: tshark -r test1.cap -n -tad -T fields -e smpp.sequence_number -e frame -e frame.time_relative -e smpp.command_id -e tcp.srcport -e tcp.dstport -R "smpp.command_id==0x00000004 || smpp.command_id==0x80000004" > test1.txt

but for frame 99 I got only the last PDU sequence #: 38826618 Frame 99 (431 bytes on wire, 431 bytes captured) 0.168714000 0x80000004 9001 20837

(21 Nov '13, 06:13) jumike

O.K. what is the output of the following command for that file?

tshark -nr input.pcap -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e smpp.command_id -E header=y -E occurrence=a -E 'separator=;' -E aggregator=:

Please post a few lines of that output and please include frame #99.

(21 Nov '13, 06:26) Kurt Knochner ♦

Unfortunately, I have tshark version 1.0.15 (run on Red Hat Enterprise Linux Server release 5.8), and it doesn't support the "occurrence" option: tshark: "occurance" is not a valid field output option=value pair. Is there any other way to get the report I need? Thank you!

(21 Nov '13, 06:36) jumike

it doesn't support the "occurrence" option:

O.K. then that's exactly your problem. The old tshark will only print one occurrence, while newer versions will print all occurrences.

Is there any other way to get the report I need?

Only by using a recent version of tshark.

Solution: Please use a newer release of wireshark/tshark (probably on another system than RedHat, as they provide only ancient versions) and then use my tshark command.

(21 Nov '13, 06:39) Kurt Knochner ♦

Thank you! Could you please recommend exactly which tshark release I need? I'm trying to install 1.10.0, but the installation failed due to an incompatible prerequisite...

(21 Nov '13, 06:44) jumike

On RedHat? No chance. -e occurrence was added in 1.4, so you need at least that version. The latest package provided by RedHat is 1.2.x

On any other Linux Distribution: Most of them (except CentOS - same problem as RedHat) provide at least 1.8 or 1.10.

Solution: Use another distribution for data analysis.

(21 Nov '13, 06:51) Kurt Knochner ♦

What do you mean by "Use another distribution for data analysis"?

(21 Nov '13, 06:57) jumike

You won't be able to run the version of tshark (at least 1.4) you need on RedHat unless you compile your own version (which might cause problems due to missing dependencies to build).

So, my suggestion is to use another Linux Distribution, that does provide a recent tshark/wireshark release, to analyze your data with tshark.

(21 Nov '13, 07:03) Kurt Knochner ♦

I see... unfortunately, it's a customer look-alike host, I can't use another Linux Distribution.

(21 Nov '13, 07:12) jumike

Well, what can I say:

RedHat provides: tshark 1.2.x.
You need: tshark >= 1.4.x (-e occurrence)
Result: Mismatch

So, you can't do that kind of analysis on the customer system.

However in the days of virtualization, how big of a problem can it be to install another Linux distribution in a virtual machine !?!

(21 Nov '13, 07:25) Kurt Knochner ♦

I think I will just move the capture files to a Windows machine and run tshark with the "-e occurrence" option :)
Thank you, Kurt!

(21 Nov '13, 07:46) jumike

That's also an alternative :-)

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(21 Nov '13, 07:49) Kurt Knochner ♦
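Once a tshark that supports `-E occurrence=a` is available, the field output still has to be turned into the per-pair latency report the question asks for. The script below is an added example, not code from the thread or from the Wireshark project. It assumes the column layout of Kurt's command with `-e smpp.sequence_number` appended as the last field (`;` separator, `:` aggregator, header row on), that tshark emits the aggregated `smpp.command_id` and `smpp.sequence_number` values in the same PDU order so they can be paired positionally, and it uses the command IDs from the question (0x00000004 submit_sm, 0x80000004 submit_sm_resp). The sample output embedded in it is constructed; the sequence numbers and addresses are placeholders.

```python
"""Pair SMPP submit_sm requests with submit_sm_resp and report latency.

Input is tshark field output produced with '-E occurrence=a -E aggregator=:',
so a frame carrying several SMPP PDUs yields all of their fields.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

SUBMIT_SM = 0x00000004        # request, from the application to the SMSC
SUBMIT_SM_RESP = 0x80000004   # response, SMSC back to the application

# Constructed sample, in the shape of (assumed command line):
#   tshark -nr in.pcap -T fields -e frame.number -e frame.time_relative \
#     -e ip.src -e ip.dst -e smpp.command_id -e smpp.sequence_number \
#     -E header=y -E occurrence=a -E 'separator=;' -E aggregator=:
# Frame 1 carries two requests, frame 3 two responses (one without a request),
# frame 4 is an enquire_link that must be ignored.
SAMPLE_OUTPUT = """\
frame.number;frame.time_relative;ip.src;ip.dst;smpp.command_id;smpp.sequence_number
1;0.000000000;10.0.0.1;10.0.0.2;0x00000004:0x00000004;1001:1002
2;0.012000000;10.0.0.2;10.0.0.1;0x80000004;1001
3;0.020000000;10.0.0.2;10.0.0.1;0x80000004:0x80000004;1002:1003
4;0.025000000;10.0.0.1;10.0.0.2;0x00000015;7
"""


@dataclass
class Pdu:
    frame: int
    time: float
    src: str
    dst: str
    command_id: int
    sequence: int


def parse_pdus(lines: Iterable[str]) -> Iterator[Pdu]:
    """Expand each tshark line into one Pdu per aggregated value."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("frame.number"):
            continue  # blank line or the header row from -E header=y
        fields = line.split(";")
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
        frame, t, src, dst, cmds, seqs = fields
        cmd_list = cmds.split(":") if cmds else []
        seq_list = seqs.split(":") if seqs else []
        if len(cmd_list) != len(seq_list):
            # Positional pairing is only safe when every PDU yielded both fields.
            raise ValueError(f"command_id/sequence_number count mismatch in frame {frame}")
        for cmd, seq in zip(cmd_list, seq_list):
            yield Pdu(int(frame), float(t), src, dst, int(cmd, 16), int(seq))


def match_submit_sm(pdus: Iterable[Pdu]) -> Tuple[List[Tuple[int, float]], List[int], List[int]]:
    """Return (matched (seq, rtt) pairs, unanswered request seqs, unmatched response seqs).

    Sequence numbers are only unique per session, so the key includes the
    client/server address pair; the response travels in the opposite direction.
    """
    pending: Dict[Tuple[str, str, int], Pdu] = {}
    rtts: List[Tuple[int, float]] = []
    unmatched_resp: List[int] = []
    for p in pdus:
        if p.command_id == SUBMIT_SM:
            pending[(p.src, p.dst, p.sequence)] = p
        elif p.command_id == SUBMIT_SM_RESP:
            req = pending.pop((p.dst, p.src, p.sequence), None)
            if req is None:
                unmatched_resp.append(p.sequence)
            else:
                rtts.append((p.sequence, p.time - req.time))
    unanswered = sorted(key[2] for key in pending)
    return rtts, unanswered, unmatched_resp


def summarize(text: str) -> dict:
    """Compute the latency statistics for one tshark field dump."""
    rtts, unanswered, unmatched = match_submit_sm(parse_pdus(text.splitlines()))
    deltas = [d for _, d in rtts]
    return {
        "pairs": len(rtts),
        "average_s": sum(deltas) / len(deltas) if deltas else 0.0,
        "max_s": max(deltas, default=0.0),
        "unanswered_requests": unanswered,
        "unmatched_responses": unmatched,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```

Run it as `tshark ... > dump.txt; python3 smpp_latency.py dump.txt`. Besides the average, it lists requests that never received a response and responses with no matching request, which is what a lost or reused sequence number looks like in the capture and is worth checking before trusting the average.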