Hi,

Our application receives SMPP messages and sends an Acknowledge to the network. We want to measure the time from the SMPP Submit SM request to the Submit SM response by using tshark. For this I want to extract all Submit SM requests and Submit SM responses with their sequence numbers and calculate an average of the time differences for each pair. Because we need to send about 500 SMPP requests per second, each tshark frame contains a few SMPP requests and not one.

I would like to create a report in the following format: Time, from IP, to IP, smpp command ID, smpp.sequence_number, smpp.sequence_number, smpp.sequence_number…

But when I'm trying to use the fields (such as -e smpp.sequence_number) I'm seeing only frames with one SMPP request/response. Therefore most of the SMPP requests and responses disappear from my report.

Does tshark have some way to extract this kind of information? Or maybe tshark has other options for calculating an average of the time differences for each Submit SM/Submit SM response?

Thank you!

asked 21 Nov '13, 04:51 jumike
One Answer:
What do you mean by that? There are several SMPP messages in one packet and

Can you provide a sample capture file (via google drive, dropbox, cloudshark.org or mega.co.nz)?

answered 21 Nov '13, 05:59 Kurt Knochner ♦
I have run the following command:

tshark -r test1.cap -n -tad -T fields -e smpp.sequence_number -e frame -e frame.time_relative -e smpp.command_id -e tcp.srcport -e tcp.dstport -R "smpp.command_id==0x00000004 || smpp.command_id==0x80000004" > test1.txt

but for frame 99 I got only the last PDU sequence #:

38826618 Frame 99 (431 bytes on wire, 431 bytes captured) 0.168714000 0x80000004 9001 20837
O.K. what is the output of the following command for that file?
Please post a few lines of that output and please include frame #99.
Unfortunately, I have tshark version 1.0.15 (running on Red Hat Enterprise Linux Server release 5.8), and it doesn't support the "occurence" option: tshark: "occurance" is not a valid field output option=value pair. Is there any other way to get the report I need? Thank you!
O.K. then that's exactly your problem. The old tshark will only print one occurrence, while newer versions will print all occurrences.
Only by using a recent version of tshark.
Solution: Please use a newer release of wireshark/tshark (probably on another system than RedHat, as they provide only ancient versions) and then use my tshark command.
Thank you! Could you please recommend exactly which tshark release I need? I'm trying to install 1.10.0, but the installation failed due to an incompatible prerequisite...
On RedHat? No chance.
-e occurence was added in 1.4, so you need at least that version. The latest package provided by RedHat is 1.2.x.
On any other Linux Distribution: Most of them (except CentOS - same problem as RedHat) provide at least 1.8 or 1.10.
Solution: Use another distribution for data analysis.
What do you mean by "Use another distribution for data analysis"?
You won't be able to run the version of tshark (at least 1.4) you need on RedHat unless you compile your own version (which might cause problems due to missing dependencies to build).
So, my suggestion is to use another Linux Distribution, that does provide a recent tshark/wireshark release, to analyze your data with tshark.
I see... unfortunately, it's a customer look alike host, I can't use another Linux Distribution.
Well, what can I say:
RedHat provides: tshark 1.2.x.
You need: tshark >= 1.4.x (-e occurence)
Result: Mismatch
So, you can't do that kind of analysis on the customer system.
However in the days of virtualization, how big of a problem can it be to install another Linux distribution in a virtual machine !?!
I think I will just move the capture files to a Windows machine and run tshark with the "-e occurence" option :)
Thank you, Kurt!
That's also an alternative :-)
Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.
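
The calculation asked about in the question, as an added example that is not part of the original thread: it pairs each Submit SM with its Submit SM response by sequence number and averages the delay, reading tshark field output in which every occurrence of a field is printed (the occurrence option discussed above; current tshark writes it as -E occurrence=a). The column order, the tab separator, the "," joining values from multi-PDU frames, and the sample lines are assumptions made for this example.

```python
import csv
import io
from statistics import mean

SUBMIT_SM, SUBMIT_SM_RESP = 0x00000004, 0x80000004

# Constructed sample (not from the poster's capture). Assumed tab-separated columns:
# frame.time_relative, ip.src, tcp.srcport, ip.dst, tcp.dstport,
# smpp.command_id, smpp.sequence_number (values of multi-PDU frames joined by ",")
SAMPLE = (
    "0.100000\t10.0.0.1\t20837\t10.0.0.2\t9001\t0x00000004,0x00000004\t101,102\n"
    "0.104000\t10.0.0.2\t9001\t10.0.0.1\t20837\t0x80000004\t101\n"
    "0.110000\t10.0.0.1\t20837\t10.0.0.2\t9001\t0x00000004,0x00000015\t103,7\n"
    "0.112000\t10.0.0.2\t9001\t10.0.0.1\t20837\t0x80000004,0x80000004\t102,103\n"
)


def submit_sm_latencies(lines):
    """Return ({(connection, seq): seconds}, {unanswered request: send time})."""
    pending, latency = {}, {}
    for row in csv.reader(lines, delimiter="\t"):
        if len(row) != 7 or not row[5] or not row[6]:
            continue  # not a frame line, or no SMPP fields in this frame
        ts, src, sport, dst, dport, cmds, seqs = row
        cmds, seqs = cmds.split(","), seqs.split(",")
        if len(cmds) != len(seqs):
            continue  # cannot align fields PDU by PDU; skip the frame
        for cmd, seq in zip(cmds, seqs):
            cmd = int(cmd, 16)
            # Sequence numbers are only unique per SMPP session, so the key
            # includes the TCP connection as seen from the requester.
            if cmd == SUBMIT_SM:
                pending[((src, sport, dst, dport), seq)] = float(ts)
            elif cmd == SUBMIT_SM_RESP:
                key = ((dst, dport, src, sport), seq)  # response travels reversed
                if key in pending:
                    latency[key] = float(ts) - pending.pop(key)
    return latency, pending


def average_latency(lines):
    """Mean request-to-response delay in seconds, or None if nothing paired."""
    latency, _ = submit_sm_latencies(lines)
    return mean(latency.values()) if latency else None


if __name__ == "__main__":
    print(f"average: {average_latency(io.StringIO(SAMPLE)):.6f} s")
```

Requests still left in the second return value had no response in the capture, which is worth reporting alongside the average.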