This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

why dfilter_apply_edt() returning false every time.

0

so I am trying to dissect diameter packets using wireshark library,

when i apply filter 'diameter', and then call dfilter_apply_edt , it always returning false.

what could be the reason behind this.

thanks.

asked 15 Jan '14, 00:29

Sanny_D's gravatar image

Sanny_D
0182021
accept rate: 50%

Perhaps the packets are not recognised as Diameter? what's in the frame you are trying to dissect? a full frame starting from ethernet? What happens if you let Wireshark dissect the frame?

(15 Jan '14, 04:05) Anders ♦

actually, i was trying to dissect output of 'ngrep pcap dump', but it does not support packet reassembly, i guess that is why it is not dissecting ?

(15 Jan '14, 04:14) Sanny_D

it depends on the output format of ngrep. What are the options you were using for ngrep?

(15 Jan '14, 06:18) Kurt Knochner ♦

ngrep ".;5233184391;9999" -I /tmp/pcapd/santo.pcap -O sip:incredible_2.pcap -q -t -w 2>&1 >>/dev/null

".;5233184391;9999" is the matching expression. then i am trying to dissect the sip:incredible_2.pcap file, but surprisingly wireshark dissect it fine.

(15 Jan '14, 21:29) Sanny_D

Which protocols do you see in Wireshark?

(16 Jan '14, 01:07) Kurt Knochner ♦

protocols ins frame->eth:ip:sctp:diameter:diameter

(16 Jan '14, 02:00) Sanny_D

well, then something in your code could be wrong. Is it available online?

(16 Jan '14, 02:22) Kurt Knochner ♦

its here, http://snipt.org/BRjj5

printf("\nfailed_passed\n");fflush(stdout); executed for some messages.

(16 Jan '14, 21:50) Sanny_D
showing 5 of 8 show 3 more comments