This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Get reassembled information with command line tools


Hi,

I tested all the tools (rawshark, editcap), and I even used the libpcap API to solve my problem, but I can't. The thing is that I have a pcap file with Diameter frames inside. Sometimes there are reassembled packets. The only way to get the whole Diameter packet is by means of shell scripting over the "tshark -r -x" output, but this is not robust because this script is very tied to the libpcap system version (which causes different text outputs).

I would like to use a C program, editcap, rawshark or whatever, but I only obtain the incomplete frame, which does not contain the whole Diameter message.

Summing up, in my pcap example I have these frames:

  1 1427215933.697904 192.168.14.42 -> 192.168.12.40 DIAMETER 498 cmd=Credit-Control Request(272) flags=R--- appl=3GPP Gx(16777238) h2h=4e6e6 e2e=bd986 | 
  3 1427215934.449523 192.168.12.40 -> 192.168.14.42 DIAMETER 358 cmd=Credit-Control Answer(272) flags=---- appl=3GPP Gx(16777238) h2h=4e6e6 e2e=bd986 | 
  6 1427215934.456204 192.168.14.42 -> 192.168.12.40 DIAMETER 638 cmd=AA Request(265) flags=R--- appl=3GPP Rx(16777236) h2h=c73c3 e2e=4cee4 | 
  8 1427215935.123559 192.168.12.40 -> 192.168.14.42 DIAMETER 314 cmd=AA Answer(265) flags=---- appl=3GPP Rx(16777236) h2h=c73c3 e2e=4cee4 | 

The 6th frame is the incomplete one. With tshark -x you can see the whole information: the frame block and the reassembled complete block:

Reassembled TCP (1972 bytes):

  0000  01 00 07 b4 80 00 01 09 01 00 00 14 00 0c 73 c3  ..............s.
  0010  00 04 ce e4 00 00 01 07 40 00 00 42 74 63 5f 30  ........@..Btc_0
  0020  31 5f 46 75 6c 6c 41 56 50 73 3b 61 66 4e 6f 64  1_FullAVPs;afNod
  0030  65 48 6f 73 74 6e 61 6d 65 2e 61 66 4e 6f 64 65  eHostname.afNode
  ...

That's the useful section for me, because inside it I have the complete Diameter message.

If you execute 'editcap my.pcap 6.pcap -r 6', you will have the data but not complete: it only gets the main frame, not the reassembled one. The same happens with all other tools. Only shell scripting solves my problem, but I don't like this solution (not robust, as I said).

Could you help me? Thanks a lot. BRs

asked 27 Mar '15, 06:08


eramos

edited 27 Mar '15, 16:12


2 Answers:


Seems as though you need full dissection of packets (since reassembly needs to take place) so editcap is out. tshark (with the two-pass option for recent versions) would be required. If you need to be able to machine process the output select one of the non-human output text formats, in your case PDML, and parse the desired content from there.

answered 27 Mar '15, 07:22


Jaap ♦

Regarding two-pass, I suppose you are talking about the '-2' option:

PCAP2HEX> tshark -x -r my.pcap 2>/dev/null > normal.txt
PCAP2HEX> tshark -2 -x -r my.pcap 2>/dev/null > two-pass.txt
PCAP2HEX> diff normal.txt  two-pass.txt 

It seems to have the same result.

Regarding PDML (adding '-T pdml' to the tshark command line), it seems that my pcap cannot achieve it: tshark: Raw packet hex data can only be printed as text or PostScript

Perhaps there is some sample code (I couldn't find any) for such full dissection. In my code, I use pcap_open_offline and pcap_next.

(27 Mar '15, 08:39) eramos

What version of Wireshark are you working with? If the file is loaded into Wireshark, does reassembly work then? If there are duplicate messages or out-of-order ones, reassembly sometimes fails.

(27 Mar '15, 10:22) Anders ♦

Wireshark works well. It reassembles everything correctly. But I need to process the pcap externally, with no GUI tools involved. I tested tshark adding '-e tcp.segment' and my frame #6 involves #5 and #6 itself. I could join the rawshark hex output for such frames, detect some Diameter pattern (for example hop-by-hop followed by end-to-end) and then build the message by means of shell scripting. But I would prefer to have a C program prototype or any special option (for tshark, rawshark, whatever) that I am currently unaware of. Probably this option is not implemented.

(27 Mar '15, 14:44) eramos


Finally, I made a safer script based on rawshark/tshark but not processing the tshark -x output. So it works for different libpcap versions (at least those that I tested).

The script is easy to adapt to other protocols using the corresponding length fields and filters (see https://www.wireshark.org/docs/dfref ).

Feel free to use it if you consider it useful: http://redmine.teslayout.com/projects/anna-suite/repository/revisions/master/entry/example/diameter/launcher/resources/pcap2diameterHex.sh

Anyway, it would be very helpful to have an option in the Wireshark tools to ease this kind of work. So, if you know of one, please tell me.

answered 28 Mar '15, 11:18


eramos

edited 28 Mar '15, 11:19
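Added example (not from this thread or the linked pcap2diameterHex.sh script): a Python cutter that applies the length-field approach eramos describes to the in-order TCP payload bytes, so whole Diameter messages are recovered from the byte stream rather than from the text layout of tshark -x. It assumes you have already extracted the ordered TCP payload as bytes (for instance from the rawshark/tshark hex output as in the answer, or from tshark -2 -T fields -e tcp.reassembled.data, which the thread does not mention); the sample stream is constructed here and reuses the frame 6 header from the question's hex dump.

```python
import struct

DIAMETER_HEADER_LEN = 20  # RFC 6733 section 3: fixed header size


def parse_diameter_header(data):
    """Decode the fixed 20-byte Diameter header at the start of data."""
    if len(data) < DIAMETER_HEADER_LEN:
        raise ValueError("need %d bytes for a Diameter header" % DIAMETER_HEADER_LEN)
    if data[0] != 1:
        raise ValueError("unsupported Diameter version %d" % data[0])
    # Message length and command code are 3-byte big-endian fields
    length = int.from_bytes(data[1:4], "big")
    flags = data[4]
    cmd = int.from_bytes(data[5:8], "big")
    app, h2h, e2e = struct.unpack("!III", data[8:20])
    return {"length": length, "request": bool(flags & 0x80),
            "cmd": cmd, "app": app, "h2h": h2h, "e2e": e2e}


def split_diameter_messages(stream):
    """Cut an in-order TCP payload stream into whole Diameter messages.
    Returns (messages, leftover): a list of (header, raw bytes) plus the
    incomplete tail whose remaining segments have not been seen yet."""
    messages, offset = [], 0
    while len(stream) - offset >= DIAMETER_HEADER_LEN:
        hdr = parse_diameter_header(stream[offset:offset + DIAMETER_HEADER_LEN])
        if hdr["length"] < DIAMETER_HEADER_LEN or hdr["length"] % 4:
            raise ValueError("bad message length %d at offset %d" % (hdr["length"], offset))
        end = offset + hdr["length"]
        if end > len(stream):
            break  # message continues in segments we do not have yet
        messages.append((hdr, stream[offset:end]))
        offset = end
    return messages, stream[offset:]


# Constructed sample stream: a complete 32-byte Credit-Control-Request
# (h2h=4e6e6, e2e=bd986 as in frame 1 of the question) with one
# Auth-Application-Id AVP, followed by the 20-byte header of frame 6, whose
# length field 0x0007b4 = 1972 matches the reassembled TCP size tshark
# reported; its body is absent, so the stream ends in an incomplete message.
CCR_SHORT = bytes.fromhex(
    "01 00 00 20 80 00 01 10 01 00 00 16 00 04 e6 e6 00 0b d9 86"
    "00 00 01 02 40 00 00 0c 01 00 00 16")
FRAME6_HEADER = bytes.fromhex(
    "01 00 07 b4 80 00 01 09 01 00 00 14 00 0c 73 c3 00 04 ce e4")
SAMPLE_STREAM = CCR_SHORT + FRAME6_HEADER
```

Feeding the concatenated payloads of frames 5 and 6 to split_diameter_messages yields the 1972-byte AA-Request as one message; a non-empty leftover means more segments are still needed.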