Hi, I tested all the tools (rawshark, editcap); I even used the libpcap API to solve my problem, but I can't. The thing is that I have a pcap file with Diameter frames inside. Sometimes there are reassembled packets. The only way to get the whole Diameter packet is by means of shell scripting over the "tshark -r -x" output, but this is not robust because the script is tied to the system's libpcap version (which causes different text outputs). I would like to use a C program, editcap, rawshark or whatever, but I only obtain the incomplete frame, which does not contain the whole Diameter message. Summing up, in my pcap example I have these frames:
The 6th frame is the incomplete one. With tshark -x you can see the whole information: the frame block and the reassembled complete block:
That's the useful section for me, because inside it I have the complete Diameter message. If you execute 'editcap my.pcap 6.pcap -r 6', you will have the data but not complete: you only get the main frame, not the reassembled one. The same happens with all other tools. Only shell scripting solves my problem, but I don't like this solution (not robust, as I said). Could you help me? Thanks a lot. BRs asked 27 Mar '15, 06:08 eramos edited 27 Mar '15, 16:12
2 Answers:
It seems as though you need full dissection of the packets (since reassembly needs to take place), so editcap is out. tshark (with the two-pass option in recent versions) would be required. If you need to be able to machine-process the output, select one of the non-human-readable output text formats, in your case PDML, and parse the desired content from there. answered 27 Mar '15, 07:22 Jaap ♦
Finally, I made a safer script based on rawshark/tshark, but not processing tshark -x output. So it works for different libpcap versions (at least those that I tested). The script is easy to adapt to other protocols using the corresponding length fields and filters (see https://www.wireshark.org/docs/dfref ). Feel free to use it if you consider it useful: http://redmine.teslayout.com/projects/anna-suite/repository/revisions/master/entry/example/diameter/launcher/resources/pcap2diameterHex.sh Anyway, it would be very helpful to have an option in the Wireshark tools to ease this kind of work. So, if you know of one, please tell me. answered 28 Mar '15, 11:18 eramos edited 28 Mar '15, 11:19
Regarding two-pass, I suppose you mean the '-2' option:
It seems to have the same result.
Regarding PDML (adding '-T pdml' to the tshark command line), it seems that my pcap cannot achieve it:
tshark: Raw packet hex data can only be printed as text or PostScript
Perhaps there is some sample code (I couldn't find any) for such full dissection? In my code, I use pcap_open_offline and pcap_next.
What version of Wireshark are you working with? If the file is loaded into Wireshark, does reassembly work then? If there are duplicate messages or out-of-order ones, reassembly sometimes fails.
Wireshark works well. It reassembles everything correctly. But I need to process the pcap externally, with no GUI tools involved. I tested tshark adding '-e tcp.segment', and my frame #6 involves #5 and #6 itself. I could join the rawshark hex output for such frames, detect some Diameter pattern (for example hop-by-hop followed by end-to-end) and then build the message by means of shell scripting. But I would prefer to have a C program prototype or some special option (for tshark, rawshark, whatever) that I am currently unaware of. Probably this option is not implemented.
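The approach eramos describes in the answer above and in the last comment (join the TCP segments that make up frames #5 and #6, then cut Diameter messages out of the byte stream on the 3-byte length field of the header and key on the hop-by-hop and end-to-end identifiers) can be done without any Wireshark tool at all once the capture is read directly. The following Python script is an added example written for this page; it is not eramos's pcap2diameterHex.sh from the linked repository and not Wireshark project code. It assumes a classic libpcap file (not pcapng) with the Ethernet link type, IPv4, and TCP on port 3868 (the IANA Diameter port), and it constructs its own capture in memory (one request split across two segments, a retransmission of the second segment, then a second small request) so that it runs offline. Its reader does the same job as the pcap_open_offline/pcap_next loop mentioned in the comments; it does not handle IPv6, TCP sequence wraparound, or captures with missing segments beyond stopping at the gap.

```python
import struct

DIAMETER_PORT = 3868        # IANA default Diameter port (assumed for the sample flow)
DIAMETER_HEADER_LEN = 20

# ---- constructed sample capture: built here for the example, not a real trace ----

def avp(code, data, flags=0x40):
    """Encode one Diameter AVP: code(4) flags(1) length(3) data, padded to a 4-byte boundary."""
    length = 8 + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\x00" * ((-len(data)) % 4)

def diameter_message(cmd_code, app_id, hop_by_hop, end_to_end, avps, flags=0x80):
    """Encode a Diameter message: version(1) length(3) flags(1) code(3) app(4) hbh(4) e2e(4) + AVPs."""
    body = b"".join(avps)
    header = (bytes([1]) + (DIAMETER_HEADER_LEN + len(body)).to_bytes(3, "big") + bytes([flags])
              + cmd_code.to_bytes(3, "big") + struct.pack("!III", app_id, hop_by_hop, end_to_end))
    return header + body

def tcp_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zeroed MACs and checksums: enough to be parsed, not to be sent."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)   # PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp + payload

def build_sample_pcap():
    """Little-endian classic pcap, LINKTYPE_ETHERNET: one 1556-byte request split at a 1460-byte MSS,
    a retransmission of its second segment, then a second 48-byte request in its own segment."""
    big = diameter_message(257, 0, 0x11111111, 0x22222222,
                           [avp(264, b"client.example.net"),    # Origin-Host (assumed value)
                            avp(1, b"A" * 1500)])               # User-Name, long enough to force two segments
    small = diameter_message(257, 0, 0x11111112, 0x22222223, [avp(264, b"client.example.net")])
    stream = big + small
    src, dst, seq0 = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 1000
    cuts = [(0, 1460), (1460, len(big)), (len(big), len(stream)), (1460, len(big))]   # last one = retransmit
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for a, b in cuts:
        frame = tcp_frame(src, dst, 40000, DIAMETER_PORT, seq0 + a, stream[a:b])
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# ---- reader: the equivalent of a pcap_open_offline/pcap_next loop in C ----

def tcp_payloads(pcap_bytes):
    """Yield (flow, seq, payload) for every IPv4/TCP frame carrying data in a classic pcap."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled by this example)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        tcp_off = 14 + ihl
        if ip[9] != 6 or tcp_off + 20 > len(frame):                 # not TCP, or truncated
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        sport, dport, seq = struct.unpack("!HHI", frame[tcp_off:tcp_off + 8])
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + total_len]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload

def reassemble_diameter(pcap_bytes, port=DIAMETER_PORT):
    """Rebuild complete Diameter messages per TCP flow: order segments by sequence number (a repeated
    sequence number is a retransmission and is kept once), then cut on the header length field."""
    streams = {}                                   # flow -> {seq: payload}
    for flow, seq, payload in tcp_payloads(pcap_bytes):
        if port in (flow[1], flow[3]):
            streams.setdefault(flow, {})[seq] = payload
    messages = []
    for flow, segs in streams.items():
        data, expected = b"", None
        for seq in sorted(segs):
            seg = segs[seq]
            if expected is not None and seq > expected:
                break                              # missing segment: never splice across the gap
            skip = 0 if expected is None else expected - seq       # drop bytes overlapping the previous segment
            data += seg[skip:]
            expected = max(expected or 0, seq + len(seg))
        pos = 0
        while pos + DIAMETER_HEADER_LEN <= len(data):
            if data[pos] != 1:
                raise ValueError("stream offset %d does not start with a Diameter v1 header" % pos)
            length = int.from_bytes(data[pos + 1:pos + 4], "big")
            if length < DIAMETER_HEADER_LEN or pos + length > len(data):
                break                              # corrupt length or message cut off by the capture end
            messages.append((flow, data[pos:pos + length]))
            pos += length
    return messages

def diameter_summary(msg):
    """Decode the header fields a script would key on (hop-by-hop followed by end-to-end)."""
    return {"length": int.from_bytes(msg[1:4], "big"), "request": bool(msg[4] & 0x80),
            "command_code": int.from_bytes(msg[5:8], "big"),
            "application_id": struct.unpack("!I", msg[8:12])[0],
            "hop_by_hop": struct.unpack("!I", msg[12:16])[0],
            "end_to_end": struct.unpack("!I", msg[16:20])[0]}

if __name__ == "__main__":
    for flow, msg in reassemble_diameter(build_sample_pcap()):
        print(diameter_summary(msg), msg.hex())
```

Reading a real file is `reassemble_diameter(open("my.pcap", "rb").read())`; the hex of each returned message is what the reassembled block of the `tshark -x` output contains, independent of how that text is laid out by a given libpcap/Wireshark version. The check on the version byte is deliberate: if the stream does not start on a Diameter header (for example because the capture began mid-message), the script stops rather than emitting garbage that merely has the right length.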