This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark fields

0

I am using tshark to see some packets, but when I use the -T fields -e xxxx, I don't see a number instead of the actual meaning. Is there an option I should put to be able to see the field name and not the number? For example, I am looking at SGs failure: instead of seeing sgsap.msg_type as "SGsAP-PAGING-REJECT", I see sgsap.msg_type "2". If I use tshark -r file.pcap, I am going to see the output as I see it in Wireshark, with the names.

asked 14 Apr '15, 12:29


alfromero
6224
accept rate: 0%


One Answer:

1

tshark -T fields -e xxx prints the raw values and there is no way to get the "text representation" of those values without a code change.

So, what you can do is to run the following command and then parse the output with a script:

tshark -V -r input.pcap

Sample Output:

SGs Application Part (SGsAP)
    SGSAP Message Type: SGsAP-LOCATION-UPDATE-REQUEST (0x09)    <<<======= HERE !!!
    IMSI - IMSI (310444001001001)
        Element ID: 0x01
        Length: 8
        0011 .... = Identity Digit 1: 3
        .... 1... = Odd/even indication: Odd number of identity digits
        .... .001 = Mobile Identity Type: IMSI (1)
        BCD Digits: 310444001001001
    MME name - mmec01.mmegi9900.mme.epc.mnc012.mcc310.3gppnetwork.org
        Element ID: 0x09
        Length: 55
        MME name: mmec01.mmegi9900.mme.epc.mnc012.mcc310.3gppnetwork.org
    EPS location update type - IMSI attach
        Element ID: 0x0a
        Length: 1
        EPS location update type: IMSI attach (1)

As an alternative, you can also run this command to get more structured output:

tshark -r input.pcap -T pdml

Regards
Kurt

answered 15 Apr '15, 02:32


Kurt Knochner ♦
24.8k1039237
accept rate: 15%
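
One way to do the "parse the output with a script" step from the answer above, using the PDML output. This is an added example, not code from the answer or from the Wireshark project; the embedded PDML is a constructed sample, and the function names field_text, decode_fields and demo are hypothetical.

```python
import io
import re
import xml.etree.ElementTree as ET

# Constructed PDML sample, shaped like `tshark -r input.pcap -T pdml` output
# for the SGsAP message in the answer (attribute values are assumptions).
SAMPLE_PDML = b"""<?xml version="1.0"?>
<pdml>
  <packet>
    <proto name="sgsap" showname="SGs Application Part (SGsAP)">
      <field name="sgsap.msg_type" showname="SGSAP Message Type: SGsAP-LOCATION-UPDATE-REQUEST (0x09)" show="9" value="09"/>
      <field name="" show="IMSI - IMSI (310444001001001)">
        <field name="e212.imsi" showname="IMSI: 310444001001001" show="310444001001001"/>
      </field>
    </proto>
  </packet>
</pdml>
"""

def field_text(showname):
    """Turn 'Label: TEXT (0x09)' into 'TEXT'; keep the value if no label."""
    text = showname.split(": ", 1)[-1]
    # Drop a trailing raw value in parentheses, e.g. (0x09) or (1).
    return re.sub(r"\s*\((?:0x[0-9a-fA-F]+|\d+)\)$", "", text)

def decode_fields(pdml_stream, wanted):
    """Yield one dict per packet: field name -> (raw show value, text)."""
    row = {}
    for _, elem in ET.iterparse(pdml_stream, events=("end",)):
        if elem.tag == "field" and elem.get("name") in wanted:
            row[elem.get("name")] = (elem.get("show"),
                                     field_text(elem.get("showname", "")))
        elif elem.tag == "packet":
            yield row
            row = {}
            elem.clear()  # free the packet subtree; captures can be large

def demo():
    """Decode the constructed sample, keeping only sgsap.msg_type."""
    return list(decode_fields(io.BytesIO(SAMPLE_PDML), {"sgsap.msg_type"}))

if __name__ == "__main__":
    for row in demo():
        print(row)
```

For a real capture, pass the PDML as a binary stream, for example the stdout pipe of a tshark subprocess, instead of the embedded sample.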