I am using tshark to see some packets, but when I use the -T fields -e xxxx, I don't see a number instead of the actual meaning. Is there an option I should put to be able to see the field name and not the number? For example, I am looking at SGs failure: instead of seeing sgsap.msg_type as "SGsAP-PAGING-REJECT", I see sgsap.msg_type "2". If I use tshark -r file.pcap, I am going to see the output as I see it in Wireshark, with the names.
tshark -T fields -e xxx prints the raw values, and there is no way to get the "text representation" of those values without a code change. So, what you can do is to run the following command and then parse the output with a script:
Sample Output:

    SGs Application Part (SGsAP)
        SGSAP Message Type: SGsAP-LOCATION-UPDATE-REQUEST (0x09)   <<<======= HERE !!!
        IMSI - IMSI (310444001001001)
            Element ID: 0x01
            Length: 8
            0011 .... = Identity Digit 1: 3
            .... 1... = Odd/even indication: Odd number of identity digits
            .... .001 = Mobile Identity Type: IMSI (1)
            BCD Digits: 310444001001001
        MME name - mmec01.mmegi9900.mme.epc.mnc012.mcc310.3gppnetwork.org
            Element ID: 0x09
            Length: 55
            MME name: mmec01.mmegi9900.mme.epc.mnc012.mcc310.3gppnetwork.org
        EPS location update type - IMSI attach
            Element ID: 0x0a
            Length: 1
            EPS location update type: IMSI attach (1)

As an alternative, you can also run this command to get more structured output
Regards
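The answer above suggests parsing the text output with a script. The following Python sketch is an added example, not part of the original answer: it reads dissection text in the form of the sample output and returns the message type name, its numeric code and the IMSI for each packet. The function name `parse_sgsap`, the `Frame N:` header lines and the second packet in the sample are assumptions made for the example.

```python
import re

# Constructed input: SGsAP lines follow the sample output in the answer;
# the "Frame N:" headers and the second packet are assumptions.
SAMPLE = """\
Frame 1: 150 bytes on wire (1200 bits)
SGs Application Part (SGsAP)
    SGSAP Message Type: SGsAP-LOCATION-UPDATE-REQUEST (0x09)
    IMSI - IMSI (310444001001001)
        Element ID: 0x01
        BCD Digits: 310444001001001
Frame 2: 90 bytes on wire (720 bits)
SGs Application Part (SGsAP)
    SGSAP Message Type: SGsAP-PAGING-REJECT (0x02)
    IMSI - IMSI (310444001001001)
        BCD Digits: 310444001001001
"""

FRAME_RE = re.compile(r"^Frame (\d+):")
MSG_RE = re.compile(r"SGSAP Message Type:\s*(\S+)\s*\((0x[0-9a-fA-F]+)\)")
IMSI_RE = re.compile(r"BCD Digits:\s*(\d+)")


def parse_sgsap(text):
    """Return one dict per packet that carries an SGsAP message type."""
    records, current = [], None
    for line in text.splitlines():
        frame = FRAME_RE.match(line)
        if frame or current is None:
            # New packet; input without Frame headers becomes one record.
            number = int(frame.group(1)) if frame else None
            current = {"frame": number, "name": None, "code": None, "imsi": None}
            records.append(current)
        msg = MSG_RE.search(line)
        if msg and current["name"] is None:
            current["name"], current["code"] = msg.group(1), int(msg.group(2), 16)
        imsi = IMSI_RE.search(line)
        if imsi and current["imsi"] is None:
            current["imsi"] = imsi.group(1)
    return [r for r in records if r["name"]]


if __name__ == "__main__":
    # Tab-separated, like -T fields, but with the name next to the number.
    for r in parse_sgsap(SAMPLE):
        print(r["frame"], r["name"], r["code"], r["imsi"], sep="\t")
```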