Hi, I am trying to use tshark for filtering Diameter messages from a pcap file. I am using the following command:
One of the output lines is
Now the problem is that this particular TCP packet has three Diameter packets, two with Result code = 2001 and another with Experimental code. Looking at the above output, I am not able to distinguish which Diameter packet has an error or a successful response. Could you please help me on this? Is there any way to differentiate and print an empty string for a non-matching condition? Thanks & Regards Nalin Vilochan asked 30 May '11, 22:21 Nalin edited 31 May '11, 18:10 cmaynard ♦♦
2 Answers:
The separator is ',', so the output line's items are:
The aggregator is ':', which means that, for the Diameter items, the first item is the value in the first packet, the second item is the value in the second packet, and the third item is the value in the third packet. Unfortunately, from looking at the code, it appears that, if, for example, the middle Diameter packet doesn't have an instance of the field, it doesn't put in an extra aggregator to indicate that the middle value is what's missing, so a value of "2001:2001" could mean that the first two Diameter packets have a result code of 2001, the first and third Diameter packets have a value of 2001, or the second and third Diameter packets have a result code of 2001. answered 01 Jun '11, 20:30 Guy Harris ♦♦ edited 01 Jun '11, 21:32
Internally in Wireshark, there is no relationship between multiple occurrences of one field and multiple occurrences of another field. It is therefore very hard, if not impossible, to change this without changing the very nature of the Wireshark dissection engine. However, you might be able to get what you want using the PDML output format of tshark (-T pdml) and then parsing the XML formatted text. answered 01 Jun '11, 23:38 SYN-bit ♦♦
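As an added example (not part of the question or either answer), here is one way to act on the PDML suggestion above: parse `tshark -T pdml` output with Python's standard `xml.etree.ElementTree`, walk each `<proto name="diameter">` element separately, and emit one line per Diameter message with an empty field wherever that message lacks the AVP. Because PDML keeps each Diameter message as its own `<proto>` subtree, the "which message was missing the value" ambiguity of the `-T fields` aggregator disappears. The PDML document embedded below is constructed for this example rather than captured from tshark (it mirrors the asker's case of three Diameter messages in one TCP segment, with the Experimental-Result deliberately placed in the middle); the field names `frame.number`, `diameter.cmd.code`, `diameter.Result-Code`, `diameter.Vendor-Id` and `diameter.Experimental-Result-Code` are Wireshark display-filter names, but the exact attribute set of real PDML may differ from this sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample PDML (NOT real tshark output): one frame whose TCP segment
# carries three Diameter answers. Messages 1 and 3 carry Result-Code 2001,
# message 2 carries a 3GPP Experimental-Result with code 5004.
SAMPLE_PDML = """<?xml version="1.0" encoding="utf-8"?>
<pdml version="0" creator="constructed-sample">
  <packet>
    <proto name="frame" showname="Frame 1" size="300" pos="0">
      <field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
    </proto>
    <proto name="tcp" showname="Transmission Control Protocol" size="32" pos="34"/>
    <proto name="diameter" showname="Diameter Protocol" size="80" pos="66">
      <field name="diameter.cmd.code" showname="Command Code: 272 Credit-Control" size="3" pos="71" show="272" value="000110"/>
      <field name="diameter.avp" showname="AVP: Result-Code(268) l=12 f=-M- val=DIAMETER_SUCCESS (2001)" size="12" pos="86">
        <field name="diameter.Result-Code" showname="Result-Code: DIAMETER_SUCCESS (2001)" size="4" pos="94" show="2001" value="000007d1"/>
      </field>
    </proto>
    <proto name="diameter" showname="Diameter Protocol" size="100" pos="146">
      <field name="diameter.cmd.code" showname="Command Code: 272 Credit-Control" size="3" pos="151" show="272" value="000110"/>
      <field name="diameter.avp" showname="AVP: Experimental-Result(297) l=32 f=-M-" size="32" pos="166">
        <field name="diameter.Vendor-Id" showname="Vendor-Id: 3GPP (10415)" size="4" pos="174" show="10415" value="000028af"/>
        <field name="diameter.Experimental-Result-Code" showname="Experimental-Result-Code: 5004" size="4" pos="186" show="5004" value="0000138c"/>
      </field>
    </proto>
    <proto name="diameter" showname="Diameter Protocol" size="80" pos="246">
      <field name="diameter.cmd.code" showname="Command Code: 272 Credit-Control" size="3" pos="251" show="272" value="000110"/>
      <field name="diameter.avp" showname="AVP: Result-Code(268) l=12 f=-M- val=DIAMETER_SUCCESS (2001)" size="12" pos="266">
        <field name="diameter.Result-Code" showname="Result-Code: DIAMETER_SUCCESS (2001)" size="4" pos="274" show="2001" value="000007d1"/>
      </field>
    </proto>
  </packet>
</pdml>
"""

# PDML field name -> key in the per-message record.
RESULT_FIELDS = {
    "diameter.Result-Code": "result_code",
    "diameter.Experimental-Result-Code": "experimental_result_code",
}


def parse_diameter_results(pdml_text):
    """Return one record per Diameter message, in packet order.

    Each record holds the frame number, the command code and the
    Result-Code / Experimental-Result-Code as strings, with "" wherever
    that particular message has no such AVP.
    """
    root = ET.fromstring(pdml_text)
    records = []
    for packet in root.iter("packet"):
        frame_no = ""
        # Only direct children of <packet> are protocol layers; each Diameter
        # message in a multi-message segment is its own <proto name="diameter">.
        for proto in packet.findall("proto"):
            if proto.get("name") == "frame":
                f = proto.find("field[@name='frame.number']")
                frame_no = f.get("show", "") if f is not None else ""
            elif proto.get("name") == "diameter":
                rec = {"frame": frame_no, "cmd_code": "",
                       "result_code": "", "experimental_result_code": ""}
                # iter() descends into nested <field> elements, so the code
                # inside a grouped Experimental-Result AVP is found too.
                for field in proto.iter("field"):
                    name = field.get("name")
                    if name == "diameter.cmd.code":
                        rec["cmd_code"] = field.get("show", "")
                    elif name in RESULT_FIELDS:
                        rec[RESULT_FIELDS[name]] = field.get("show", "")
                records.append(rec)
    return records


def classify(record):
    """'success' for a 2xxx code, 'error' for any other code, 'unknown' if no
    result AVP is present. Uses the RFC 3588 thousands-range convention,
    which the 3GPP experimental codes also follow."""
    code = record["result_code"] or record["experimental_result_code"]
    if not code.isdigit():
        return "unknown"
    return "success" if 2000 <= int(code) < 3000 else "error"


def format_records(records, sep=","):
    """Render each message as frame,cmd_code,result_code,experimental_result_code,
    leaving a field empty (the asker's request) when the AVP is absent."""
    return [sep.join([r["frame"], r["cmd_code"],
                      r["result_code"], r["experimental_result_code"]])
            for r in records]


if __name__ == "__main__":
    recs = parse_diameter_results(SAMPLE_PDML)
    for rec, line in zip(recs, format_records(recs)):
        print(line, classify(rec))
```

On real captures, feed the script `tshark -r file.pcap -Y diameter -T pdml` output instead of the embedded sample; the per-message lines then show unambiguously which of several Diameter messages in one frame carried the error.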