Hi, I have a pcap of TCP traffic which I decode as Diameter in the Wireshark GUI. I then save it. I confirmed after saving, by re-opening the pcap, that the TCP packets are decoded as the Diameter protocol. Now I have the decoded pcap saved and confirmed. I need to use that decoded pcap in a script for post-processing. I use a tshark command in the script to convert that decoded pcap to a text file, but tshark produces a zero-byte text file. Below is the tshark command inside the script, assuming the pcap is decoded as the Diameter protocol.

& 'C:\Program Files\Wireshark\tshark.exe' -Y "diameter.Subscription-Id-Data == $a" -V -r $Server > C:\text4111.txt

The resulting text file text4111.txt is zero bytes, i.e. not successfully converted. Any idea how to make this work? Thanks, Amit

asked 19 Nov '15, 07:17 amitmraval
2 Answers:
Do I read your question right that you had to use "Decode As" to manually tell the Wireshark GUI to decode that TCP flow as Diameter? If so, you are likely using a non-standard TCP port for Diameter, and you need to use a parameter to tell tshark the same. From :
Like Wireshark's Example: The pcap(ng) file does not store information about manual "Decode As" mappings. On the other hand, a running Wireshark session remembers them. So by saving, closing and re-opening the pcap file without closing Wireshark itself, you could get a false impression that the "Decode As" mappings were saved to the file.

answered 19 Nov '15, 10:52 sindy, edited 22 Oct '16, 12:55
If there is nothing in the file, then your filter was not applied. As you are using a variable in the filter ($a), I guess it has not been expanded. And frankly, variables on Windows (DOS box) are %variable% and not $variable (which is Unix style). So I guess that's the problem. What do you get if you run this in a DOS box?
If you get $a in the output, it's as I said, and Wireshark/tshark would have looked for the string "$a" in diameter.Subscription-Id-Data, which does not make much sense. Regards

answered 19 Nov '15, 09:27 Kurt Knochner ♦

What do you get if you run this in a DOS box? It's a PowerShell command, so simply type (19 Nov '15, 10:01) grahamb ♦
Thanks Kurt.
Sindy, you are right. I was under the impression that after decoding to Diameter in the Wireshark GUI it would be saved permanently in decoded format, but it is not.
So, I finally made it work with the command below, where I put both filters on a single tshark command. First it decodes the traffic as the Diameter protocol and then applies a particular Diameter filter expression, all into a text file, which is what I was looking for.
& 'C:\Program Files\Wireshark\tshark.exe' -d "tcp.port==3998,diameter" -Y "diameter.Subscription-Id-Data == $a" -V -r $Server > C:\text4111.txt
Thanks again for your inputs.
Regards, Amit
For the background:
$a is the input from the user when the script is executed.
$Server is the raw, undecoded pcap selected by the user before the tshark command.
$a is nothing but the subscriber number which the user wants to check, and for which I put the filter in the tshark command copied above.
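As an added example (not part of the original thread, and not Wireshark's own code), here is the working command from the thread wrapped in a small PowerShell script that makes the two pitfalls discussed above explicit: the "Decode As" mapping is passed to tshark with -d because the capture file does not carry it, and the user-supplied subscriber number is validated before it is interpolated into the display filter, since a stray quote or operator in $a would otherwise rewrite the filter rather than match a subscriber. The script also checks tshark's exit code and the size of the output file, so a zero-byte result is reported instead of discovered later. Assumed, not from the thread: the default tshark install path, Diameter on TCP port 3998 as in Amit's command, and that Subscription-Id-Data holds a plain digit string; $OutFile and $DiameterPort are hypothetical parameter names.

```powershell
# Added example, not from the original thread. Run as:
#   .\diameter-extract.ps1 -Server C:\captures\raw.pcap -a 491701234567
param(
    [Parameter(Mandatory = $true)] [string] $Server,        # raw, undecoded pcap chosen by the user
    [Parameter(Mandatory = $true)] [string] $a,             # subscriber number typed by the user
    [string] $OutFile      = 'C:\text4111.txt',             # assumed output path (as in the thread)
    [int]    $DiameterPort = 3998                           # assumed non-standard Diameter port
)

$tshark = 'C:\Program Files\Wireshark\tshark.exe'           # assumed default install path
if (-not (Test-Path -LiteralPath $tshark)) { throw "tshark not found at $tshark" }
if (-not (Test-Path -LiteralPath $Server)) { throw "capture file not found: $Server" }

# $a ends up inside a display filter, so only accept what a subscriber number
# can contain. Without this, input such as
#     1 or diameter
# would silently widen the filter instead of matching one subscriber.
if ($a -notmatch '^[0-9]{1,20}$') { throw "subscriber number must be 1-20 digits, got '$a'" }

# Double quotes are required: PowerShell does not expand $a inside single
# quotes, and tshark would then search for the literal text "$a" (Kurt's point).
# The value is digits only, so it needs no quoting of its own inside the filter,
# which also sidesteps PowerShell's handling of embedded quotes in native
# command arguments.
$filter = "diameter.Subscription-Id-Data == $a"

# -d supplies the "Decode As" mapping on every run; the pcap(ng) file does not
# store the mapping made in the GUI (sindy's point).
& $tshark -r $Server `
    -d "tcp.port==$DiameterPort,diameter" `
    -Y $filter `
    -V |
    Out-File -FilePath $OutFile -Encoding utf8

if ($LASTEXITCODE -ne 0) { throw "tshark exited with code $LASTEXITCODE (bad filter or unreadable capture?)" }

# A zero-byte file means the filter matched nothing: either the port in -d is
# wrong, so nothing was dissected as Diameter, or $a never appears in the AVP.
$size = (Get-Item -LiteralPath $OutFile).Length
if ($size -eq 0) {
    Write-Warning "no packets matched: check that Diameter really runs on tcp.port $DiameterPort and that $a is present in Subscription-Id-Data"
} else {
    Write-Host "wrote $size bytes to $OutFile"
}
```

If the port is unknown, run tshark once without -Y (keeping -d) and confirm that the packet list shows Diameter rather than plain TCP before adding the subscriber filter; a filter on a Diameter field can only match frames that were actually dissected as Diameter.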