I am running airprobe and while it is running, I open up the GUI wireshark and I can successfully view gsmtap ... and everything is working great. I see a packet marked "system information type 3" and I open that packet up and I can drill all the way down to: GSM CCCH - System Information Type 3 -> LAI -> Location Area Code (LAC) ... but I would like to see that information in tshark. I looked up the gsmtap reference here: https://www.wireshark.org/docs/dfref/g/gsmtap.html ... but there are only 18 fields in gsmtap, so I don't understand where all the info is coming from that I see in the GUI ... I do see the fields I want in gsm_map, but when I use tshark with gsm_map:
I get no output at all. So I am confused ... If gsmtap is very limited and has only 18 fields, how am I getting all this information in the wireshark GUI that doesn't seem to be included in gsmtap ? Also, why do I get no output at all when I try to run tshark with gsm_map ? Thanks. asked 04 Dec '15, 18:39 wshuser edited 04 Dec '15, 19:55 Guy Harris ♦♦ |
One Answer:
It is not a fault of Wireshark that GSM MAP is not used on the air interface (i.e. between the mobile terminal and base station) but only inside the core network, between the MSC, HLR, VLR etc. So in the GUI, select one of the packets which is not dissected nicely enough by tshark, and in the packet dissection pane, unfold the "frame" level (the topmost one). There, you shall see a line called "Protocols in frame". Its value part is a semicolon-separated list of protocols which the Wireshark dissection engine has detected in the frame. Similarly, you can identify the names of individual fields of each protocol: whenever you click a line decoding a field in the dissection pane, you'll see the field's name in the status line at the bottom of the GUI window. These are the names to be used to compose your tshark display, using answered 05 Dec '15, 00:02 sindy |
Thanks sindy ... for some reason in wireshark GUI (in kali linux) I cannot right-click the lines ... right-click works in other places, but not there. But you are saying I can still look down in the status line at the bottom of the window and see my -e field names there ?
It sounds weird to me that the "non-right-clickability" should be an issue of a particular linux distribution. Would you mind sharing a packet or the whole capture (publishing it somewhere and putting a link here)?
Bear in mind that not each of the lines in packet dissection pane represents a protocol field. So if you select a line (by left-clicking it) and the status line shows some kind of (xxx.yyy) information different from (text), that dissection line should be right-clickable.
But I think you've also misunderstood the meaning of -Y parameter of tshark. The name "display filter" (associated to -Y) may not be self-explanatory itself. It is rather a "filter used at display time", in contrary to a filter used during capture (a capture filter). This distinction comes from the GUI version where you can capture once and change display filter many times. So it does not define which parts of the packet will be displayed but what fields must be present in the packet so that the packet as a whole would be chosen for showing. To choose the fields for display, you can use -V, -O, -T, -e, -E options, while -R or -Y options are used to choose whether a given packet will be displayed or not. The field names to be used both for -Y, -R and -e are the same, but for -Y and -R, you can define conditions for these fields (like
-Y frame.len > 20
, which obviously makes no sense with -e.So as you used "-Y gsm_map", tshark would have displayed gsm_map packets if there were any; as there weren't, it has shown nothing.
So look at the list of protocols as I've suggested in the answer (in the "frame" part of the packet dissection), where you should see something like eth:ethertype:ip:udp:gsmtap:...., and look at the meaning of -O and -V options to tshark. So
tshark -V -Y gsmtap
could be your starting point.Ok, this worked - thank you - I was able to find the names of what I was seeing in the gui, and my eventual command looked like:
tshark -Y '!icmp && gsmtap' -i lo -t ad -T fields -e gsmtap.signal_dbm -e e212.mnc
However, in the wireshark GUI, e212.mnc gives me a number and a human readable output, like this:
Mobile Network Code (MNC): Cingular Wireless (410)
... but in tshark, I just get the number:
410
Is there a way to instruct tshark to decode that number and output the human readable lookup for it, just like it does in wireshark gui ?
Thanks.
If you can post somewhere a capture with this single packet and put here a link, I may be able to answer. Someone else may be able to answer from the top of his head but definitely not me.