I need to extract the UM data from RLC-LTE packets so I can compare this data between two captures to see which one is missing what.... Based on experience so far, I don't think Wireshark has the capability of doing this, but is there a way to extract this data, or am I out of luck? Below is a picture of what I am trying to extract. Certain portions of the picure are blacked out for confidenciality reasons. The data of interest is circled in red: Let me know if you have any questions; I will try to answer them as best I can. asked 13 May '16, 09:31  Midimistro |
One Answer:
As usual help via screenshots is difficult, in particular when you've redacted the bit of the status bar that would give you the answer. The field name for UM Data is This field name can be used in a command line tshark command to print out the field values, e.g. answered 13 May '16, 11:19  grahamb ♦ I'll test that to see if it works next week. Thank you. (13 May '16, 14:12) Midimistro |
I'm not sure exactly what you want to compare in terms of missing data, but if you turn on UM sequence analysis you will find out about any lost packets at the RLC/UM level. If you configure PDCP to be decoded, you can enable sequence analysis at that level too. And if PDCP is carrying unencrypted IP traffic you can decode that and maybe the protocol it is carrying will highlight missing data. If PDCP is encrypted and you have the key information, you may be able to decrypt it.
I don't remember what versions of Wireshark first had these features, 1.10 is a fairly old.