This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract UM Data from RLC-LTE packets

0

I need to extract the UM data from RLC-LTE packets so I can compare this data between two captures to see which one is missing what.... Based on experience so far, I don't think Wireshark has the capability of doing this, but is there a way to extract this data, or am I out of luck?

Below is a picture of what I am trying to extract. Certain portions of the picture are blacked out for confidentiality reasons. The data of interest is circled in red: Wireshark PCAP screenshot outlining UM data of interest

Let me know if you have any questions; I will try to answer them as best I can.

asked 13 May '16, 09:31

Midimistro

I'm not sure exactly what you want to compare in terms of missing data, but if you turn on UM sequence analysis you will find out about any lost packets at the RLC/UM level. If you configure PDCP to be decoded, you can enable sequence analysis at that level too. And if PDCP is carrying unencrypted IP traffic you can decode that and maybe the protocol it is carrying will highlight missing data. If PDCP is encrypted and you have the key information, you may be able to decrypt it.

I don't remember what versions of Wireshark first had these features, 1.10 is fairly old.

(13 May '16, 13:33) MartinM

One Answer:

1

As usual help via screenshots is difficult, in particular when you've redacted the bit of the status bar that would give you the answer.

The field name for UM Data is rlc-lte.um.data, as would be seen in the status bar (in parentheses) when you click on a field of interest in the packet details pane.

This field name can be used in a command line tshark command to print out the field values, e.g. tshark -r <capturefile> -T fields -e rlc-lte.um.data. Add additional -e options for additional fields and then post process the results from your captures to compare the data.

answered 13 May '16, 11:19

grahamb ♦

I'll test that to see if it works next week. Thank you.

(13 May '16, 14:12) Midimistro
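
The post-processing step suggested in the answer, as an added example that is not part of the original thread: it runs the tshark command from the answer with `frame.number` as an additional `-e` field and reports UM payloads present in one capture but absent from the other. It assumes tshark is on the PATH and the two capture file names are given on the command line; the sample lines are constructed.

```python
import subprocess
import sys
from collections import Counter, defaultdict

FIELD = "rlc-lte.um.data"  # field name given in the answer above

# Constructed sample of tshark field output (frame number, tab, payload hex).
SAMPLE_A = ["1\t01:02:03", "2\t", "3\taa:bb,cc:dd", "4\t01:02:03"]
SAMPLE_B = ["1\t010203", "2\taabb", "5\tee"]

def run_tshark(capture):
    """Return tshark's field output lines for one capture file."""
    cmd = ["tshark", "-r", capture, "-T", "fields",
           "-e", "frame.number", "-e", FIELD]
    done = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()

def parse(lines):
    """Map normalised payload hex -> list of frame numbers carrying it."""
    payloads = defaultdict(list)
    for line in lines:
        frame, _, data = line.partition("\t")
        # A frame may hold several UM PDUs; tshark joins them with commas.
        for item in data.split(","):
            # Some releases print bytes as aa:bb:cc, others as aabbcc.
            hexstr = item.strip().replace(":", "").lower()
            if hexstr:
                payloads[hexstr].append(int(frame))
    return payloads

def missing(a, b):
    """Payloads seen more often in a than in b.

    Returns payload -> (surplus count, frames in a that carry it).
    Counting occurrences keeps repeated identical payloads from hiding a loss.
    """
    count_a = Counter({k: len(v) for k, v in a.items()})
    count_b = Counter({k: len(v) for k, v in b.items()})
    return {k: (n, a[k]) for k, n in (count_a - count_b).items()}

if __name__ == "__main__":
    first, second = sys.argv[1], sys.argv[2]
    a, b = parse(run_tshark(first)), parse(run_tshark(second))
    for label, diff in ((first, missing(a, b)), (second, missing(b, a))):
        for payload, (n, frames) in diff.items():
            print(f"only in {label}: {n}x {payload} (frames {frames})")
```
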