This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What are the filterable fields for RADIUS?

0

How to filter using calling station id.

I used radius.CallingStationId == XX XX XX XX XX but its not working.

Can anyone help ?

asked 21 Jun '16, 04:16

Syd%20Anas's gravatar image

Syd Anas
1111
accept rate: 0%

converted to question 21 Jun '16, 07:01

sindy's gravatar image

sindy
6.0k4851

@Syd Anas, someone can probably help but the chance will be much higher if you ask a separate Question (and specify in the question title which protocol you are talking about, i.e. radius in your case) rather than sticking it as an Answer to a really loosely related one.

(21 Jun '16, 06:35) sindy

If you meant radius.Calling_Station_Id, what does "not working" mean? Do you have a packet with a Calling-Station-Id field with a value of XX XX XX XX XX XX, which isn't matched by the filter?

(21 Jun '16, 11:46) Guy Harris ♦♦

2 Answers:

0

In the packet list, choose a Radius packet which contains the Calling Station ID AVP.

In the dissection pane, click open the packet structure until the Calling Station ID AVP is displayed on a single line, and then right-click that line and choose Apply as Filter or Prepare as Filter. The Display filter field will get filled with field_name == value, you are interested in field_name.

The point is that Radius is an extensible protocol where vendors may contribute their own AVPs so the vendor name became part of the AVP field names.

answered 21 Jun '16, 07:19

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

0

Does radius.Calling_Station_Id work?

answered 21 Jun '16, 11:30

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

I'm afraid that radius.Calling_Station_Id is exactly what the OP has posted, except that the site interpreted the underscores as an instruction to print "Station" in italics (possibly my conversion of his Answer to unrelated Question into a new Question has contributed to that).

(21 Jun '16, 11:39) sindy

That's what underscores do in the markup here (which I think is a variant of Markdown). The actual raw content of his question used the "em" tag; I don't know whether he put them there or if it happened as a result of the conversion.

Underscores can be escaped with a backslash - or you can just put the text in backquotes to make it show up as fixed-width text not interpreted with markup.

(21 Jun '16, 11:44) Guy Harris ♦♦