This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark -E occurrence=a format

0

I want to parse only field that I want, by Tshark using bellow tshark command:

tshark -n -T fields -E header=y -E separator=, -E quote=d -E occurrence=a -e diameter.Session-Id -e diameter.cmd.code -e diameter.applicationId -e diameter.flags.request -e diameter.flags.T -e diameter.CC-Request-Type -e diameter.Framed-IP-Address.IPv4 -e diameter.Result-Code -r "Diameter packet.pcap" >> "diameter.csv"

the result is

diameter.Session-Id diameter.cmd.code diameter.applicationId diameter.flags.request diameter.flags.T diameter.CC-Request-Type GatewayService-5-1.spjktn002.;1481027351;2178169507,GatewayService-4-1.spjktn002.;1481029199;23273131 272,272 4,4 0,0 0,0 2,2

above format is difficult to be analysis and filter.

what I need is separated this information into row as bellow :

diameter.Session-Id "diameter .cmd.code" "diameter. applicationId" "diameter. flags.request" diameter.flags.T diameter.CC-Request-Type diameter.Framed-IP-Address.IPv4 diameter.Result-Code GatewayService-5-1.spjktn002.;1481027351;2178169507 272 4 0 0 2 2001 GatewayService-4-1.spjktn002.;1481029199;23273131 272 4 0 0 2 2001

is there any solution for my problem ?

asked 02 Jan '17, 01:31

bmulya's gravatar image

bmulya
6114
accept rate: 0%

edited 03 Jan '17, 00:34

I uploaded a sample to : https://www.cloudshark.org/captures/69f3a4de2b99

(02 Jan '17, 01:40) bmulya

One Answer:

1

I asked a similar question on this point a few years ago, where there are multiple Diameter AVP values of the same type in the same packet, and from that the intent was to generate per-record rows: https://ask.wireshark.org/questions/21428/tshark-e-output-how-to-bind-value-to-a-protocol-container

In short, Tshark's -T fields option alone can't really accomplish this, since you have two Diameter-level containers in the same packet, meanwhile Tshark is just looking for all occurrances of a given attribute indiscriminately of where they appear in the packet itself.

My solution back then was to use -O, and to write a perl script to do the work of putting each unique Diameter container into its own array to then print out columns. It's likely that MATE, or a Lua script could be written to achieve something like this although I haven't personally explored either option. Tshark can't do this, though.

answered 02 Jan '17, 15:37

Quadratic's gravatar image

Quadratic
1.9k6928
accept rate: 13%

edited 02 Jan '17, 15:38

is anyone can help with lua script or perl ? I have no programming skill.

(04 Jan '17, 19:16) bmulya

Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(04 Jan '17, 22:30) Jaap ♦