This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filtering for Diameter session ID in tshark

0

Dear team, in addition to the above query, could you please help me to filter Diameter messages in tshark using the Session-Id?

I am able to display captured Diameter sent & received messages in Wireshark. I want to do the same in tshark in my script, but I am getting the error "tshark: ";" was unexpected in this context."

tshark.exe -r dia.pcap -V "diameter.Session-Id == "MMEC78.MMEGI8024.MME.EPC.MNC007.MCC404.3GPPNETWORK.ORG;3332250302;92145410;mme""

error: tshark: ";" was unexpected in this context.

please suggest.

asked 26 Jan '17, 11:31

sudheer628

converted to question 26 Jan '17, 11:36

JeffMorriss ♦

I converted your Answer to this question to a new question. This is a Q&A site, not a forum--please see the FAQ.

(26 Jan '17, 11:37) JeffMorriss ♦

One Answer:

0

You have to escape the inner double quotes:

tshark.exe -r dia.pcap -V "diameter.Session-Id == \"MMEC78.MMEGI8024.MME.EPC.MNC007.MCC404.3GPPNETWORK.ORG;3332250302;92145410;mme\""

answered 26 Jan '17, 12:20

Uli

Thanks Uli, it works. Could you help with a related query? I want to filter on the Diameter user name. It works in Wireshark but I get nothing in tshark (not even an error); the reason is that tshark is not reading the AVP: user-name message, which contains my IMSI (it's an LTE mobile trace).

tshark filter used: tshark.exe -r dia.pcap -V "diameter.User-Name == "404071610557333""

kindly help..

(26 Jan '17, 12:47) sudheer628

Looks like the same reason: escape the inner quotes?

tshark.exe -r dia.pcap -V "diameter.User-Name == \"404071610557333\""

(26 Jan '17, 13:32) Uli

Not sure if your issue was resolved. I want to add here that tshark.exe -r dia.pcap -R "diameter.User-Name == 404071610557333" -O diameter command shall provide you desired results. Besides I you to use latest wireshark app as and when you can.

(13 Mar '17, 10:04) Vijay Gharge
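For the scripted case raised in the question, an added example (not code from any poster in this thread): it builds the display filter as one argv element so the inner quotes reach tshark intact, and shows that Windows argument quoting yields the escaped form from the answer. The helper names are hypothetical, and the filter is passed with tshark's `-Y` option rather than positionally as in the thread.

```python
import re
import shutil
import subprocess

def quote_filter_string(value: str) -> str:
    """Render value as a double-quoted display-filter string literal."""
    # Escape backslashes first so the ones added for quotes are not doubled.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

def build_tshark_argv(capture, field, value, tshark="tshark"):
    """Return the argv list for: tshark -r capture -Y 'field == "value"' -V."""
    # Restrict the field name so script input cannot add filter operators.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", field):
        raise ValueError(f"unexpected display-filter field name: {field!r}")
    display_filter = f"{field} == {quote_filter_string(value)}"
    return [tshark, "-r", capture, "-Y", display_filter, "-V"]

def windows_command_line(argv):
    """Command line Python builds from an argv list when running on Windows."""
    return subprocess.list2cmdline(argv)

def run_filter(capture, field, value):
    # A list without shell=True: nothing re-parses the quotes or the ';'
    # characters, so tshark receives the filter exactly as built above.
    argv = build_tshark_argv(capture, field, value)
    return subprocess.run(argv, capture_output=True, text=True, check=False)

# Session-Id value taken from the question in this thread.
SESSION_ID = ("MMEC78.MMEGI8024.MME.EPC.MNC007.MCC404.3GPPNETWORK.ORG;"
              "3332250302;92145410;mme")

if __name__ == "__main__":
    argv = build_tshark_argv("dia.pcap", "diameter.Session-Id", SESSION_ID)
    print(windows_command_line(argv))
    if shutil.which("tshark"):  # only run when tshark is installed
        result = run_filter("dia.pcap", "diameter.Session-Id", SESSION_ID)
        print(result.stdout or result.stderr)
```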