This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to extract smpp.message using tshark?

0

I am trying to extract SMPP message content using tshark.

But when I use -T fields -e "smpp.message" it only prints 1 and not the actual message.

C:\Program Files\Wireshark>tshark -r SMPP.pcap -2 -R "(smpp.command_id == 0x00000004)" -T fields -e         smpp.message -E header=y
smpp.message
1
1
1
1
1
1
1
1
1

If I use -T text -x parameters it shows the actual message, but I cant filter to only shows the smpp message.

When i consult tshark -G it shows:

F   Message smpp.message    FT_NONE smpp    The actual message or data.

What I am doing wrong?

asked 27 Jan '17, 06:37

Bricio's gravatar image

Bricio
11114
accept rate: 0%

One Answer:

0

The latest version of packet-smpp.c shows FT_BYTES, not FT_NONE. Here's the exact change.

Try upgrading Wireshark. You can even get a very recent automated version.

answered 27 Jan '17, 13:44

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

TY, is there a way, inside wireshark, to return this field as STRING? My smpp messages is always strings. I don't have c or c++ compiler to change the file and recompile.

(29 Jan '17, 04:28) Bricio

Without modifying the Wireshark sources and recompiling it, you can probably achieve this with some scripting, removing the :'s and converting each hex byte to its ASCII-equivalent character.

(30 Jan '17, 07:19) cmaynard ♦♦