Dear Team, I am trying to read a Diameter pcap dump with tshark, filtering by "session ID", and redirected the output to the /tmp folder. When I convert this file (HEX or ASCII) to pcap with text2pcap, it shows the wrong protocols.

    tshark -x -r InputFile.pcap -V "diameter.Session-Id == \"MMEC78.MMEGI8024\"" > /tmp/filter

(-x used for saving in HEX)

    text2pcap filter outut.pcap

---> Here my file is converted, but it opens as Ethernet/TDMoP/any other protocol instead of Diameter. I found this problem with the Diameter trace file only, as this method works fine for my other protocol trace files, for example a GSM_MAP trace. Please help...

asked 21 Feb '17, 06:43 sudheer628
2 Answers:
Answer: Got the solution from a friend: my tshark is reading the pcap in HEX and non-HEX data format, and text2pcap is unable to recognize non-HEX data. Issue resolved by using the proper encapsulation type. We used the command below, which simply considers the HEX format only:

    text2pcap -l 113 input output.pcap

(where 113 represents the encapsulation of Linux trace)

answered 24 Feb '17, 10:43 sudheer628 edited 13 Mar '17, 00:05
As the Enables ASCII text dump identification. It allows to identify the start of the ASCII text dump and not include it in the packet even if it looks like HEX.

answered 13 Mar '17, 07:40 cmaynard ♦♦
Hi, did you attempt this for IPv4 or IPv6? If IPv6, could you please help with some more details? Thanks in advance.
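
An added example, not part of the original thread and not Wireshark code: a Python script that keeps only the hex-dump lines of mixed `tshark -V -x` text, ignores the ASCII column even when it looks like hex, and writes a pcap whose header carries link type 113, the value passed to `text2pcap -l` in the answer above. The function names, sample text and timestamps are constructed, and it assumes tshark's `offset  hex bytes   ASCII` dump layout.

```python
import re
import struct

LINKTYPE_LINUX_SLL = 113  # the value given to "text2pcap -l" in the answer above
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4,})  ((?:[0-9a-fA-F]{2} ){1,16})")
SOURCE = re.compile(r"^(\S.*) \(\d+ bytes\):$")  # e.g. "Frame (21 bytes):"

def frames_from_tshark_text(text):
    """Return frame bytes from mixed `tshark -V -x` text, ignoring non-hex lines."""
    frames, current, label = [], None, None
    for line in text.splitlines():
        src = SOURCE.match(line)
        if src:
            label = src.group(1)
            continue
        m = HEX_LINE.match(line)
        if not m:
            continue  # protocol detail or blank line
        if int(m.group(1), 16) == 0:  # offset 0000 opens a new dump block
            if current:
                frames.append(bytes(current))
            # keep unlabelled and "Frame" dumps, skip reassembled copies
            current = bytearray() if label in (None, "Frame") else None
            label = None
        if current is not None:
            current += bytes.fromhex(m.group(2))
    if current:
        frames.append(bytes(current))
    return frames

def to_pcap(frames, linktype=LINKTYPE_LINUX_SLL):
    """Build a classic pcap image; the link type lives in the global header."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype)
    for i, frame in enumerate(frames):  # timestamps are constructed: i seconds
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample (placeholder bytes): the ASCII column "ab cd" looks like hex.
SAMPLE = (
    "Frame 1: 21 bytes on wire (168 bits), 21 bytes captured (168 bits)\n"
    "Linux cooked capture\n"
    "    Packet type: Unicast to us (0)\n"
    "0000  00 00 00 01 00 06 02 42 ac 11 00 02 00 00 08 00   .......B........\n"
    "0010  61 62 20 63 64                                    ab cd\n"
)

if __name__ == "__main__":
    with open("output.pcap", "wb") as fh:
        fh.write(to_pcap(frames_from_tshark_text(SAMPLE)))
```

A file written with the default link type instead would be decoded from the first byte as Ethernet, which matches the symptom described in the question.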