This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

text2pcap is not converting diameter trace

0

Dear Team, I am trying read diameter pcap dump with tshark by filtering with "session ID" and redirected the output to /tmp folder, when i convert this file (HEX or ASCII) to pcap in text2pcap, it is showing wrong protocols..

tshark -x -r InputFile.pcap -V "diameter.Session-Id == \"MMEC78.MMEGI8024\" > /tmp/filter (-x used for saving in HEX)

text2pcap filter outut.pcap --->here my file is converted but it opens in Ethernet/TDMoP/anyother protocols, instead of Diameter..I found this problem with diameter trace file only as this method works fine for my other protocol trace file example.GSM_MAP trace..

alt text

please help...

asked 21 Feb '17, 06:43

sudheer628's gravatar image

sudheer628
6224
accept rate: 0%


2 Answers:

0

Answer: Got the solution by friend, that my tshark is reading pcap in HEX & non HEX data format, text2pcap is unable to recognize non HEX data..issue resolved by using proper encapsulation type. we used below command which simply consider HEX format only

text2pcap -l 113 input output.pcap (where 113 represents the encapsulation of Linux trace)

answered 24 Feb '17, 10:43

sudheer628's gravatar image

sudheer628
6224
accept rate: 0%

edited 13 Mar '17, 00:05

Hi, did you attempt for IPv4 or IPv6 ? If IPv6 could you please help with some more details ? thanks in advance

(13 Mar '17, 09:29) Vijay Gharge

0

As the text2pcap man page indicates, you can use the -a option:

Enables ASCII text dump identification. It allows to identify the start of the ASCII text dump and not include it in the packet even if it looks like HEX.

answered 13 Mar '17, 07:40

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%