This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to find unreplied TCAP requests

Is it possible to run any script in Wireshark to extend filter capabilities? I have a pcap file with requests/responses. Each request/response pair has unique id. I need to find all requests which don't have response pair. What would be the best way to find such responses in Wireshark?

The protocol is TCAP. I'm analyzing Source Transaction ID and Destination Transaction ID fields.

filter tcap

asked 13 Apr '17, 08:10

Soteric
6●1●1●3
accept rate: 0%

edited 13 Apr '17, 11:53

JeffMorriss ♦
6.2k●5●72

You need to tell us what requests and responses you're working with. There are some cases where Wireshark correlates the request packet with the response packet. Wireshark puts a link to the response in the request packet, and a link to the request in the response packet. In those cases, it is possible to build a filter to show requests with no responses. DNS and HTTP are examples where this can be done.

(13 Apr '17, 09:03) Jim Aragon

Thanks for pointing this. I added protocol details. It is TCAP. And transaction ID is the field I'm looking at.

(13 Apr '17, 09:11) Soteric

One Answer:

Depending on your needs you may be able to do this by:

Enabling the TCAP dissector's Service Response Time Analyze preference
Enabling the TCAP dissector's Persistence stats for SRT preference
Filtering for, for example, tcap.begin_element && !tcap.srt.begin

If that doesn't work for your needs then you may have to use MATE.

answered 13 Apr '17, 11:56

JeffMorriss ♦
6.2k●5●72
accept rate: 27%