Stop tshark printing out on screen

Question

Hello everybody, I'm using tshark to read a pcap file of Diameter Protocol. Normally, I use "tshark -r", but doing this, it does not decode the AVP value (" val=%s") (function "dissect_diameter_avp" in "packet-diameter.c"). When I use option "-T ek", tshark is able to decode AVP value. But in this way, it prints a lot of information on screen and slow down the performance. Please help me to clarify two problems:

Can I get AVP value (by coding) without using option "-T ek" ?
If NOT, is there any way to stop printing out on screen with option "-T ek"?

Thank you very very much.

Accepted Answer

I'm not familiar with using -T ek, but if you know the AVP value you're looking for, you can get it with -T fields. For example, suppose you want the Session-Id:

tshark -r diameter.pcap -Y "diameter.Session-Id" -T fields -e "diameter.Session-Id"

If you want the value of all AVP's, that's a little harder. I suppose you could run through the file multiple times for each AVP? I don't know what you're trying to do, but here's a script that does that, which may or may not help you:

#!/bin/sh
# Check usage
if (( ${#} < 1 ))
then
        echo "Usage: $0 <file>"
        exit 0
fi
tshark -r ${1} -Y "diameter.avp.code" -O diameter | grep "AVP Code:" | sed 's/^.*AVP Code: //g' > avp_codes.txt
cat avp_codes.txt | sort | uniq | cut -d ' ' -f 2 | sort > avp_codes_sorted.txt
avps=cat avp_codes_sorted.txt
for avp in ${avps}; do
field=echo $avp | tr -d &#39;\r\n&#39;
tshark -r ${1} -Y "diameter.$field" -T fields -e "diameter.$field"
done