This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Stop tshark printing out on screen

0

Hello everybody, I'm using tshark to read a pcap file of the Diameter protocol. Normally I use "tshark -r", but doing this it does not decode the AVP value (" val=%s") (function "dissect_diameter_avp" in "packet-diameter.c"). When I use the option "-T ek", tshark is able to decode the AVP value, but in this way it prints a lot of information on screen and slows down performance. Please help me to clarify two problems:

  • Can I get the AVP value (by coding) without using the option "-T ek"?
  • If not, is there any way to stop printing out on screen with the option "-T ek"?

Thank you very very much.

asked 20 Sep '17, 03:42


hoangsonk49
accept rate: 28%

edited 20 Sep '17, 03:43


One Answer:

2

I'm not familiar with using -T ek, but if you know the AVP value you're looking for, you can get it with -T fields. For example, suppose you want the Session-Id:

tshark -r diameter.pcap -Y "diameter.Session-Id" -T fields -e "diameter.Session-Id"

If you want the value of all AVPs, that's a little harder. I suppose you could run through the file multiple times, once for each AVP? I don't know what you're trying to do, but here's a script that does that, which may or may not help you:

#!/bin/sh
# Check usage (POSIX test instead of the bash-only (( )) arithmetic)
if [ "$#" -lt 1 ]
then
        echo "Usage: $0 <file>"
        exit 1
fi

# Collect the "AVP Code: <code> <name>" lines from the verbose Diameter dissection
tshark -r "$1" -Y "diameter.avp.code" -O diameter | grep "AVP Code:" | sed 's/^.*AVP Code: //g' > avp_codes.txt

# Keep one entry per AVP and extract its name (second field)
sort avp_codes.txt | uniq | cut -d ' ' -f 2 | sort > avp_codes_sorted.txt

# Run through the file once more per AVP, extracting that field's decoded value
avps=$(cat avp_codes_sorted.txt)
for avp in ${avps}; do
        field=$(echo "$avp" | tr -d '\r\n')
        tshark -r "$1" -Y "diameter.$field" -T fields -e "diameter.$field"
done

answered 20 Sep '17, 15:20


cmaynard ♦♦
accept rate: 20%
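As an added example (not code from the post or the answer above), here is a filter for the second question in the post: instead of letting "-T ek" print every layer to the screen, pipe its output through a small parser that keeps only the Diameter layer. It assumes ek's line format (one JSON object per line, alternating an index header line with a document line whose "layers" object is keyed by protocol); the field names in the constructed sample are illustrative, so the filter keeps every key of the diameter layer rather than hard-coding names.

```python
"""Reduce tshark -T ek output to the Diameter AVPs of each packet.

Usage:  tshark -r diameter.pcap -T ek | python3 diameter_avps.py
Without piped input the constructed sample below is used instead.
"""
import json
import sys

# Constructed sample of ek output (two index lines, two document lines);
# field names and values are illustrative, not captured data.
SAMPLE_EK = """\
{"index":{"_index":"packets-2017-09-20","_type":"doc"}}
{"timestamp":"1505901000123","layers":{"frame":{"frame_frame_len":"312"},"ip":{"ip_ip_src":"10.0.0.1"},"diameter":{"diameter_diameter_Session_Id":"host.example;12345;1","diameter_diameter_Origin_Host":"host.example","diameter_diameter_cmd_code":"272"}}}
{"index":{"_index":"packets-2017-09-20","_type":"doc"}}
{"timestamp":"1505901000456","layers":{"frame":{"frame_frame_len":"80"},"ip":{"ip_ip_src":"10.0.0.2"}}}
"""


def diameter_avps(ek_lines):
    """Yield (timestamp, {field: value}) for each Diameter layer found.
    Index header lines and packets without a diameter layer are skipped."""
    for line in ek_lines:
        line = line.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a damaged line instead of aborting the run
        if "layers" not in doc:
            continue  # {"index": ...} bulk-index header line
        layer = doc["layers"].get("diameter")
        if layer is None:
            continue
        # A packet carrying several Diameter messages yields a list of layers
        for msg in (layer if isinstance(layer, list) else [layer]):
            yield doc.get("timestamp"), dict(msg)


def collect(ek_lines):
    """Materialise the generator; handy for scripting and for tests."""
    return list(diameter_avps(ek_lines))


if __name__ == "__main__":
    src = SAMPLE_EK.splitlines() if sys.stdin.isatty() else sys.stdin
    for ts, avps in diameter_avps(src):
        for name, value in avps.items():
            print(f"{ts}\t{name}\t{value}")
```

tshark also accepts "-e <field>" together with "-T ek", which restricts the emitted fields before anything reaches the parser.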

Thank you, cmaynard. My problem is solved. Thanks for your very useful support :)

(20 Sep '17, 18:26) hoangsonk49