This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissect all AVP in Diameter protocol by tshark with 100% CPU


Hi everyone, I'm using tshark to dissect a Diameter pcap with this command:

tshark -d sctp.port==8732,diameter -i 4 -P -w ./port_2.pcap -b filesize:128000

but by doing this, some AVPs aren't dissected. I didn't face this problem with Camel. After that, I changed the command:

tshark -d sctp.port==8732,diameter -i 4 -P -w ./port_2.pcap -b filesize:128000 -T fields -e "diameter.Session-Id"

My objective is to force the dissector to go through all AVPs. But in this way, it always spends 100% CPU and slows down the progress (like using a filter). So I modified the source code of tshark.c by adding "print_details = TRUE" and removed the option "-T fields -e "diameter.Session-Id"" from the command. It works but CPU is still high (90%). Running with Camel, it spends only ~40% CPU.

Can you help me find a way to force the dissector to go through all AVPs (with tshark or by changing the code) without using options like a filter, so that it can make my program faster?

Thank you for your help.

P/S: I also tried the -V option; it works but CPU is still 100% :-s

asked 27 Oct '17, 22:15


hoangsonk49

edited 28 Oct '17, 04:37

some AVPs aren't dissected

"Aren't dissected" in what sense? That command isn't doing a verbose dissection, so I wouldn't expect any AVPs to show up in the TShark output. If you want the output of TShark to show the AVPs, you'd need to use the -V flag, to show the detailed dissection.

What exactly are you trying to do here?

(28 Oct '17, 15:25) Guy Harris ♦♦

P/S: I also tried the -V option; it works but CPU is still 100% :-s

Yes, packet dissection is a CPU-intensive process.

(28 Oct '17, 15:26) Guy Harris ♦♦

What do you mean by "go through all the AVPs"? *shark will dissect the AVPs that it needs to, based on what you ask it to do.

For example, if you ask it to print all the AVPs (e.g., with -V) then it will (necessarily) dissect all the AVPs.

If, however, you ask it to only print the packet summaries (-P) it probably won't need to dissect many AVPs at all (if any) since it's not building a decode tree.

(28 Oct '17, 15:29) JeffMorriss ♦