I’m trying to parse the data from a group of Diameter
packets.
I enter the command:
tshark -r mypackets.cap -T fields -e frame.number -e
ip.src -e diameter.hopbyhopid -e diameter.avp | head
It returns the output:
Running as user "root" and group
"root". This could be dangerous.
1 172.16.1.116 0x308853a5 00:00:01:16:40:00:00:0c:4b:5c:56:59
2 172.16.15.38 0x308853a5 00:00:01:16:40:00:00:0c:4b:5c:56:54
3 172.16.1.116
4 172.16.1.116 0x308853a6 00:00:01:16:40:00:00:0c:4b:5c:56:59
5 172.16.15.38 0x308853a6 00:00:01:16:40:00:00:0c:4b:5c:56:54
6 172.16.1.116
7 172.16.1.116 0x308853a7 00:00:01:16:40:00:00:0c:4b:5c:56:59
8 172.16.15.38 0x308853a7 00:00:01:16:40:00:00:0c:4b:5c:56:54
9 172.16.1.116
For the frame.number and diameter.hopbyhopid fields, it gives
the correct output in desired format . For diameter.avp, it does
not.
The returned format is currently
-
in binary format.
-
if I have multiple AVPS on a single
packet, only the last AVP data is presented
for example for
packet number 1 there are 3 AVPs but we only receive data only for the last one
I also add dictionary files and when I use –V option it
then returns the AVP data correctly (shown below)
AVP: Origin-Host(264) l=26 f=-M-
val=sde38.sandvine.com
AVP: Result-Code(268) l=12 f=-M-
val=DIAMETER_SUCCESS (2001)
AVP: Origin-Realm(296) l=20 f=-M-
val=sandvine.com
AVP: Origin-State-Id(278) l=12 f=-M-
val=1264342612
Does anyone have any idea how I can receive all the AVP
fields, and for them to be presented as text (not binary)???
