Wireshark-users: Re: [Wireshark-users] Filtering messages based on criteria.
From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 5 Aug 2010 07:40:11 +0200
>> Please advise if it's possible in Wireshark to display messages based
>> on criteria. E.g. I would like to get traces for all the messages for
>> a particular IMSI.
>> 
>> E.g. if the IMSI is 404201234567890:
>> Get the transaction id for all the traces where the IMSI matches and then show
>> all the messages that match the transaction id. This way I will get
>> all the messages for the transactions matching this IMSI.
>> Appreciate your help in this regard.

There is no direct way in wireshark/tshark to achieve what you describe. However, with a little scripting, you can do this. It involves the following steps:

1)  Use tshark with a filter for the IMSI and output the transaction id for each message containing the IMSI (use -T fields)
2)  Build a display filter from the output of 1) that will select all messages containing those transaction ids
3)  Use the filter from 2) to run tshark again and write all the matching packets to a new file

My presentation from Sharkfest should be able to help you on the way with this:

http://www.cacetech.com/sharkfest.10/A-6_Blok%20HANDS-ON%20LAB%20-%20Using%20Wireshark%20Command%20Line%20Tools%20and%20Scripting.zip

Hope this helps,
Cheers,


Sake
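The three steps above as a small POSIX shell script, added here as an example and not part of the original mail or of Wireshark itself. It assumes a tshark that accepts -Y for display filters, and the field names e212.imsi and tcap.tid are placeholders chosen for a GSM MAP trace; replace them with the IMSI and transaction-id fields of the protocol in your capture.

```shell
#!/bin/sh
# Added example: select all messages of the transactions that carry a given IMSI.
# ASSUMED field names (override via environment): e212.imsi, tcap.tid.
IMSI_FIELD="${IMSI_FIELD:-e212.imsi}"
TID_FIELD="${TID_FIELD:-tcap.tid}"

# Step 1: print the transaction id of every packet that carries the IMSI.
list_tids() {               # $1 = capture file, $2 = IMSI
    tshark -r "$1" -Y "$IMSI_FIELD == \"$2\"" -T fields -e "$TID_FIELD"
}

# Step 2: turn the step-1 output (one id per line; several comma-separated
# ids on a line when a packet carries more than one; duplicates and blank
# lines allowed) into one display filter of the form
#   tcap.tid == A || tcap.tid == B
build_tid_filter() {
    tr ',' '\n' | sed '/^$/d' | sort -u | awk -v f="$TID_FIELD" '
        { if (n++) printf " || "; printf "%s == %s", f, $0 }
        END { printf "\n" }'
}

# Step 3: write every packet matching the filter to a new capture file.
write_matches() {           # $1 = input file, $2 = display filter, $3 = output file
    tshark -r "$1" -Y "$2" -w "$3"
}

# Usage: imsi_trace.sh in.pcap 404201234567890 out.pcap
if [ $# -eq 3 ]; then
    filter=$(list_tids "$1" "$2" | build_tid_filter)
    [ -n "$filter" ] || { echo "no packets carry IMSI $2" >&2; exit 1; }
    write_matches "$1" "$filter" "$3"
fi
```

Note that a packet with no transaction id produces an empty line in step 1, which build_tid_filter drops rather than turning into a broken filter term.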