Wireshark mailing list archives
Re: Filtering messages based on criteria.
From: Sake Blok <sake () euronet nl>
Date: Thu, 5 Aug 2010 07:40:11 +0200
> Please advise if it's possible in Wireshark to display messages based on criteria. E.g. I would like to get traces for all the messages for a particular IMSI. E.g. if the IMSI is 404201234567890, get the transaction id for all the traces where the IMSI matches and then show all the messages which match the transaction id. This way I will get all the messages for the transactions matching this IMSI. Appreciate your help in this regard.
There is no direct way in wireshark/tshark to achieve what you describe. However, with a little scripting, you can do this. It involves the following steps:

1) Use tshark with a filter for the IMSI and output the transaction id for each message containing the IMSI (use -T fields)
2) Build a display-filter with the output from 1) that will select all messages containing the transaction id's
3) Use the filter from 2) to run tshark again and write all the packets to a new file

My presentation from Sharkfest should be able to help you on the way with this:

http://www.cacetech.com/sharkfest.10/A-6_Blok%20HANDS-ON%20LAB%20-%20Using%20Wireshark%20Command%20Line%20Tools%20and%20Scripting.zip

Hope this helps,
Cheers,
Sake
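Added example, not part of the message above or of the Sharkfest material: the three steps as one shell script. The thread does not name the protocol, so the field names `e212.imsi` and `tcap.tid` are assumptions used as defaults, and the function names are made up for this sketch; pass the fields that match your trace.

```bash
#!/bin/sh
# Added example: follow one IMSI through a capture via its transaction ids.
# Usage: follow_imsi.sh in.pcap out.pcap IMSI [imsi_field] [tid_field]

# Step 2: read transaction ids on stdin (one per line; tshark joins several
# values from one packet with commas) and print "f == id || f == id ...".
# Anything that is not plain hex/colon text is dropped, so capture contents
# cannot smuggle extra operators into the filter. Values are reused exactly
# as tshark printed them (assumption: your version accepts that form back).
build_filter() {
    tr ',' '\n' |
        grep -E '^[0-9A-Fa-f:]+$' |
        sort -u |
        awk -v f="$1" '{ printf "%s%s == %s", (NR > 1 ? " || " : ""), f, $0 }
                       END { if (NR) print "" }'
}

follow_imsi() {
    fi_in=$1; fi_out=$2; fi_imsi=$3
    fi_imsi_field=${4:-e212.imsi}   # assumed default, not from the thread
    fi_tid_field=${5:-tcap.tid}     # assumed default, not from the thread

    # An IMSI is at most 15 decimal digits; reject anything else before it
    # is placed inside a display filter.
    case $fi_imsi in
        ''|*[!0-9]*) echo "bad IMSI: $fi_imsi" >&2; return 2 ;;
    esac
    [ "${#fi_imsi}" -le 15 ] || { echo "IMSI too long" >&2; return 2; }

    # Step 1: print the transaction id of every packet carrying the IMSI.
    # (-Y is the display-filter option; tshark releases from the time of
    # this thread used -R instead.)
    fi_filter=$(tshark -r "$fi_in" -Y "$fi_imsi_field == \"$fi_imsi\"" \
                    -T fields -e "$fi_tid_field" | build_filter "$fi_tid_field")
    [ -n "$fi_filter" ] || { echo "no transactions for $fi_imsi" >&2; return 1; }

    # Step 3: second pass, write every packet of those transactions.
    tshark -r "$fi_in" -Y "$fi_filter" -w "$fi_out"
}

if [ "$#" -ge 3 ]; then follow_imsi "$@"; fi
```

For captures with very many transactions the `||` chain can become long; splitting the id list into batches and merging the outputs with mergecap keeps each filter manageable.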