
(This issue is similar to Alex Wang's question, but the answer there was protocol-specific)

I like that Wireshark has support for Simulcrypt but there are limitations: display filters are applied at the packet level, so often give ambiguous results from packets with multiple Simulcrypt messages per packet.

I elected to use Pyshark to extract the details of each ECMG<>SCS message from a pcap to an Excel sheet where I can apply column filtering, conditional formatting, etc, to follow specific "conversations."

The CW_provision message contains a pair of CP_CW_combination parameters. I am able to extract only one of these and need to extract the second.

Here are the details:

I created a pcap with a single CW_provision message (probably not relevant, but the display filter hits on the second CP_CW_combination that I can't get to with Pyshark). Here's how it looks in Wireshark:

screenshot (link only 'cause I'm a noob)

Here is Pyshark in action getting the first CP_CW_provision. How to get the second?

>>> import pyshark
>>> cap=pyshark.FileCapture('CW_provision.pcap')
>>> pkt=cap[0]
>>> pkt.layers
[<ETH Layer>, <IP Layer>, <TCP Layer>, <SIMULCRYPT Layer>]
>>> sc=pkt[3]
>>> sc.pretty_print()
Layer SIMULCRYPT:
        Header, Length: 5 bytes
        Version: 0x02
        Message Type: CW_PROVISION (0x0201)
        Interface: ECMG <-> SCS
        Message Length: 76 bytes
        Message containing TLV parameters, Length: 76 (bytes)
        Parameter: Type=ECM_CHANNEL_ID, Value Length=2 (bytes), Value=0x1f91
        Parameter Type: ECM_CHANNEL_ID (0x000e)
        Parameter Length: 2 bytes
        ECM channel ID: 8081
        ECM stream ID: 27
        CP number: 36374
        CP CW combination: 8e1675[snip]
        CP duration: 100 (10000 ms)
        Access criteria: 1136f100
        Parameter: Type=ECM_STREAM_ID, Value Length=2 (bytes), Value=0x001b
        Parameter: Type=CP_NUMBER, Value Length=2 (bytes), Value=0x8e16
        Parameter: Type=CP_CW_COMBINATION, Value Length=18 (bytes), Value=0x8e1675[snip]
        Parameter: Type=CP_CW_COMBINATION, Value Length=18 (bytes), Value=0x8e1709[snip]
        Parameter: Type=CP_DURATION, Value Length=2 (bytes), Value=0x0064
        Parameter: Type=ACCESS_CRITERIA, Value Length=4 (bytes), Value=0x1136f100
        Parameter Type: ECM_STREAM_ID (0x000f)
        Parameter Type: CP_NUMBER (0x0012)
        Parameter Type: CP_CW_COMBINATION (0x0014)
        Parameter Type: CP_CW_COMBINATION (0x0014)
        Parameter Type: CP_DURATION (0x0013)
        Parameter Type: ACCESS_CRITERIA (0x000d)
        Parameter Length: 2 bytes
        Parameter Length: 2 bytes
        Parameter Length: 18 bytes
        Parameter Length: 18 bytes
        Parameter Length: 2 bytes
        Parameter Length: 4 bytes
        CP CW combination: 8e1709[snip]
>>> cpcw0=sc.cp_cw_combination
>>> cpcw0
'8e:16:75:[snip]'
>>> cpcw1=sc.?????
desertnaut

2 Answers

You can access them from within the same field. That means that from the field "cp_cw_combination" you need to get its alternate fields. Below you can find an example to list all of the values:

# _all_fields maps each field name of the SIMULCRYPT layer to a container;
# a container's all_fields holds every occurrence of that field, so a
# repeated parameter such as cp_cw_combination has more than one entry.
for x in cap[0][3]._all_fields.values():
    if 'cp_cw_combination' in x.name:
        print(x.all_fields)
        break
SaM
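The ambiguity in the question comes from the message layout itself: a CW_provision body is a flat run of TLV parameters, and CP_CW_COMBINATION simply appears twice, so any view that keys fields by name alone loses one of them. The following is an added example, not code from the question or either answer: a small pure-Python parser for the Simulcrypt message as the pretty_print output above describes it (5-byte header of version, type and length, then 2-byte type, 2-byte length, value for each parameter), returning parameters in wire order so that nothing is collapsed. It also carries a thin helper for the pyshark side that returns every occurrence of a field; that helper relies on pyshark's `Layer.get_field()`, `LayerFieldsContainer.all_fields` and `LayerField.get_default_value()` as I understand that API, which is an assumption here. The message bytes are constructed from the values visible in the capture; the snipped tails of the two CP_CW_combination values are filled with placeholder bytes.

```python
# Added example: parse a Simulcrypt ECMG<->SCS message as plain TLVs so that
# repeated parameters (the two CP_CW_COMBINATION values) are both kept.
import struct

# Parameter type codes as shown by Wireshark's Simulcrypt dissector above.
PARAM_NAMES = {
    0x000D: "ACCESS_CRITERIA",
    0x000E: "ECM_CHANNEL_ID",
    0x000F: "ECM_STREAM_ID",
    0x0012: "CP_NUMBER",
    0x0013: "CP_DURATION",
    0x0014: "CP_CW_COMBINATION",
}
MSG_CW_PROVISION = 0x0201


def parse_simulcrypt(data):
    """Parse one message: 5-byte header (version, message type, message
    length, big-endian) followed by TLV parameters (2-byte type, 2-byte
    length, value). Returns (version, message_type, params) where params is
    a list of (name, value_bytes) in wire order; duplicates are preserved.
    Raises ValueError on a truncated header, body or parameter."""
    if len(data) < 5:
        raise ValueError("truncated header")
    version, msg_type, msg_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + msg_len]
    if len(body) != msg_len:
        raise ValueError("message length %d exceeds %d available bytes"
                         % (msg_len, len(data) - 5))
    params = []
    offset = 0
    while offset < len(body):
        if offset + 4 > len(body):
            raise ValueError("truncated TLV header at offset %d" % offset)
        ptype, plen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + plen]
        if len(value) != plen:
            raise ValueError("truncated TLV value at offset %d" % offset)
        params.append((PARAM_NAMES.get(ptype, "UNKNOWN_0x%04x" % ptype), value))
        offset += 4 + plen
    return version, msg_type, params


def param_values(params, name):
    """All values of one parameter name, in wire order, as hex strings."""
    return [v.hex() for n, v in params if n == name]


def pyshark_field_values(layer, field_name):
    """Every occurrence of a pyshark field on a layer. Assumption: pyshark's
    Layer.get_field() returns a LayerFieldsContainer (or None) whose
    .all_fields lists each LayerField of that name."""
    container = layer.get_field(field_name)
    if container is None:
        return []
    return [f.get_default_value() for f in container.all_fields]


def tlv(ptype, value):
    """Encode one parameter as type, length, value."""
    return struct.pack("!HH", ptype, len(value)) + value


# Constructed CW_provision message using the values from the capture above:
# ECM channel 8081 (0x1f91), stream 27, CP number 0x8e16, two 18-byte
# CP_CW_combinations, CP duration 100, access criteria 0x1136f100.
CW1 = bytes.fromhex("8e1675") + b"\x11" * 15   # placeholder tail (snipped on the page)
CW2 = bytes.fromhex("8e1709") + b"\x22" * 15   # placeholder tail (snipped on the page)
BODY = (
    tlv(0x000E, b"\x1f\x91") + tlv(0x000F, b"\x00\x1b") + tlv(0x0012, b"\x8e\x16")
    + tlv(0x0014, CW1) + tlv(0x0014, CW2)
    + tlv(0x0013, b"\x00\x64") + tlv(0x000D, bytes.fromhex("1136f100"))
)
# The body comes to 76 bytes, matching "Message Length: 76 bytes" in the capture.
SAMPLE = struct.pack("!BHH", 0x02, MSG_CW_PROVISION, len(BODY)) + BODY

if __name__ == "__main__":
    version, msg_type, params = parse_simulcrypt(SAMPLE)
    print("version 0x%02x type 0x%04x, %d parameters" % (version, msg_type, len(params)))
    for name, value in params:
        print("  %-18s len=%2d value=%s" % (name, len(value), value.hex()))
    print("CP_CW_COMBINATION values:", param_values(params, "CP_CW_COMBINATION"))
```

Running the script lists all seven parameters with both CP_CW_COMBINATION values in order; `param_values(params, "CP_CW_COMBINATION")` is the list the question is after. Pointing `parse_simulcrypt` at the raw TCP payload (for example `bytes.fromhex(pkt.tcp.payload.replace(':', ''))` from the same pyshark packet) is a useful cross-check that the field-container approach returned every occurrence, and because it walks the length fields it also stops cleanly on a truncated or malformed message instead of misreading the next one.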

Try having a look at: pkts[pkt_number].get_multiple_layers('name')

Had a similar issue:

print(dir(pkts[1]))

..., 'plp', 'plp-flexray', 'plp-flexray', 'pretty_print', 'show', 'sniff_time', 'sniff_timestamp', 'transport_layer']

Here I wanted both plp-flexray layers, and print(pkts[1].get_multiple_layers('plp-flexray')) returned:

[<PLP-FLEXRAY Layer>, <PLP-FLEXRAY Layer>]

Only started playing around with pyshark today, there might be a quicker way to do what I have done here, but this worked for me.

10SecTom