I am trying to add all Input / Output Octet AVPs to calculate total data used against each Rating-Group. The problem is, not always both Input / Output Octet AVPs will be present in each Service-Data-Container AVP. While using the tshark command with the -Tfields or -Tjson option, the output loses the original hierarchy, making it impossible to figure out which Octet AVP is associated with which Rating-Group.

Here is the simple snapshot of the Rf ACR packet:

```
Diameter>
 Service-Information>
  PS-Information>
   Service-Data-Container>
    Accounting-Input-Octets=1000
    Accounting-Output-Octets=2000
    Rating-Group=1111
    ...
    ...
   Service-Data-Container>
    Accounting-Output-Octets=7000
    Rating-Group=1111
    ...
    ...
   Service-Data-Container>
    Accounting-Input-Octets=4000
    Rating-Group=2222
    ...
    ...
   Service-Data-Container>
    Accounting-Input-Octets=6000
    Accounting-Output-Octets=5000
    Rating-Group=2222
    ...
    ...
```

In the above example, if I add, for Rating-Group=1111, total Accounting-Input-Octets are 1000 and Accounting-Output-Octets are 9000. Similarly, for Rating-Group=2222, total Accounting-Input-Octets are 10000 and Accounting-Output-Octets are 5000.

I run tshark with the following options:

```
tshark -r <file.pcap> -Y <diameter_filter> -Tjson -e diameter.Rating-Group -e diameter.Accounting-Input-Octets -e diameter.Accounting-Output-Octets
```

```json
[
  {
    "_index": "packets-2019-08-12",
    "_type": "pcap_file",
    "_score": null,
    "_source": {
      "layers": {
        "diameter.Rating-Group": [
          "1111",
          "1111",
          "2222",
          "2222"
        ],
        "diameter.Accounting-Input-Octets": [
          "1000",
          "4000",
          "6000"
        ],
        "diameter.Accounting-Output-Octets": [
          "2000",
          "7000",
          "5000"
        ]
      }
    }
  }
]
```

As you see, it's impossible to aggregate the Octets against Rating-Groups.

I am looking for an option where I could get a better hierarchy of the packets, something like below:

```json
[
 {
   "Service-Data-Container":
      {
        "Accounting-Input-Octets": 1000,
        "Accounting-Output-Octets": 2000,
        "Rating-Group": 1111
      }
 },
 {
   "Service-Data-Container":
      {
        "Accounting-Output-Octets": 7000,
        "Rating-Group": 1111
      }
 },
 {
   "Service-Data-Container":
      {
        "Accounting-Input-Octets": 4000,
        "Rating-Group": 2222
      }
 },
 {
   "Service-Data-Container":
      {
        "Accounting-Input-Octets": 6000,
        "Accounting-Output-Octets": 5000,
        "Rating-Group": 2222
      }
 }
]
```
Patz

2 Answers

I cannot comment, but it will be easier to help you if you add a link to your packet capture to your question.

Without access to the packet capture, I would assume that tshark -r <file.pcap> -Y <diameter_filter> -Tjson would contain all of the information you need (which you can then parse with Python).

You may also want to look into PDML/PSML output if JSON doesn't serve your needs, as they contain slightly different output.

Ross Jacobs

I believe that you could remove ambiguity in -T json output thanks to this tshark parameter:

--no-duplicate-keys
If a key appears multiple times in an object, only write it a single time with as value a json array containing all the separate values. (Only works with -T json)

So eventually the command should look like:

```
% tshark -r <pcap file> -Y diameter -Tjson --no-duplicate-keys
```

```json
                  "diameter.PS-Information_tree": {
                    "diameter.avp": [
                      "00:00:00:02:c0:00:00:10:00:00:28:af:12:11:0e:d1",
                      "00:00:08:02:c0:00:00:10:00:00:28:af:12:11:0e:d1",
                      "00:00:00:03:c0:00:00:10:00:00:28:af:00:00:00:00",
                      "00:00:04:cb:c0:00:00:12:00:00:28:af:00:01:0a:80:04:04:00:00",
                      "00:00:03:f8:c0:00:00:58:00:00:28:af:00:00:04:04:c0:00:00:10:00:00:28:af:00:00:00:09:00:00:04:0a:80:00:00:1c:00:00:28:af:00:00:04:16:80:00:00:10:00:00:28:af:00:00:00:0c:00:00:04:11:80:00:00:10:00:00:28:af:11:e1:a3:00:00:00:04:10:80:00:00:10:00:00:28:af:23:c3:46:00",
                      "00:00:08:03:c0:00:00:10:00:00:28:af:00:00:00:01",
                      "00:00:04:cc:c0:00:00:12:00:00:28:af:00:01:d9:74:60:ca:00:00",
                      "00:00:03:4f:c0:00:00:12:00:00:28:af:00:01:d9:d6:87:62:00:00",
                      "00:00:07:ff:c0:00:00:10:00:00:28:af:00:00:00:02",
                      "00:00:00:08:c0:00:00:11:00:00:28:af:32:34:30:30:31:00:00:00",
                      "00:00:00:0a:c0:00:00:0d:00:00:28:af:35:00:00:00",
                      "00:00:00:0b:c0:00:00:0d:00:00:28:af:ff:00:00:00",
                      "00:00:00:0c:c0:00:00:0d:00:00:28:af:30:00:00:00",
                      "00:00:00:0d:c0:00:00:10:00:00:28:af:30:63:38:30",
                      "00:00:00:12:c0:00:00:11:00:00:28:af:32:36:30:30:33:00:00:00",
                      "00:00:00:17:c0:00:00:0e:00:00:28:af:40:00:00:00",
                      "00:00:00:16:c0:00:00:19:00:00:28:af:82:62:f0:30:e3:21:62:f0:30:04:47:90:0b:00:00:00",
                      "00:00:00:15:c0:00:00:0d:00:00:28:af:06:00:00:00",
                      "00:00:00:1e:40:00:00:17:74:65:73:74:32:34:2e:74:65:6c:69:61:2e:73:65:00",
                      "00:00:07:fa:c0:00:00:10:00:00:28:af:e3:4b:e2:31"
                    ],
                    "diameter.avp_tree": [
                      {
                        "diameter.avp.code": "2",
                        "diameter.avp.flags": "0x000000c0",
                        "diameter.avp.flags_tree": {
                          "diameter.flags.vendorspecific": "1",
                          "diameter.flags.mandatory": "1",
                          "diameter.avp.flags.protected": "0",
                          "diameter.avp.flags.reserved3": "0",
                          "diameter.avp.flags.reserved4": "0",
                          "diameter.avp.flags.reserved5": "0",
                          "diameter.avp.flags.reserved6": "0",
                          "diameter.avp.flags.reserved7": "0"
                        },
                        "diameter.avp.len": "16",
                        "diameter.avp.vendorId": "10415",
                        "diameter.3GPP-Charging-Id": "12:11:0e:d1"
                      },
                      {
                        "diameter.avp.code": "2050",
                        "diameter.avp.flags": "0x000000c0",
                        "diameter.avp.flags_tree": {
                          "diameter.flags.vendorspecific": "1",
                          "diameter.flags.mandatory": "1",
                          "diameter.avp.flags.protected": "0",
                          "diameter.avp.flags.reserved3": "0",
                          "diameter.avp.flags.reserved4": "0",
                          "diameter.avp.flags.reserved5": "0",
                          "diameter.avp.flags.reserved6": "0",
                          "diameter.avp.flags.reserved7": "0"
                        },
                        "diameter.avp.len": "16",
                        "diameter.avp.vendorId": "10415",
                        "diameter.PDN-Connection-Charging-ID": "303107793"
                      },
                      {
                        "diameter.avp.code": "3",
                        "diameter.avp.flags": "0x000000c0",
                        "diameter.avp.flags_tree": {
                          "diameter.flags.vendorspecific": "1",
                          "diameter.flags.mandatory": "1",
                          "diameter.avp.flags.protected": "0",
                          "diameter.avp.flags.reserved3": "0",
                          "diameter.avp.flags.reserved4": "0",
                          "diameter.avp.flags.reserved5": "0",
                          "diameter.avp.flags.reserved6": "0",
                          "diameter.avp.flags.reserved7": "0"
                        },
                        "diameter.avp.len": "16",
                        "diameter.avp.vendorId": "10415",
                        "diameter.3GPP-PDP-Type": "0"
                      },
```
Jarek
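
Added example, not part of either answer: a Python sketch that walks the nested `-T json --no-duplicate-keys` output and sums octets per Rating-Group, container by container. The key `diameter.Service-Data-Container_tree` is an assumption modelled on `diameter.PS-Information_tree` in the output above, and the sample data is constructed from the numbers in the question.

```python
import json
from collections import defaultdict

# Field names are the ones passed to -e in the question. The container key is
# an assumption, named by analogy with "diameter.PS-Information_tree".
CONTAINER = "diameter.Service-Data-Container_tree"
RATING_GROUP = "diameter.Rating-Group"
INPUT_OCTETS = "diameter.Accounting-Input-Octets"
OUTPUT_OCTETS = "diameter.Accounting-Output-Octets"

def find_all(node, key):
    """Yield every value stored under `key` anywhere below `node`."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                # --no-duplicate-keys turns repeated keys into one JSON array
                yield from (v if isinstance(v, list) else [v])
            else:
                yield from find_all(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_all(item, key)

def totals_per_rating_group(packets):
    """Sum input/output octets per Rating-Group, one container at a time."""
    totals = defaultdict(lambda: {"input": 0, "output": 0})
    for container in find_all(packets, CONTAINER):
        groups = list(find_all(container, RATING_GROUP))
        if len(groups) != 1:
            continue  # no unambiguous Rating-Group to charge the octets to
        # A missing octet AVP simply contributes nothing to the sum.
        totals[groups[0]]["input"] += sum(int(v) for v in find_all(container, INPUT_OCTETS))
        totals[groups[0]]["output"] += sum(int(v) for v in find_all(container, OUTPUT_OCTETS))
    return dict(totals)

def sdc(rg, inp=None, out=None):
    """Build one constructed container AVP in the assumed nesting."""
    avps = [{RATING_GROUP: rg}]
    if inp is not None:
        avps.append({INPUT_OCTETS: inp})
    if out is not None:
        avps.append({OUTPUT_OCTETS: out})
    return {CONTAINER: {"diameter.avp_tree": avps}}

# Constructed sample mirroring the four containers in the question.
SAMPLE = json.dumps([{"_source": {"layers": {"diameter": {
    "diameter.PS-Information_tree": {"diameter.avp_tree": [
        sdc("1111", "1000", "2000"), sdc("1111", out="7000"),
        sdc("2222", inp="4000"), sdc("2222", "6000", "5000")]}}}}}])

if __name__ == "__main__":
    print(totals_per_rating_group(json.loads(SAMPLE)))
```

For a real capture, replace `json.loads(SAMPLE)` with `json.load(sys.stdin)` and pipe the tshark output into the script; check the container key against your own output first.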