
I'm trying to generate a JSON file from a .pcap with only a few fields. The first thing I'm doing is exporting the whole .pcap as a JSON file to see the fields I want to extract (File - Export Packet Dissections - As JSON). Then I execute tshark with the following syntax:

```
tshark -r example.pcap -T json > example.json -e ip.dst -e ip.src -e gsm_map.ms.sai_Present
```

And the result of the last command is:

```
tshark: Some fields aren't valid: gsm_map.ms.sai_Present
```

Any idea?

Luka

1 Answer


According to Wireshark's online Display Filter Reference page, the gsm_map.ms.sai_Present field was only present in Wireshark versions 1.0.0 to 1.10.14. Perhaps you're looking for gsm_map.ms.sai_Present_element now?

Christopher Maynard
  • Not at all; when I export the pcap in JSON format that field exists. I can even see it in the Wireshark program. However, I think that field is not supported by the tshark version I'm using – Luka Dec 12 '20 at 16:36
  • *"I can even see it in the Wireshark program"*. Where do you see that? The name of the display filter is **definitely** `gsm_map.ms.sai_Present_element`, as can be seen around line 28728 of the packet-gsm_map.c file here: https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-gsm_map.c. Maybe you are confusing the display filter with the *"sai-Present"* text that's displayed? – Christopher Maynard Dec 12 '20 at 20:39
  • It's much easier to browse the source code online in the old repo, although keep in mind it's not the latest code anymore. But compare https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-gsm_map.c;h=a08b0ec8e6216e72b831cd266f3aa9ab6f3effe7;hb=HEAD#l28277 with the master-1.0 source code at https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-gsm_map.c;h=eb60b058fff5ea3b7a34fed24f376630e002ef74;hb=refs/heads/master-1.0#l20092 and you'll clearly see the difference in the display filter name. – Christopher Maynard Dec 12 '20 at 20:42
  • Thanks a lot @Christopher Maynard. Another question: where can I find the code that Wireshark uses, to see all the variables and the values they assign? Could I see it in a .py? Thanks in advance – Luka Dec 15 '20 at 09:23
  • I provided a link to the Wireshark source code. It is largely written in C and C++, not Python. If you're interested in building Wireshark itself, then I'd suggest reading the Wireshark Developer's Guide at: https://www.wireshark.org/docs/wsdg_html_chunked/, or if you're just interested in downloading the source code, then refer to section 3.4 of the Developer Guide: https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcObtain.html. – Christopher Maynard Dec 15 '20 at 15:25
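The practical lesson of the answer above is that a field name only works with `-e` if the tshark binary doing the export has registered it under exactly that abbreviation, and the abbreviation can change between releases. tshark exposes its registered field table with `tshark -G fields` (tab-separated, `P` rows for protocols and `F` rows for fields, with the `-e` abbreviation in the third column). The script below is an added example, not code from the question or from the Wireshark project: it parses that table, reports which requested names are unknown, suggests the closest registered names, and builds the export command from the names that survive. The embedded field table is a constructed stand-in for real `-G fields` output (the blurb column is invented), used only when tshark is not on PATH; the function names and the `SAMPLE_FIELD_TABLE` constant are this example's own.

```python
"""Check tshark -e field names against the installed dissectors before exporting.

Added example, not from the original question or from Wireshark itself. It parses
the tab-separated output of `tshark -G fields` (a real tshark option), reports which
requested field names are unknown, suggests the closest registered names, and builds
the `tshark -T json -e ...` command from the valid ones, so "Some fields aren't valid"
is caught before the capture is processed.
"""
import difflib
import shlex
import subprocess

# Constructed sample of `tshark -G fields` output (assumption for offline use). The real
# command emits one line per registered protocol (P) or field (F); the blurb column
# here is invented. Column 3 of an F row is the name accepted by -e.
SAMPLE_FIELD_TABLE = "\n".join([
    "P\tInternet Protocol Version 4\tip",
    "F\tSource Address\tip.src\tFT_IPv4\tip\tBASE_NONE\t0x0\tSource address",
    "F\tDestination Address\tip.dst\tFT_IPv4\tip\tBASE_NONE\t0x0\tDestination address",
    "P\tGSM Mobile Application\tgsm_map",
    "F\tsai-Present\tgsm_map.ms.sai_Present_element\tFT_NONE\tgsm_map\tBASE_NONE\t0x0\tsai-Present",
    "F\tuserInfo\tgsm_map.ms.userInfo_element\tFT_NONE\tgsm_map\tBASE_NONE\t0x0\tuserInfo",
])


def parse_field_table(text):
    """Map each field abbreviation (the name used with -e) to its display name."""
    fields = {}
    for line in text.splitlines():
        cols = line.split("\t")
        # Only 'F' rows are filterable fields; 'P' rows are protocol headers.
        if len(cols) >= 3 and cols[0] == "F":
            fields[cols[2]] = cols[1]
    return fields


def suggest(name, known):
    """Registered names that extend the requested one, then fuzzy matches."""
    hits = [k for k in known if k.startswith(name)]
    for close in difflib.get_close_matches(name, known, n=3, cutoff=0.6):
        if close not in hits:
            hits.append(close)
    return hits


def check_fields(requested, fields):
    """Split requested -e names into valid ones and {bad name: suggestions}."""
    valid, invalid = [], {}
    for name in requested:
        if name in fields:
            valid.append(name)
        else:
            invalid[name] = suggest(name, list(fields))
    return valid, invalid


def build_tshark_cmd(pcap, fields):
    """tshark argv that emits JSON restricted to the given fields."""
    cmd = ["tshark", "-r", pcap, "-T", "json"]
    for name in fields:
        cmd += ["-e", name]
    return cmd


def load_field_table():
    """Field table from the installed tshark (requires tshark on PATH)."""
    return subprocess.run(["tshark", "-G", "fields"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    wanted = ["ip.dst", "ip.src", "gsm_map.ms.sai_Present"]
    try:
        table = parse_field_table(load_field_table())
    except (FileNotFoundError, subprocess.CalledProcessError):
        table = parse_field_table(SAMPLE_FIELD_TABLE)  # offline fallback
    ok, bad = check_fields(wanted, table)
    for name, alts in bad.items():
        print(f"not a field in this tshark: {name}; did you mean {', '.join(alts) or 'n/a'}?")
    print(shlex.join(build_tshark_cmd("example.pcap", ok)))
```

Run it against the same tshark binary that will do the export, since both the registered field names and the accepted combination of `-T json` with `-e` depend on the installed version; the one-liner equivalent of the check is `tshark -G fields | grep sai_Present`.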