I am trying to decode raw frames of a Diameter call using tshark. All the fields (Command code, Application Id, AVPs) are labelled as 'Unknown'. This labelling is followed by the sentence 'if you know what this is you can add it to dictionary.xml'. Am I missing some options? How do I resolve this issue?
- What version of `tshark` (Wireshark) are you using? If you're not using the latest version, try upgrading to see if a newer version includes the dissection you're looking for. If you are using the latest version, then you might want to open a Wireshark [Issue](https://gitlab.com/wireshark/wireshark/-/issues) and include a sample capture file. – Christopher Maynard Nov 04 '21 at 14:00
- I was facing an issue with a locally built version of Wireshark. It got resolved by tracking down the path where tshark was trying to locate the dissector files. – Shriya Nagrath Nov 23 '21 at 10:28
1 Answer
For sure, the protocol you're trying to decode (3GPP Cx) is part of Wireshark's off-the-shelf dictionary:
```
jhartman@mbp wireshark-master % grep 16777216 -A 10 diameter/TGPP.xml
<application id="16777216" name="3GPP Cx" uri="http://www.3gpp.org/DynaReport/29229.htm">
<!-- IMS Cx Dx Application -->
<command name="User-Authorization" code="300" vendor-id="TGPP"/>
<command name="Server-Assignment" code="301" vendor-id="TGPP"/>
<command name="Location-Info" code="302" vendor-id="TGPP"/>
<command name="Multimedia-Auth" code="303" vendor-id="TGPP"/>
<command name="Registration-Termination" code="304" vendor-id="TGPP"/>
<command name="Push-Profile" code="305" vendor-id="TGPP"/>
```
My suggestions:
- Download the latest version of Wireshark.
- Ensure Wireshark interprets the log as Diameter: select a frame and choose "Decode As" from the contextual menu, then select "Diameter".
Finally: the screenshot does not have other details, perhaps you could share a few frames from your log to analyse.

Jarek
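The asker's fix (finding where tshark looks for its dictionary files) and the `grep` in the answer can be combined into one check. This is an added example, not part of the original posts or of Wireshark; the function names are hypothetical, and it assumes the data directory is the one `tshark -G folders` lists as "Global configuration".

```shell
#!/bin/sh
# Added example: check whether the Diameter dictionary under a Wireshark
# data directory defines a given application id (hypothetical helper names).

# Print the "Global configuration" directory from `tshark -G folders`
# output read on stdin. The line label is an assumption based on typical
# output; adjust it if your build prints a different label.
global_dir_from_folders() {
    sed -n 's/^Global configuration:[[:space:]]*//p' | head -n 1
}

# check_diameter_app DATADIR APPID
# Returns 0 if the id is defined, 1 if dictionary.xml is missing or
# unreadable, 2 if no dictionary file defines the id.
check_diameter_app() {
    datadir=$1
    appid=$2
    dict="$datadir/diameter/dictionary.xml"
    if [ ! -r "$dict" ]; then
        echo "missing or unreadable: $dict" >&2
        return 1
    fi
    # dictionary.xml pulls in per-vendor files such as TGPP.xml,
    # so search every XML file in the directory, not just the top one.
    if grep -l "<application id=\"$appid\"" "$datadir"/diameter/*.xml; then
        return 0
    fi
    echo "application id $appid not found under $datadir/diameter" >&2
    return 2
}

# Typical use (requires tshark on PATH):
#   check_diameter_app "$(tshark -G folders | global_dir_from_folders)" 16777216
```

A return code of 1 points at a wrong or incomplete data directory, as with a locally built tshark; a return code of 2 means the dictionary was found but does not define that application.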