Extracting raw bytes from pcap file

If you have a pcap file, captured with tcpdump -w dump.pcap, and want to extract the transport-level protocol (TCP, UDP or other) payload bytes from each packet, the task might not be as trivial as it seems. I ended up with a solution that uses the tshark command line program, which is part of the Wireshark Network Analyzer package.

1. Disable the application-level protocol (in my case it was GTP), so that its dissector is never called and each packet is interpreted as a raw TCP or UDP packet:

$ echo gtp > ~/.wireshark/disabled_protos

2. For each packet, print the hexadecimal representation of its bytes and save it to a file. I also used a read filter that takes only GTP' Data Record Transfer Request packets, and prefixed each packet with its frame number:

$ tshark -r dump.pcap -R 'frame[48:1] == FC' -T fields -e frame.number -e data > packets

3. For each packet, convert the hexadecimal representation of its bytes to "real" bytes and write them to a file named pct/[frame number]. I only took some of them, since I wanted to extract every charging data record (each prefixed by its length) from each Data Record Transfer Request. The script needs gawk (for strtonum), the pct directory must exist, and it has to run with LC_ALL=C so that printf "%c" writes a single byte instead of the multi-byte UTF-8 encoding for values above 127; each output file is closed after its frame so long captures do not exhaust the open-file limit:

$ mkdir -p pct && LC_ALL=C gawk '{data=substr($2, 27); while (length(data) > 0) {len=strtonum("0x" substr(data, 1, 4)); cdr=substr(data, 5, len*2); for(i=1;i<=length(cdr);i+=2) {printf("%c", strtonum("0x" substr(cdr, i, 2))) > ("pct/" $1)}; data=substr(data, 4+len*2+1)}; close("pct/" $1)}' packets
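The same third step as an added Python example (not code from the original post): it parses the packets file that step 2 produces, skips the same 13-byte prefix the awk's substr($2, 27) skips, splits the 2-byte big-endian length-prefixed records and, unlike the one-liner, stops cleanly on a record whose declared length runs past the end of the packet instead of emitting a partial record. It also accepts the hex with or without the colon separators some tshark versions print for the data field. The sample input is constructed.

```python
import struct
from pathlib import Path

# Bytes skipped before the first length-prefixed record; taken from the
# page's awk (substr($2, 27) skips 26 hex digits = 13 bytes). Assumption.
RECORD_PREFIX_LEN = 13


def split_records(hexdata, prefix_len=RECORD_PREFIX_LEN):
    """Return the list of CDRs in one packet's hex payload.

    Each record is a 2-byte big-endian length followed by that many bytes.
    A record whose declared length exceeds the remaining data is treated
    as truncated: parsing stops and the partial record is not emitted.
    """
    raw = bytes.fromhex(hexdata.replace(":", ""))  # "aa:bb" and "aabb" both accepted
    records = []
    pos = prefix_len
    while pos + 2 <= len(raw):
        (length,) = struct.unpack_from(">H", raw, pos)
        start, end = pos + 2, pos + 2 + length
        if end > len(raw):
            break  # truncated record: do not write garbage
        records.append(raw[start:end])
        pos = end
    return records


def parse_packets(text):
    """Parse 'tshark -T fields -e frame.number -e data' output into {frame: [records]}."""
    result = {}
    for line in text.splitlines():
        fields = line.split("\t")  # -T fields separates columns with a tab
        if len(fields) < 2 or not fields[1]:
            continue  # frame without a data field
        result[int(fields[0])] = split_records(fields[1])
    return result


def write_records(packets, outdir):
    """Write each frame's records concatenated to outdir/<frame>, as the awk does."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    for frame, records in packets.items():
        (out / str(frame)).write_bytes(b"".join(records))


# Constructed sample: frame 7 carries two records (b"ABC", b"ZZ"); frame 9 declares
# a 5-byte record but only 2 bytes follow, so nothing is extracted from it.
SAMPLE = (
    "7\t" + "00" * 13 + "0003414243" + "00025a5a" + "\n"
    "9\t" + ":".join(["00"] * 13) + ":00:05:41:42\n"
)
```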
