Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 5969] New: Frame with ISUP protocol show OPC and DPC as ip

Date: Sat, 28 May 2011 06:01:26 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5969

           Summary: Frame with ISUP protocol show OPC and DPC as ip.src
                    and ip.dst when column.format is used
           Product: Wireshark
           Version: 1.4.4
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: ml@xxxxxxxxxx


Build Information:
TShark 1.4.4

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.28.0, with libpcap 1.1.1, with libz 1.2.5, with
POSIX capabilities (Linux), without libpcre, with SMI 0.4.8, with c-ares 1.7.4,
with Lua 5.1, without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.6, with MIT
Kerberos, with GeoIP.

Running on Linux 2.6.37.6-0.5-default, with libpcap version 1.1.1, with libz
1.2.5.

Built using gcc 4.5.1 20101208 [gcc-4_5-branch revision 167585].

--
When running this command the ip.src and ip.dst are shown as expected:
> tshark -r isup.pcap -T fields -E separator=';' -e frame.number -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.len 
1;May 18, 2011 11:40:59.025670000;10.45.85.5;;10.45.245.201;;
2;May 18, 2011 11:40:59.025670000;10.45.85.5;;10.45.245.201;;

When using a similar command the output is:
> tshark -t a  -r isup.pcap  -o 'column.format: "frame", %m, "time", %t, "ip.src", %s, "ip.dst", %d'
  1 11:40:59.025670        12718 -> 12112       
  2 11:40:59.025670        12718 -> 12112  

Here the source and destination are not as expected.  This output makes it hard
to use, as IP addresses are mixed with OPC / DPC.  See output below, for such a
result:

> tshark -t a  -r mtp3.pcap  -o 'column.format: "frame", %m, "time", %t, "ip.src", %s, "ip.dst", %d' 
.......
 17 11:40:58.907485  10.45.112.4 -> 10.45.85.5  
 18 11:40:58.908207  10.45.112.4 -> 10.45.48.12 
 19 11:40:58.910455  10.45.112.4 -> 10.45.85.5  
 20 11:40:58.913657   10.45.85.5 -> 10.45.112.4 
 21 11:40:58.916094   10.45.85.5 -> 10.45.112.4 
 22 11:40:58.936061        12818 -> 12811       
 23 11:40:58.990713        12680 -> 12818       
 24 11:40:59.025670        12718 -> 12112       
 25 11:40:59.025670        12718 -> 12112       
 26 11:40:59.774402        12112 -> 12718       
 27 11:40:59.777204   10.45.85.5 -> 10.45.85.37 
 28 11:40:59.820842  10.45.85.37 -> 10.45.85.5  
 29 11:40:59.832941   10.45.85.5 -> 10.45.112.4 
 30 11:40:59.835355   10.45.85.5 -> 10.45.112.4 
.......
Many more packages with ip addresses and OPC's and DPC's mangled.

Is it possible to adapt the column.format output so the IP addresses are shown
for ISUP messages. The OPC and DPC could be shown in the info (%i)
column.format message.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.