Wireshark-users: [Wireshark-users] Multiple m3ua messages in one frame
From: Milan STANCIC <[email protected]>
Date: Thu, 21 Oct 2010 10:01:39 +0200

Can somebody help me?

I have a simple problem; maybe you can help me...

To be exact, I need to extract m3ua/sccp/tcap/gsm_map/gsm_sms payloads from
a frame for the purpose of collecting CDRs. The problem is that when one
frame contains more than one m3ua message, TShark gives us just one
line, the last one. Please see the symptoms:

[email protected]:/home/milan/Downloads# tshark -R 'frame.number == 1010' -e
frame.number -e m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -r
malta.pcap  -Tfields
Running as user "root" and group "root". This could be dangerous.
1010    6137    8455 ----//// it is just last m3ua message

So I tried the following:
using MATE (please see the config file):

wireshark -o "mate.config: m3ua_v04.mate" -r malta.pcap

There are two MATE sections, but not each of the wanted attributes. Please see
mate_example.png and m3ua_v04.mate.

Pdu m3ua_pdu Proto m3ua Transport ip/m3ua/sccp/tcap/gsm_map/gsm_sms {
        Extract ip.src From ip.src;
        Extract ip.dst From ip.dst;
        Extract m3ua.protocol_data_opc From m3ua.protocol_data_opc;
        Extract sccp.calling.digits From sccp.calling.digits;
        Extract tcap.tid From tcap.tid;
        Extract gsm_map.sm.msisdn From gsm_map.sm.msisdn;
        Extract gsm_sms.tp-oa From gsm_sms.tp-oa;
        Extract gsm_map.old.Component From gsm_map.old.Component;
};


