Wireshark-users: Re: [Wireshark-users] Mutliple m3ua messages in one frame
From: Jeff Morriss <[email protected]>
Date: Mon, 25 Oct 2010 16:35:10 -0400
Milan STANCIC wrote:
Hello

Can somebody to help me ?

I got some simple problem maybe you can help me...

Exactly, I should extract m3ua/sccp/tcap/gsm_map/gsm_sms payloads from
frame for purpose of collection of CDR's.. Problem is in case when you
got in one frame more than one m3ua message, Tshark give us just one
line, last one. please symptoms.

---------------------
[email protected]:/home/milan/Downloads# tshark -R 'frame.number == 1010' -e
frame.number -e m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -r
malta.pcap  -Tfields
Running as user "root" and group "root". This could be dangerous.
1010    6137    8455 ----//// it is just last m3ua message
-----------------------------------------

So, I have tried next:
to use MATE: please see config file...

wireshark -o "mate.config: m3ua_v04.mate" -r malta.pcap

There is two MATE section but not each of wanted attributes.. please see
mate_example.png and m3ua_v04.mate
You might also want to consider exporting the data to PDML and parsing 
that to get what you need.