Wireshark-users: Re: [Wireshark-users] Need assistance in creating a display filter

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 27 Jul 2009 13:26:43 -0400

This sounds like a job for MATE:

http://wiki.wireshark.org/Mate

though I'm not sure if you can then iterate over all the Groups of Packets and, say, print them out, but it would work for display filters at least.

Michael R. Pierotti wrote:
Abhik,

Thanks for the info but I already know how to do that. What I am trying to do is filter on ALL of the BEGIN and END messages because we are troubleshooting to see if any of the END messages are missing. Going through each BEGIN to find all ENDs would be way too time-consuming :(

Is there any way to do CDRs in Wireshark? That would work well also.


Thanks,
Mike


-----Original Message-----
From: Abhik Sarkar [mailto:sarkar.abhik@xxxxxxxxx]
Sent: Sunday, July 19, 2009 12:47 PM
To: mike.pierotti@xxxxxxxxxxxxxxxxx; Community support list for Wireshark
Subject: Re: [Wireshark-users] Need assistance in creating a display filter

Hi Michael,
Once you have the capture and have found the BEGIN, expand the TCAP
portion in the packet details pane, bring up the context menu for the
transaction ID and select 'apply as filter selected'.
That should show you all (captured) MSUs with the same transaction ID.
HTH
Abhik

On 7/17/09, Michael R. Pierotti <mike.pierotti@xxxxxxxxxxxxxxxxx> wrote:
I am fairly new to Wireshark when it comes to capturing SIGTRAN and need
assistance in creating a display filter.



What I am attempting to do is capture the TCAP BEGIN with OpCode 66
(readyForSM) and all related TCAP ENDS or TCAP ERRORS for those messages.
Any ideas on how this may be accomplished?



Thanks,
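
Added example, not part of the original thread: one way to do the correlation asked about above outside Wireshark, pairing each TCAP BEGIN that carries opcode 66 with the END or ABORT that closes the same transaction and reporting the BEGINs left open. It assumes the capture has already been exported to one record per TCAP message; the `Msg` layout, the function name, and the sample rows are hypothetical and constructed for illustration.

```python
from typing import NamedTuple, Optional

READY_FOR_SM = 66  # MAP opcode from the original question (readyForSM)

class Msg(NamedTuple):  # hypothetical layout, one record per exported TCAP message
    frame: int
    kind: str             # "BEGIN", "CONTINUE", "END" or "ABORT"
    src: str              # sending node (point code or GT)
    dst: str              # receiving node
    otid: Optional[str]   # originating transaction ID
    dtid: Optional[str]   # destination transaction ID
    opcode: Optional[int] = None

def unanswered_begins(msgs, opcode=READY_FOR_SM):
    """Return BEGINs carrying `opcode` that never see an END or ABORT."""
    open_tx = {}  # (initiator, initiator's otid) -> BEGIN
    alias = {}    # (responder, responder's otid) -> key into open_tx
    for m in sorted(msgs, key=lambda m: m.frame):
        if m.kind == "BEGIN":
            if m.opcode == opcode:
                open_tx[(m.src, m.otid)] = m
            continue
        # A dtid is the ID the *receiver* allocated, so it is only
        # meaningful together with the receiving node.
        key = (m.dst, m.dtid)
        if m.kind == "CONTINUE" and key in open_tx:
            alias[(m.src, m.otid)] = key  # responder now has its own tid
        elif m.kind in ("END", "ABORT"):
            open_tx.pop(alias.pop(key, key), None)
    return sorted(open_tx.values(), key=lambda m: m.frame)

# Constructed sample data, not taken from a real capture.
SAMPLE = [
    Msg(1, "BEGIN", "A", "B", "0a01", None, 66),
    Msg(2, "END", "B", "A", None, "0a01"),
    Msg(3, "BEGIN", "A", "B", "0a02", None, 66),     # never closed
    Msg(4, "BEGIN", "C", "B", "0a01", None, 66),     # same tid, other node
    Msg(5, "BEGIN", "A", "B", "0a03", None, 46),     # other opcode, ignored
    Msg(6, "CONTINUE", "B", "C", "7700", "0a01"),
    Msg(7, "END", "C", "B", None, "7700"),           # initiator ends dialogue
    Msg(8, "BEGIN", "A", "B", "0a04", None, 66),
    Msg(9, "ABORT", "B", "A", None, "0a04"),
]

if __name__ == "__main__":
    for m in unanswered_begins(SAMPLE):
        print(f"frame {m.frame}: BEGIN otid={m.otid} from {m.src} has no END")
```

A BEGIN reported here may also mean the END fell outside the capture window, so check the capture's start and end times before treating it as a lost message.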