Capture Diameter Messages without wire-shark.

There are various utilities available on Linux server, but here we are discussing the command that shall give you an exhaustive information for each AVP.

Kindly check tshark is installed. 
[If any other utility is better than tshark,Do share, your suggestions are warmly welcome]

1) tshark -R diameter -V | grep 'Frame\|Arrival Time:\|Internet Protocol Version\|Src Port:\|Diameter Protocol\|Request:\|Command Code:\|AVP:\|Result-Code'


OutPut:

Frame 3534 (268 bytes on wire, 268 bytes captured)
    Arrival Time: Apr 15, 2013 15:47:01.412548000
    Frame Number: 3534
    Frame Length: 268 bytes
    [Frame is marked: False]
Transmission Control Protocol, Src Port: 38275 (38275), Dst Port: avocent-adsap (3871), Seq: 1, Ack: 1, Len: 200
Diameter Protocol
        1... .... = Request: Set
    Command Code: 257 Capabilities-Exchange
    AVP: Origin-Host(264) l=19 f=-M- val=101.134.771.143
    AVP: Origin-Realm(296) l=26 f=-M- val=abc123.ABC.org
    AVP: Host-IP-Address(257) l=14 f=-M- val=101.134.771.143 (101.134.771.143)
    AVP: Vendor-Id(266) l=12 f=-M- val=11
    AVP: Product-Name(269) l=23 f=--- val= Cx Interface
    AVP: Origin-State-Id(278) l=12 f=-M- val=1094807040
    AVP: Supported-Vendor-Id(265) l=12 f=-M- val=10415
    AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP CX/DX (16777216)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=11
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP CX/DX (16777216)
    AVP: Firmware-Revision(267) l=12 f=--- val=1
Frame 3543 (408 bytes on wire, 408 bytes captured)
    Arrival Time: Apr 15, 2013 15:47:01.418472000
    Frame Number: 3543
    Frame Length: 408 bytes
    [Frame is marked: False]
Transmission Control Protocol, Src Port: avocent-adsap (3871), Dst Port: 38275 (38275), Seq: 1, Ack: 201, Len: 340
Diameter Protocol
        0... .... = Request: Not set
    Command Code: 257 Capabilities-Exchange
    AVP: Origin-Host(264) l=28 f=-M- val=abc.xyz.com
    AVP: Origin-Realm(296) l=23 f=-M- val=xyz.com
    AVP: Result-Code(268) l=12 f=-M- val=DIAMETER_SUCCESS (2001)
        AVP Code: 268 Result-Code
        Result-Code: DIAMETER_SUCCESS (2001)
    AVP: Host-IP-Address(257) l=14 f=-M- val=222.222.222.222 (222.222.222.222)
    AVP: Vendor-Id(266) l=12 f=-M- val=10415
    AVP: Product-Name(269) l=11 f=--- val=HSS
    AVP: Inband-Security-Id(299) l=12 f=-M- val=NO_INBAND_SECURITY (0)
    AVP: Firmware-Revision(267) l=12 f=--- val=1
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP CX/DX (16777216)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=Unknown (16777291)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP S13 (16777252)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP S6a (16777251)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP Zh (16777221)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP Sh (16777217)
Frame 3546 (392 bytes on wire, 392 bytes captured)
    Arrival Time: Apr 15, 2013 15:47:01.423330000
    Frame Number: 3546
    Frame Length: 392 bytes
    [Frame is marked: False]


2) Extreme Exhaustive Info. 
   
                    tshark -R diameter -V 


3) Command to capture PCAP file Log-Rotate.



                                    tshark -b filesize:10240 -a files:1000 -w capture.pcap

                   [It shall stop after writing 1000 files.]


tshark -f sctp port 3868 -i eth0 -b filesize:10240 -b duration:300 -w log.pcap
[It shall capture continuously and shall create new file when file size reaches to 10240 or 300 seconds are passed ]





Your Comments /Suggestions and Questions are always welcome,  shall clarify with best of knowledge. So feel free to put Questions.

13 comments:

  1. tcpdump is another option
    tcpdump -s 0 -i any host \( ip1 or ip2, etc\) -w /filename

    ReplyDelete
  2. Please can you inform me how you set vendor id & auth-application id and also host ip address perfectly ??? It is very argent

    ReplyDelete
    Replies
    1. Hi Shahriar Kamal,

      This blog about capturing the information from Network. Vendor-ID, Application-ID and IP etc are to be set in application. Every software Vendors/Companies have their own way to set configuration details in application.

      Kindly elaborate more, what's exactly your point.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

      Delete
    2. Really kind reply..Normally people just ignore. Good work. This is my first visit to this site.

      Delete
    3. Hi

      Thanks for appreciating our efforts.
      Team-Diameter

      Delete
  3. Hi Team ,

    kindly any body help me to know the use of RATING GROUP in diameter, and why it need to set mandatory ?

    ReplyDelete
    Replies
    1. If you have an online charging system controlling your charging functionality and a PCRF controlling your policy application,then to charge a data session of a user the PCRF responds with Rating Group avp to PGW,which PGW uses to notify the Online charging system.

      Once online charging system receives the CC-R from PGW with rating group,the Online Charging system can do charging based on the Rating Group identifier received in the CCR from PGW

      Delete
  4. Any body can help me out to get PDF of this " Sip: Understanding the Session Initiation Protocol, Fourth Edition 4th ed. Edition
    by Alan B Johnston (Author) "

    ReplyDelete
  5. hi team,

    i have some Doubt..
    (1)what is "COMMAND" & "Application id"??
    (2)if server sends a RAR msg to client. what will be the format for msg. like in message there will be mention that this is "RAR" msg or using corresponding code 258 Decimal.
    (3)How can we use application ID in message format??

    ReplyDelete
  6. in ims registration i-cscf what does send in the uar, to hss, hss what will reply to i-cscf in uaa

    ReplyDelete
    Replies
    1. When you look into Cx-Registration, the I-CSCF looks for the S-CSCF address, for that it ask the scscf address/scscf capabilities from HSS. if HSS have the SCSCF assigned (SUBSQUENT REGISTRATION (UAR after MAR)) for that subscriber, it provides the name, otherwise server capabilities(FIRST REGISTRATION). kindly refer 29.228 for complete details.

      Delete
  7. thanks, your help for more detail about tshark in diameter

    ReplyDelete