Capture Diameter Messages without Wireshark.

Several utilities on a Linux server can do this, but here we discuss the command that gives exhaustive information for each AVP.

First check that tshark is installed.
[If any other utility is better than tshark, do share; your suggestions are warmly welcome.]

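1) tshark -Y diameter -V | grep 'Frame\|Arrival Time:\|Internet Protocol Version\|Src Port:\|Diameter Protocol\|Request:\|Command Code:\|AVP:\|Result-Code'

[Current tshark releases take the display filter with -Y; -R works there only together with -2. Older releases accepted -R diameter for a live capture.]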


Output:

Frame 3534 (268 bytes on wire, 268 bytes captured)
    Arrival Time: Apr 15, 2013 15:47:01.412548000
    Frame Number: 3534
    Frame Length: 268 bytes
    [Frame is marked: False]
Transmission Control Protocol, Src Port: 38275 (38275), Dst Port: avocent-adsap (3871), Seq: 1, Ack: 1, Len: 200
Diameter Protocol
        1... .... = Request: Set
    Command Code: 257 Capabilities-Exchange
    AVP: Origin-Host(264) l=19 f=-M- val=101.134.771.143
    AVP: Origin-Realm(296) l=26 f=-M- val=abc123.ABC.org
    AVP: Host-IP-Address(257) l=14 f=-M- val=101.134.771.143 (101.134.771.143)
    AVP: Vendor-Id(266) l=12 f=-M- val=11
    AVP: Product-Name(269) l=23 f=--- val= Cx Interface
    AVP: Origin-State-Id(278) l=12 f=-M- val=1094807040
    AVP: Supported-Vendor-Id(265) l=12 f=-M- val=10415
    AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP CX/DX (16777216)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=11
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP CX/DX (16777216)
    AVP: Firmware-Revision(267) l=12 f=--- val=1
Frame 3543 (408 bytes on wire, 408 bytes captured)
    Arrival Time: Apr 15, 2013 15:47:01.418472000
    Frame Number: 3543
    Frame Length: 408 bytes
    [Frame is marked: False]
Transmission Control Protocol, Src Port: avocent-adsap (3871), Dst Port: 38275 (38275), Seq: 1, Ack: 201, Len: 340
Diameter Protocol
        0... .... = Request: Not set
    Command Code: 257 Capabilities-Exchange
    AVP: Origin-Host(264) l=28 f=-M- val=abc.xyz.com
    AVP: Origin-Realm(296) l=23 f=-M- val=xyz.com
    AVP: Result-Code(268) l=12 f=-M- val=DIAMETER_SUCCESS (2001)
        AVP Code: 268 Result-Code
        Result-Code: DIAMETER_SUCCESS (2001)
    AVP: Host-IP-Address(257) l=14 f=-M- val=222.222.222.222 (222.222.222.222)
    AVP: Vendor-Id(266) l=12 f=-M- val=10415
    AVP: Product-Name(269) l=11 f=--- val=HSS
    AVP: Inband-Security-Id(299) l=12 f=-M- val=NO_INBAND_SECURITY (0)
    AVP: Firmware-Revision(267) l=12 f=--- val=1
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP CX/DX (16777216)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=Unknown (16777291)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP S13 (16777252)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP S6a (16777251)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP Zh (16777221)
    AVP: Vendor-Specific-Application-Id(260) l=32 f=-M-
            AVP: Vendor-Id(266) l=12 f=-M- val=10415
            AVP: Auth-Application-Id(258) l=12 f=-M- val=3GPP Sh (16777217)
Frame 3546 (392 bytes on wire, 392 bytes captured)
    Arrival Time: Apr 15, 2013 15:47:01.423330000
    Frame Number: 3546
    Frame Length: 392 bytes
    [Frame is marked: False]
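
An added example (not part of the original post): an awk filter that condenses the grep-filtered tshark output into one line per Diameter message and flags answers whose Result-Code is outside 2xxx and peers advertising NO_INBAND_SECURITY, as the capabilities answer above does. The function name summarize_diameter, the output layout and the sample lines are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): one summary line per Diameter message.
# Output fields: frame|request-or-answer|command code|Origin-Host|Result-Code|flags

# Constructed sample in the same shape as the output above; host names are placeholders.
SAMPLE='Frame 3534 (268 bytes on wire, 268 bytes captured)
Diameter Protocol
        1... .... = Request: Set
    Command Code: 257 Capabilities-Exchange
    AVP: Origin-Host(264) l=26 f=-M- val=client.example.org
Frame 3543 (408 bytes on wire, 408 bytes captured)
Diameter Protocol
        0... .... = Request: Not set
    Command Code: 257 Capabilities-Exchange
    AVP: Origin-Host(264) l=23 f=-M- val=hss.example.com
    AVP: Result-Code(268) l=12 f=-M- val=DIAMETER_SUCCESS (2001)
    AVP: Inband-Security-Id(299) l=12 f=-M- val=NO_INBAND_SECURITY (0)
Frame 3546 (392 bytes on wire, 392 bytes captured)
    Frame Number: 3546
Frame 3550 (180 bytes on wire, 180 bytes captured)
Diameter Protocol
        0... .... = Request: Not set
    Command Code: 257 Capabilities-Exchange
    AVP: Origin-Host(264) l=23 f=-M- val=hss.example.com
    AVP: Result-Code(268) l=12 f=-M- val=DIAMETER_UNABLE_TO_COMPLY (5012)'

summarize_diameter() {
  awk '
    function emit() {
      if (frame != "" && cmd != "") {          # skip frames with no Diameter decode
        if (rc != "-" && rc !~ /^2/) flags = flags "NON_SUCCESS,"
        if (flags == "") flags = "-,"
        sub(/,$/, "", flags)
        print frame "|" kind "|" cmd "|" host "|" rc "|" flags
      }
      frame = ""; kind = "?"; cmd = ""; host = "-"; rc = "-"; flags = ""
    }
    /^Frame [0-9]+/           { emit(); frame = $2; sub(/:$/, "", frame) }
    /Request: Set/            { kind = "request" }
    /Request: Not set/        { kind = "answer" }
    /Command Code:/           { cmd = $3 }
    /AVP: Origin-Host\(264\)/ { host = $0; sub(/.*val=/, "", host) }
    /AVP: Result-Code\(268\)/ { rc = $0; sub(/.*\(/, "", rc); sub(/\).*/, "", rc) }
    /Inband-Security-Id\(299\).*NO_INBAND_SECURITY/ { flags = flags "NO_INBAND_SECURITY," }
    END { emit() }
  '
}

printf "%s\n" "$SAMPLE" | summarize_diameter
```

On a live interface, pipe the tshark command from step 1 into summarize_diameter. When one frame carries several Diameter messages, their fields are merged into a single line.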


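2) Extremely exhaustive info (the full -V decode without the grep filter):

    tshark -Y diameter -V

[Use -R diameter instead of -Y diameter on older tshark releases.]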


3) Commands to capture to PCAP files with log rotation.

    tshark -b filesize:10240 -a files:1000 -w capture.pcap

[It shall stop after writing 1000 files.]

    tshark -f "sctp port 3868" -i eth0 -b filesize:10240 -b duration:300 -w log.pcap

[It shall capture continuously and shall create a new file when the file size reaches 10240 kB or 300 seconds have passed. The capture filter is quoted so that the shell passes it to -f as a single argument.]





Your comments, suggestions and questions are always welcome; we shall clarify to the best of our knowledge. So feel free to ask questions.

8 comments:

  1. tcpdump is another option
    tcpdump -s 0 -i any host \( ip1 or ip2, etc\) -w /filename

  2. Please can you inform me how you set vendor id & auth-application id and also host ip address perfectly ??? It is very urgent

    1. Hi Shahriar Kamal,

      This blog is about capturing the information from the network. Vendor-ID, Application-ID, IP, etc. are to be set in the application. Every software vendor/company has its own way to set configuration details in the application.

      Kindly elaborate more; what exactly is your point?

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

    2. Really kind reply. Normally people just ignore. Good work. This is my first visit to this site.

    3. Hi

      Thanks for appreciating our efforts.
      Team-Diameter

  3. Hi Team ,

    Kindly, can anybody help me to know the use of RATING GROUP in Diameter, and why it needs to be set mandatory?

  4. Can anybody help me out to get a PDF of "Sip: Understanding the Session Initiation Protocol, Fourth Edition 4th ed. Edition
    by Alan B Johnston (Author)"?
