2

I have a diameter packet capture pcap file (using tcpdump) containing some AVPs. I'd like to parse the pcap file and access/retrieve the AVPs.

I'm using python3.5.1. The dpkt library apparently supports diameter well but it's not yet available for python3. I tried converting it via the 2to3-3.5 script but the conversion isn't foolproof and I'm hitting Unicode errors while parsing the pcap.

I am trying to use scapy now. I need some help/examples in how to use scapy to:

  1. parse a pcap file
  2. retrieve/parse AVPs from the pcap.

Any help would be appreciated.

Regards Sharad

Sharad
  • You can read a pcap in scapy with the rdpcap function. You can then parse the packets using one of summary(), show(), or show2() depending on what you need. I am not familiar with a diameter packet but you could take a look at it doing this: `pcap = rdpcap(capture) for p in pcap: p.show()` This would show you how scapy sees it. Hope that helps. – Noob123 Jul 01 '16 at 15:55
  • I'll try and update. Thanks! – Sharad Jul 01 '16 at 16:19
  • If the processing time does not matter for you, you can use pyshark (based on tshark). It can decode the diameter protocol. – Giac Oct 17 '16 at 05:57
  • `pcap=rdpcap(capture) for p in pcap: p.show()` only gives you `raw` data. – Tiina Oct 21 '18 at 04:39
  • Did you figure the best way for this? I am looking for the same thing. – Patz Aug 15 '19 at 15:55

1 Answer

0

I would suggest you use tshark. Using tshark you can convert the pcap files to text files containing the AVPs that you are interested in. Once you have the text file, I believe it would be easy to extract the information using python.

  • I have checked tshark before but it is not fast enough. But if the processing time does not matter for you (@sharad), you can use pyshark (based on tshark). It can decode the diameter protocol. – Giac Oct 17 '16 at 05:50
  • Thanks Rajeev, Giac. I'm using pyshark, as of now. – Sharad Oct 18 '16 at 03:12
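
An added example, not part of the original posts: a standard-library Python 3 parser for the Diameter header and AVP layout from RFC 6733, meant for payload bytes already pulled out of the pcap (such as the raw data scapy reports in the comments above). The helper names, the sample message and the vendor AVP values are constructed for illustration, and TCP/SCTP reassembly is assumed to have been done. Lengths come from the capture and are treated as untrusted, so every one is bounds-checked.

```python
import struct

def parse_diameter(payload: bytes) -> dict:
    """Parse one Diameter message (RFC 6733 layout) from raw payload bytes."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte Diameter header")
    ver_len, flg_cmd, app_id, hbh, e2e = struct.unpack("!IIIII", payload[:20])
    version, msg_len = ver_len >> 24, ver_len & 0xFFFFFF
    if version != 1 or msg_len < 20 or msg_len % 4 or msg_len > len(payload):
        raise ValueError("bad version or message length")
    avps, off = [], 20
    while off < msg_len:
        if msg_len - off < 8:
            raise ValueError("truncated AVP header")
        code, flg_len = struct.unpack("!II", payload[off:off + 8])
        flags, avp_len = flg_len >> 24, flg_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8          # V bit set: Vendor-Id follows
        if avp_len < hdr or off + avp_len > msg_len:
            raise ValueError(f"AVP {code}: length {avp_len} out of bounds")
        vendor = struct.unpack("!I", payload[off + 8:off + 12])[0] if hdr == 12 else None
        avps.append({"code": code, "flags": flags, "vendor": vendor,
                     "data": payload[off + hdr:off + avp_len]})
        off += (avp_len + 3) & ~3                # AVPs are padded to 4 bytes
    return {"flags": flg_cmd >> 24, "command": flg_cmd & 0xFFFFFF,
            "app_id": app_id, "hop_by_hop": hbh, "end_to_end": e2e, "avps": avps}

def build_avp(code, data, vendor=None, mandatory=True):
    # Hypothetical helper used only to construct the sample below.
    flags = (0x80 if vendor is not None else 0) | (0x40 if mandatory else 0)
    length = (12 if vendor is not None else 8) + len(data)
    head = struct.pack("!II", code, (flags << 24) | length)
    if vendor is not None:
        head += struct.pack("!I", vendor)
    return head + data + b"\x00" * (-length % 4)

def build_message(command, app_id, avps, flags=0x80):
    body = b"".join(avps)
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)),
                       (flags << 24) | command, app_id, 0x11111111, 0x22222222) + body

# Constructed sample: a Capabilities-Exchange-Request (command 257), made-up values.
SAMPLE = build_message(257, 0, [
    build_avp(264, b"hss.example.net"),                       # Origin-Host
    build_avp(296, b"example.net"),                           # Origin-Realm
    build_avp(9999, b"\x00\x00\x00\x2a", vendor=99999, mandatory=False),  # constructed
])
```

`parse_diameter(SAMPLE)["avps"]` gives one dict per AVP with its code, flags, optional vendor id and unpadded data bytes.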