I am trying to retrieve the Link State ID of a Network-LSA from a captured OSPF LS Update in Wireshark. Wireshark says the variable is ospf.lsa_id, however this gives only the first instance of the ospf.lsa_id which is in the router-lsa part of the packet. How do I specifically access the Network-LSA for its LSID?

I have tried using array access and Wireshark documentation, but some of their variables are off by a single _ or .

Here is a screenshot of what I want to access:

[Screenshot: OSPF in Wireshark]

From testing, it seems that ospf.lsa_id returns the first instance of it (which makes sense) but I want to be able to get all of the LSIDs.

I will probably end up looping through since it seems lsa_id is a list.

Thanks,

natzberg
  • Could you post an example capture somewhere? – KimiNewt Jun 17 '17 at 10:42
  • Hi Kimi. I will work on getting a screenshot up. In text format: In Wireshark on an OSPF update packet, in the OSPF layer, LS Update Packet, LSA-type 2 (Network-LSA). I would like to be able to access the Link State ID of the network LSA but am having a hard time without using a loop, since there is usually more than one LSA in the OSPF update. – natzberg Jun 19 '17 at 14:29
  • Try running pyshark in json mode (json=True in the constructor) in an interpreter and then access the field (names might be a bit different, look at the field names at the bottom of Wireshark when you highlight them. Also note that fields with subfields will usually be called ). It should show up as a list. You can also see all field names by running pkt.whateverlayer.field_names – KimiNewt Jun 21 '17 at 14:02
  • I got all the fieldnames and did have to loop through the list to get them all. Is there a more efficient way to loop through live captures than "for packet in capture"? I think my program is missing some updates. – natzberg Jun 23 '17 at 16:47
  • It's either that or capture.apply_on_packets(callback_func) – KimiNewt Jun 24 '17 at 10:38

0 Answers
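The thread settles on looping over every LSA in the update. As an added example (not part of the original thread and not pyshark code), the sketch below walks the raw OSPFv2 LS Update bytes per RFC 2328 and returns the Link State ID of each Network-LSA. It assumes you already hold the OSPF payload (IP protocol 89) as bytes; the function names and the sample packet are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

OSPF_HDR_LEN, LSA_HDR_LEN = 24, 20   # RFC 2328 A.3.1 and A.4.1
LS_UPDATE, NETWORK_LSA = 4, 2        # OSPF packet type 4, LS type 2
LSA_HDR = "!HBB4s4sIHH"              # age, options, type, LSID, adv router, seq, cksum, length


def lsa_headers(ospf: bytes):
    """Yield (ls_type, link_state_id, adv_router) for every LSA in an LS Update."""
    if len(ospf) < OSPF_HDR_LEN + 4:
        raise ValueError("truncated OSPF packet")
    version, pkt_type, pkt_len = struct.unpack_from("!BBH", ospf, 0)
    if version != 2 or pkt_type != LS_UPDATE:
        raise ValueError("not an OSPFv2 LS Update")
    end = min(pkt_len, len(ospf))    # never trust the length field past the capture
    (count,) = struct.unpack_from("!I", ospf, OSPF_HDR_LEN)
    off = OSPF_HDR_LEN + 4
    for _ in range(count):
        if off + LSA_HDR_LEN > end:
            raise ValueError("LSA header runs past end of packet")
        _, _, ls_type, lsid, adv, _, _, length = struct.unpack_from(LSA_HDR, ospf, off)
        if length < LSA_HDR_LEN or off + length > end:
            raise ValueError("LSA length field is inconsistent")
        yield ls_type, str(IPv4Address(lsid)), str(IPv4Address(adv))
        off += length   # the length field, not a fixed stride, locates the next LSA


def network_lsids(ospf: bytes):
    """Link State IDs of all Network-LSAs (LS type 2) in the packet."""
    return [lsid for ls_type, lsid, _ in lsa_headers(ospf) if ls_type == NETWORK_LSA]


def _lsa(ls_type, lsid, adv, body):
    # Constructed LSA: checksum left at zero, not a valid Fletcher checksum.
    return struct.pack(LSA_HDR, 1, 0x02, ls_type, IPv4Address(lsid).packed,
                       IPv4Address(adv).packed, 0x80000001, 0, LSA_HDR_LEN + len(body)) + body


def build_sample():
    """Constructed LS Update: one Router-LSA followed by two Network-LSAs."""
    mask = IPv4Address("255.255.255.0").packed
    lsas = [_lsa(1, "192.0.2.1", "192.0.2.1", bytes(4)),
            _lsa(2, "198.51.100.2", "192.0.2.2", mask + IPv4Address("192.0.2.1").packed),
            _lsa(2, "203.0.113.1", "192.0.2.3", mask + IPv4Address("192.0.2.3").packed)]
    payload = struct.pack("!I", len(lsas)) + b"".join(lsas)
    header = struct.pack("!BBH4s4sHH8s", 2, LS_UPDATE, OSPF_HDR_LEN + len(payload),
                         IPv4Address("192.0.2.1").packed, bytes(4), 0, 0, bytes(8))
    return header + payload
```

Calling `network_lsids(build_sample())` skips the leading Router-LSA and returns both Network-LSA IDs, which is the behaviour the single `lsa_id` accessor in the question does not give.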