0

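I am trying to add up all the Input/Output Octets AVPs to calculate the total data used against each Rating-Group. The problem is that not all Input/Output Octets AVPs are present in every Service-Data-Container AVP. When using the tshark command with the -Tfields or -Tjson option, the output loses the original hierarchy, so it is impossible to determine which Octets AVP is associated with which Rating-Group.

Here is a simple snapshot of an Rf ACR packet: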

Diameter>
 Service-Information>
  PS-Information>
   Service-Data-Container>
    Accounting-Input-Octets=1000
    Accounting-Output-Octets=2000
    Rating-Group=1111
    ...
    ...
   Service-Data-Container>
    Accounting-Output-Octets=7000
    Rating-Group=1111
    ...
    ...
   Service-Data-Container>
    Accounting-Input-Octets=4000
    Rating-Group=2222
    ...
    ...
   Service-Data-Container>
    Accounting-Input-Octets=6000
    Accounting-Output-Octets=5000
    Rating-Group=2222
    ...
    ...

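In the example above, if I add them up, for Rating-Group=1111 the total Accounting-Input-Octets is 1000 and Accounting-Output-Octets is 9000. Likewise, for Rating-Group=2222 the total Accounting-Input-Octets is 10000 and Accounting-Output-Octets is 5000.

I ran tshark with the following options: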

tshark -r <file.pcap> -Y <diameter_filter> -Tjson  -e diameter.Rating-Group -e diameter.Accounting-Input-Octets -e diameter.Accounting-Output-Octets

[
  {
    "_index": "packets-2019-08-12",
    "_type": "pcap_file",
    "_score": null,
    "_source": {
      "layers": {
        "diameter.Rating-Group": [
          "1111",
          "1111",
          "2222",
          "2222"
        ],
        "diameter.Accounting-Input-Octets": [
          "1000",
          "4000",
          "6000"
        ],
        "diameter.Accounting-Output-Octets": [
          "2000",
          "7000",
          "5000"
        ]
      }
    }
  }
]

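As you can see, it is not possible to aggregate the octets against the Rating-Groups.

I am looking for an option that gives me a better packet hierarchy, like the following: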

[
 {
   "Service-Data-Container":
      {
        "Accounting-Input-Octets": 1000,
        "Accounting-Output-Octets": 2000,
        "Rating-Group": 1111
      }
 },
 {
   "Service-Data-Container":
      {
        "Accounting-Output-Octets": 7000,
        "Rating-Group": 1111
      }
 },
 {
   "Service-Data-Container":
      {
        "Accounting-Input-Octets": 4000,
        "Rating-Group": 2222
      }
 },
 {
   "Service-Data-Container":
      {
        "Accounting-Input-Octets": 6000,
        "Accounting-Output-Octets": 5000,
        "Rating-Group": 2222
      }
 }
]
2 Answers

0

I believe you can disambiguate the -T json output of tshark with the following parameter:

--no-duplicate-keys
If a key appears multiple times in an object, only write it a single time with as value a json array containing all the separate values. (Only works with -T json)

So the final command should look like this:

% tshark -r <pcap file>  -Y diameter -Tjson --no-duplicate-keys

                  "diameter.PS-Information_tree": {
                    "diameter.avp": [
                      "00:00:00:02:c0:00:00:10:00:00:28:af:12:11:0e:d1",
                      "00:00:08:02:c0:00:00:10:00:00:28:af:12:11:0e:d1",
                      "00:00:00:03:c0:00:00:10:00:00:28:af:00:00:00:00",
                      "00:00:04:cb:c0:00:00:12:00:00:28:af:00:01:0a:80:04:04:00:00",
                      "00:00:03:f8:c0:00:00:58:00:00:28:af:00:00:04:04:c0:00:00:10:00:00:28:af:00:00:00:09:00:00:04:0a:80:00:00:1c:00:00:28:af:00:00:04:16:80:00:00:10:00:00:28:af:00:00:00:0c:00:00:04:11:80:00:00:10:00:00:28:af:11:e1:a3:00:00:00:04:10:80:00:00:10:00:00:28:af:23:c3:46:00",
                      "00:00:08:03:c0:00:00:10:00:00:28:af:00:00:00:01",
                      "00:00:04:cc:c0:00:00:12:00:00:28:af:00:01:d9:74:60:ca:00:00",
                      "00:00:03:4f:c0:00:00:12:00:00:28:af:00:01:d9:d6:87:62:00:00",
                      "00:00:07:ff:c0:00:00:10:00:00:28:af:00:00:00:02",
                      "00:00:00:08:c0:00:00:11:00:00:28:af:32:34:30:30:31:00:00:00",
                      "00:00:00:0a:c0:00:00:0d:00:00:28:af:35:00:00:00",
                      "00:00:00:0b:c0:00:00:0d:00:00:28:af:ff:00:00:00",
                      "00:00:00:0c:c0:00:00:0d:00:00:28:af:30:00:00:00",
                      "00:00:00:0d:c0:00:00:10:00:00:28:af:30:63:38:30",
                      "00:00:00:12:c0:00:00:11:00:00:28:af:32:36:30:30:33:00:00:00",
                      "00:00:00:17:c0:00:00:0e:00:00:28:af:40:00:00:00",
                      "00:00:00:16:c0:00:00:19:00:00:28:af:82:62:f0:30:e3:21:62:f0:30:04:47:90:0b:00:00:00",
                      "00:00:00:15:c0:00:00:0d:00:00:28:af:06:00:00:00",
                      "00:00:00:1e:40:00:00:17:74:65:73:74:32:34:2e:74:65:6c:69:61:2e:73:65:00",
                      "00:00:07:fa:c0:00:00:10:00:00:28:af:e3:4b:e2:31"
                    ],
                    "diameter.avp_tree": [
                      {
                        "diameter.avp.code": "2",
                        "diameter.avp.flags": "0x000000c0",
                        "diameter.avp.flags_tree": {
                          "diameter.flags.vendorspecific": "1",
                          "diameter.flags.mandatory": "1",
                          "diameter.avp.flags.protected": "0",
                          "diameter.avp.flags.reserved3": "0",
                          "diameter.avp.flags.reserved4": "0",
                          "diameter.avp.flags.reserved5": "0",
                          "diameter.avp.flags.reserved6": "0",
                          "diameter.avp.flags.reserved7": "0"
                        },
                        "diameter.avp.len": "16",
                        "diameter.avp.vendorId": "10415",
                        "diameter.3GPP-Charging-Id": "12:11:0e:d1"
                      },
                      {
                        "diameter.avp.code": "2050",
                        "diameter.avp.flags": "0x000000c0",
                        "diameter.avp.flags_tree": {
                          "diameter.flags.vendorspecific": "1",
                          "diameter.flags.mandatory": "1",
                          "diameter.avp.flags.protected": "0",
                          "diameter.avp.flags.reserved3": "0",
                          "diameter.avp.flags.reserved4": "0",
                          "diameter.avp.flags.reserved5": "0",
                          "diameter.avp.flags.reserved6": "0",
                          "diameter.avp.flags.reserved7": "0"
                        },
                        "diameter.avp.len": "16",
                        "diameter.avp.vendorId": "10415",
                        "diameter.PDN-Connection-Charging-ID": "303107793"
                      },
                      {
                        "diameter.avp.code": "3",
                        "diameter.avp.flags": "0x000000c0",
                        "diameter.avp.flags_tree": {
                          "diameter.flags.vendorspecific": "1",
                          "diameter.flags.mandatory": "1",
                          "diameter.avp.flags.protected": "0",
                          "diameter.avp.flags.reserved3": "0",
                          "diameter.avp.flags.reserved4": "0",
                          "diameter.avp.flags.reserved5": "0",
                          "diameter.avp.flags.reserved6": "0",
                          "diameter.avp.flags.reserved7": "0"
                        },
                        "diameter.avp.len": "16",
                        "diameter.avp.vendorId": "10415",
                        "diameter.3GPP-PDP-Type": "0"
                      },
Answered 2020-11-21T20:39:05.507
0

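I can't comment, but if you added a link to the packet capture to your question, it would be easier to help you.

Without access to the packet capture, I would assume that tshark -r <file.pcap> -Y <diameter_filter> -Tjson will contain all the information you need (which you can then parse with python).

If json doesn't meet your needs, you may also want to look at the pdml/psml output, since they contain slightly different output.

Answered 2019-09-05T19:11:40.180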
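
An added example (not part of either answer): one way to do the Python parsing suggested above, walking the nested -Tjson tree so that each octet count stays with the Rating-Group of its own container. The `diameter.Service-Data-Container_tree` key and the `sdc_entry` helper are assumptions modelled on the `diameter.PS-Information_tree` output shown above, and the sample is constructed to mirror the four containers in the question.

```python
from collections import defaultdict

# Field names taken from the question's tshark command.
RG = "diameter.Rating-Group"
IN_OCT = "diameter.Accounting-Input-Octets"
OUT_OCT = "diameter.Accounting-Output-Octets"
# Assumed subtree key, modelled on "diameter.PS-Information_tree" in the answer.
SDC_TREE = "diameter.Service-Data-Container_tree"

def walk(node, keys):
    """Yield (key, value) for each of `keys` found below node, without descending into it."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k in keys:
                yield k, v
            else:
                yield from walk(v, keys)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, keys)

def totals_by_rating_group(packets):
    """Sum input/output octets per Rating-Group, one container at a time."""
    totals = defaultdict(lambda: {IN_OCT: 0, OUT_OCT: 0})
    for _, tree in walk(packets, {SDC_TREE}):
        # With --no-duplicate-keys a repeated key becomes a list of subtrees.
        for sdc in tree if isinstance(tree, list) else [tree]:
            found = defaultdict(list)
            for k, v in walk(sdc, {RG, IN_OCT, OUT_OCT}):
                found[k] += v if isinstance(v, list) else [v]
            if len(found[RG]) != 1:
                continue  # missing or ambiguous Rating-Group: do not guess
            for field in (IN_OCT, OUT_OCT):
                totals[found[RG][0]][field] += sum(int(x) for x in found[field])
    return dict(totals)

def sdc_entry(avps):
    """Constructed avp_tree entry: a container holding one child entry per AVP."""
    return {"diameter.avp.flags": "0x000000c0", SDC_TREE: {"diameter.avp_tree": [
        {"diameter.avp.vendorId": "10415", k: str(v)} for k, v in avps.items()]}}

# Constructed sample mirroring the four containers in the question.
SAMPLE = [{"_source": {"layers": {"diameter": {"diameter.PS-Information_tree": {
    "diameter.avp_tree": [
        sdc_entry({IN_OCT: 1000, OUT_OCT: 2000, RG: 1111}),
        sdc_entry({OUT_OCT: 7000, RG: 1111}),
        sdc_entry({IN_OCT: 4000, RG: 2222}),
        sdc_entry({IN_OCT: 6000, OUT_OCT: 5000, RG: 2222}),
    ]}}}}}]

if __name__ == "__main__":
    print(totals_by_rating_group(SAMPLE))
```

For a real capture, pass in the result of `json.load` on the output of the `tshark ... -Tjson --no-duplicate-keys` command, after checking the subtree key name against your own output.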