I want to capture messages of Diameter protocol (over SCTP) by tshark on the screen, expanded.
First, I couldn't find what to write after the switch '-f' to filter only Diameter messages, but then I found the switch '-R', which accepted 'diameter'.
So, currently my command looks like:
tshark -i el0 -R diameter -V
This is all fine, at least as long as the packets are small enough.
However, for bigger packets, I get the error
[Unreassembled Packet: DIAMETER]
[Expert Info (Warn/Reassemble): Unreassembled Packet (Exception occurred)]
[Message: Unreassembled Packet (Exception occurred)]
and the packets are indeed not reassembled in the output.
I was googling for a solution, and found that the modification below might do the defragmentation:
tshark -i el0 -R diameter -V -o ip.defragment:TRUE
But it just doesn't help.
Any simple solution for this problem? (It is also OK to do the defragmentation afterwards somehow.)
Finally I have found it!
In Wireshark there is a checkbox for several protocol-related options; in particular, for Diameter defragmentation you need to mark the checkbox
Reassemble fragmented SCTP user messages
to get the long Diameter messages properly displayed.
Each of these protocol options has its own corresponding tshark parameter; here you have to use
-o sctp.reassembly:TRUE
(In general, look at the preferences file belonging to Wireshark.)
So, what method finally worked is
tshark -i EL0 -f sctp -w raw_capture.pcap
and then the tshark command:
tshark -r raw_capture.pcap -R diameter -o sctp.reassembly:TRUE -V
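To show what the sctp.reassembly preference actually does for the dissector, here is an added example (not code from the question, the answer, or the Wireshark project). It builds a constructed Diameter CER whose body is larger than one SCTP DATA chunk, splits it into fragments using the real SCTP B/E fragment flags and TSN ordering (RFC 4960), and compares the Diameter header parsed from a single fragment with the header parsed from the reassembled user message. The hostnames, AVP contents and fragment size are constructed values chosen for the demonstration; the Diameter header and AVP layouts follow RFC 6733, and PPID 46 is the IANA SCTP payload protocol identifier for Diameter.

```python
import struct

# SCTP DATA chunk flags (RFC 4960 section 3.3.1): B = first fragment, E = last fragment.
FLAG_B = 0x02
FLAG_E = 0x01
PPID_DIAMETER = 46  # IANA SCTP payload protocol identifier for Diameter


def build_data_chunk(tsn, stream_id, ssn, ppid, payload, first, last):
    """Build one SCTP DATA chunk (type 0) carrying a fragment of a user message."""
    flags = (FLAG_B if first else 0) | (FLAG_E if last else 0)
    length = 16 + len(payload)  # chunk length covers the 16-byte header plus data, not padding
    chunk = struct.pack("!BBHIHHI", 0, flags, length, tsn, stream_id, ssn, ppid) + payload
    return chunk + b"\x00" * (-len(chunk) % 4)  # chunks are padded to a 4-byte boundary


def parse_data_chunk(chunk):
    ctype, flags, length, tsn, sid, ssn, ppid = struct.unpack("!BBHIHHI", chunk[:16])
    if ctype != 0:
        raise ValueError("not a DATA chunk")
    return {"flags": flags, "tsn": tsn, "sid": sid, "ssn": ssn, "ppid": ppid,
            "data": chunk[16:length]}


def reassemble(chunks):
    """Join fragments from the B fragment to the E fragment in TSN order, per (stream, SSN).

    This is the job the 'Reassemble fragmented SCTP user messages' preference delegates
    to the SCTP dissector; without it each fragment is handed to Diameter on its own.
    """
    pending = {}
    messages = []
    for c in sorted((parse_data_chunk(x) for x in chunks), key=lambda c: c["tsn"]):
        key = (c["sid"], c["ssn"])
        if c["flags"] & FLAG_B:
            pending[key] = bytearray()
        if key not in pending:
            raise ValueError("fragment seen without its B (first) fragment")
        pending[key] += c["data"]
        if c["flags"] & FLAG_E:
            messages.append((c["ppid"], bytes(pending.pop(key))))
    return messages, pending


def avp(code, value, flags=0x40):
    """Diameter AVP (RFC 6733 section 4.1): code, flags, 3-byte length, data padded to 4 bytes."""
    length = 8 + len(value)  # AVP length excludes padding
    return struct.pack("!II", code, (flags << 24) | length) + value + b"\x00" * (-len(value) % 4)


def build_diameter(cmd_code, app_id, hbh, e2e, request, avps):
    """Diameter header (RFC 6733 section 3): version 1, 3-byte message length, flags, command code."""
    flags = 0x80 if request else 0x00
    length = 20 + len(avps)
    return struct.pack("!IIIII", (1 << 24) | length, (flags << 24) | cmd_code, app_id, hbh, e2e) + avps


def parse_diameter_header(data):
    if len(data) < 20:
        raise ValueError("short Diameter header")
    w0, w1, app_id, hbh, e2e = struct.unpack("!IIIII", data[:20])
    length = w0 & 0xFFFFFF
    return {"version": w0 >> 24, "length": length, "flags": w1 >> 24,
            "command_code": w1 & 0xFFFFFF, "app_id": app_id, "hop_by_hop": hbh,
            "end_to_end": e2e,
            # The dissector's "Unreassembled Packet" condition: header says more bytes than we hold.
            "complete": len(data) >= length}


def demo(fragment_size=1200):
    # Constructed CER (command code 257) with a deliberately oversized filler AVP.
    avps = (avp(264, b"client.example.test")      # Origin-Host, constructed value
            + avp(296, b"example.test")           # Origin-Realm, constructed value
            + avp(269, b"X" * 2600))              # Product-Name used as constructed filler
    msg = build_diameter(257, 0, 0x1234, 0x5678, True, avps)
    pieces = [msg[i:i + fragment_size] for i in range(0, len(msg), fragment_size)]
    chunks = [build_data_chunk(1000 + i, 0, 7, PPID_DIAMETER, p, i == 0, i == len(pieces) - 1)
              for i, p in enumerate(pieces)]
    # What Diameter sees without SCTP reassembly: only the first fragment's bytes.
    first_only = parse_diameter_header(parse_data_chunk(chunks[0])["data"])
    # Deliver the chunks out of order to show that TSN ordering is what matters.
    messages, pending = reassemble(reversed(chunks))
    ppid, data = messages[0]
    full = parse_diameter_header(data)
    return {"fragments": len(pieces), "original_len": len(msg),
            "first_fragment_complete": first_only["complete"],
            "reassembled_complete": full["complete"], "reassembled_len": len(data),
            "command_code": full["command_code"], "ppid": ppid, "pending": len(pending)}


if __name__ == "__main__":
    print(demo())
```

The single-fragment parse reports a Diameter length larger than the bytes available, which is exactly the state behind the "[Unreassembled Packet: DIAMETER]" expert info; after reassembly the header length matches the data. One practical caveat when reusing the commands above: on current tshark releases `-R` is a two-pass read filter that must be combined with `-2`, and `-Y` is the single-pass display filter, so `tshark -r raw_capture.pcap -Y diameter -o sctp.reassembly:TRUE -V` is the usual form today.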