Stop tshark capture

I need to stop capturing after a specified number of Diameter messages have been received. I tried using tshark, but the -c <capture packet count> option is not what I need.
Any idea how I can do that? The solution has to work on Linux.
Thanks!

How about using the -a option to specify an auto-stop condition?

Instead of Diameter messages, you can estimate the capture file size value in KB and specify it as the auto-stop condition.

Thank you, Yoda! The autostop condition as implemented by tshark is not an option. The messages can be quite different in size, so I can't rely on size. All I'm interested in is the message type (e.g. CER, CEA, CCR, RAR) and how many messages were exchanged. If I could filter out some messages (e.g. CER, CEA, DWR, DWA), that would be better.

In fact, what I want to achieve is to automate functional testing with Seagull. Because Seagull is only able to send Diameter requests, and in my scenario I need to send SOAP requests from time to time, I want to run tshark in parallel with the Seagull scenario, count Diameter messages and send a SOAP request when it's time. Any other idea on how to do that would be highly appreciated.

Thanks again!

I checked the tshark manual and unfortunately I don't think there is an option to stop capturing upon reaching a certain number of messages.

But you can let the capture run for a certain period of time and apply a filter based on your preference.

Unfortunately, filtering offline is not an option either. The whole point is to model an ongoing scenario and that has to happen in real time.

As I said I'm open to any solution so I don't need to rely exclusively on tshark. I tried something like this:

tshark -i any | grep DIAMETER | awk 'BEGIN {MESSAGES=0}; /DIAMETER/ {if (MESSAGES<=6) MESSAGES++; else exit;}; END {print MESSAGES}'

but that only stopped awk and not tshark. I think I could do a kill on wireshark PID instead of exiting awk but I don't know how to get tshark PID in this setup.

Thanks!

I changed the approach a little bit. I noticed I don't actually need to kill tshark in order to stop the capture.

I have the following Diameter input:

host:~/work/regression$ sudo script -q -c 'tshark -i any' /dev/null | grep DIAMETER 
  0.156393    10.0.2.15 -> 10.22.182.20 DIAMETER 236 cmd=Capabilities-ExchangeRequest(257) flags=R--- appl=Diameter Common Messages(0) h2h=0 e2e=0
  0.410201 10.22.182.20 -> 10.0.2.15    DIAMETER 332 cmd=Capabilities-ExchangeAnswer(257) flags=---- appl=Diameter Common Messages(0) h2h=0 e2e=0
  0.912780    10.0.2.15 -> 10.22.182.20 DIAMETER 408 cmd=Credit-ControlRequest(272) flags=R--- appl=3GPP Gx(16777238) h2h=1a64 e2e=fa0
  1.095632 10.22.182.20 -> 10.0.2.15    DIAMETER 276 cmd=Credit-ControlAnswer(272) flags=---- appl=3GPP Gx(16777238) h2h=1a64 e2e=fa0
  1.097361    10.0.2.15 -> 10.22.182.20 DIAMETER 312 cmd=Credit-ControlRequest(272) flags=R--- appl=3GPP Gx(16777238) h2h=1a65 e2e=fa1
  1.275714 10.22.182.20 -> 10.0.2.15    DIAMETER 204 cmd=Credit-ControlAnswer(272) flags=---- appl=3GPP Gx(16777238) h2h=1a65 e2e=fa1
  1.277086    10.0.2.15 -> 10.22.182.20 DIAMETER 312 cmd=Credit-ControlRequest(272) flags=R--- appl=3GPP Gx(16777238) h2h=1a66 e2e=fa2
  1.462886 10.22.182.20 -> 10.0.2.15    DIAMETER 204 cmd=Credit-ControlAnswer(272) flags=---- appl=3GPP Gx(16777238) h2h=1a66 e2e=fa2

After the eighth incoming Diameter message I want to run a script:

sudo script -q -c 'tshark -i any' /dev/null | grep DIAMETER | awk 'BEGIN {MESSAGES=0}; /DIAMETER/ {if (MESSAGES<8) {MESSAGES++;print MESSAGES;} else exit;}; END {print MESSAGES}'; ./do_something.sh

The following command seems to work well (meaning it launches do_something.sh) if I replace DIAMETER with HTTP in grep and DIAMETER with GET in awk, but for some reason with Diameter traffic it just never stops. If I terminate it with CTRL+C I get the following output that makes me think there's something with the awk script:

host:~/work/regression$ sudo script -q -c 'tshark -i any' /dev/null | grep DIAMETER | awk 'BEGIN {MESSAGES=0}; /DIAMETER/ {if (MESSAGES<8) {MESSAGES++;print MESSAGES;} else exit;}; END {print MESSAGES}'; ./do_something.sh 
1
2
3
4
5
6
7
8
8

Any ideas?
Thanks!

---------- Post updated at 06:25 PM ---------- Previous update was at 02:10 AM ----------

I've noticed if I do the following the awk script works fine with Diameter traffic:

sudo script -q -c 'tshark -i any' /dev/null | grep DIAMETER | tee snoop.txt

cat snoop.txt | awk 'BEGIN {MESSAGES=0}; /DIAMETER/ {if (MESSAGES<8) {MESSAGES++;print MESSAGES;} else exit;}; END {print MESSAGES}'; ./do_something.sh
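
An added example, not part of the thread: the awk rule posted above only reaches `exit` when a ninth matching line arrives, so this sketch exits on the Nth counted message, skips handshake and watchdog commands, and stops tshark through the PID the shell reports in `$!`. The function names are hypothetical, and the `Device-Watchdog` pattern is an assumption modelled on the `Capabilities-Exchange` names in the capture; `-l` and `-Y` are standard tshark options.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.
# Count Diameter summary lines on stdin, ignoring commands matching regex $2,
# and exit ON the Nth counted line. Prints the count; returns 1 if stdin
# ended before the limit was reached.
count_diameter() {
    limit=$1
    skip=$2
    [ -n "$skip" ] || skip='^$'   # default: ignore nothing
    awk -v limit="$limit" -v skip="$skip" '
        / DIAMETER / {
            if (match($0, /cmd=[^(]+/) &&
                substr($0, RSTART + 4, RLENGTH - 4) ~ skip) next
            if (++n >= limit) { print n; exit }
        }
        END { if (n < limit) { print n + 0; exit 1 } }'
}

# Start tshark in the background, keep its PID, block until the Nth message,
# stop the capture, then run the given command. Assumes the script already
# runs with capture privileges, so $! is tshark itself and not a sudo wrapper.
run_after_n() {
    limit=$1; shift
    fifo=$(mktemp -u) && mkfifo "$fifo" || return 1
    # -l flushes stdout after each packet; -Y diameter replaces grep, which
    # block-buffers its output when writing to a pipe.
    # "Device-Watchdog" below is an assumed command name (not in the capture).
    tshark -l -i any -Y diameter > "$fifo" 2>/dev/null &
    ts_pid=$!
    count_diameter "$limit" 'Capabilities-Exchange|Device-Watchdog' < "$fifo"
    kill "$ts_pid" 2>/dev/null
    rm -f "$fifo"
    "$@"
}

# Constructed sample input: the eight summary lines shown in the thread.
sample_lines() {
    cat <<'EOF'
  0.156393    10.0.2.15 -> 10.22.182.20 DIAMETER 236 cmd=Capabilities-ExchangeRequest(257) flags=R--- appl=Diameter Common Messages(0) h2h=0 e2e=0
  0.410201 10.22.182.20 -> 10.0.2.15    DIAMETER 332 cmd=Capabilities-ExchangeAnswer(257) flags=---- appl=Diameter Common Messages(0) h2h=0 e2e=0
  0.912780    10.0.2.15 -> 10.22.182.20 DIAMETER 408 cmd=Credit-ControlRequest(272) flags=R--- appl=3GPP Gx(16777238) h2h=1a64 e2e=fa0
  1.095632 10.22.182.20 -> 10.0.2.15    DIAMETER 276 cmd=Credit-ControlAnswer(272) flags=---- appl=3GPP Gx(16777238) h2h=1a64 e2e=fa0
  1.097361    10.0.2.15 -> 10.22.182.20 DIAMETER 312 cmd=Credit-ControlRequest(272) flags=R--- appl=3GPP Gx(16777238) h2h=1a65 e2e=fa1
  1.275714 10.22.182.20 -> 10.0.2.15    DIAMETER 204 cmd=Credit-ControlAnswer(272) flags=---- appl=3GPP Gx(16777238) h2h=1a65 e2e=fa1
  1.277086    10.0.2.15 -> 10.22.182.20 DIAMETER 312 cmd=Credit-ControlRequest(272) flags=R--- appl=3GPP Gx(16777238) h2h=1a66 e2e=fa2
  1.462886 10.22.182.20 -> 10.0.2.15    DIAMETER 204 cmd=Credit-ControlAnswer(272) flags=---- appl=3GPP Gx(16777238) h2h=1a66 e2e=fa2
EOF
}
```

For a live run, source the file and call `run_after_n 8 ./do_something.sh`; `sample_lines | count_diameter 6 'Capabilities-Exchange'` exercises the counter offline.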