Tags: python, scapy

Why Scapy PcapReader method shows Raw instead of DiamG?


I have a pcap file generated with tcpdump that contains Diameter traffic, and I am reading it with Scapy's PcapReader. It shows me that each packet has a DiamG layer, so AVPs can be easily extracted.

However, with another Diameter pcap file from another server, PcapReader shows me that the Diameter packets have a Raw layer instead of DiamG, so I cannot access the AVPs.

Both pcaps can be successfully read with Wireshark to analyze the Diameter traffic. The difference between the two files is that in the first one the Diameter port used is 3868 (which is the standard), so I think that's why PcapReader identifies it correctly. However, in the second file the Diameter port is a non-standard number (50XXX), so I get a Raw layer instead of DiamG on each packet. How can I correctly read the Diameter information (AVPs, etc.) from the second file?

I'm using the following code to read each packet:

  from scapy.all import PcapReader

  with PcapReader(f'{workdir}/data/{file}') as pr:
    for p in pr:
      x = p[0]  # index 0 is the outermost layer, i.e. the whole packet
      print(x)

With first pcap file I get:

CookedLinux / IP / TCP 10.66.80.210:13201 > 10.83.178.138:3868 PA / DiamG
CookedLinux / IP / TCP 10.83.178.138:3868 > 10.66.80.210:13201 PA / DiamG
...

With the second file (which also contains Diameter traffic), I get:

CookedLinux / IP / TCP 10.179.217.91:37196 > 10.179.217.31:50124 PA / Raw
CookedLinux / IP / TCP 10.179.217.31:50124 > 10.179.217.91:37196 PA / Raw


Solution

  • Reading the documentation, I found the method pkt.decode_payload_as(), which lets you specify the way the payload is decoded. In my case, I wanted to decode a TCP payload as Diameter, which is achieved with the following statement:

    from scapy.all import TCP
    from scapy.contrib.diameter import DiamG  # Diameter lives in Scapy's contrib modules

    p[TCP].decode_payload_as(DiamG)

    where DiamG is the target payload's class.
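As an added example (not code from the question or the answer above), a pure-Python check that a TCP payload actually starts with a Diameter header before you force it with decode_payload_as, plus a bounds-checked walk over its AVPs; the sample_cer() message and the hypothetical Hop-by-Hop/End-to-End identifiers are constructed here, and the field layout follows RFC 6733.

```python
# Added example (not from the question or the answer): sanity-check raw TCP
# bytes as a Diameter message (RFC 6733 layout) and walk its AVPs.
import struct

def is_diameter_header(payload: bytes) -> bool:
    """True if the buffer starts with a plausible Diameter header:
    version byte 1, 4-byte-aligned length that fits inside the buffer."""
    if len(payload) < 20:
        return False
    msg_len = int.from_bytes(payload[1:4], "big")
    return payload[0] == 1 and msg_len % 4 == 0 and 20 <= msg_len <= len(payload)

def parse_avps(payload: bytes):
    """Return (code, flags, vendor_id, data) per AVP after the 20-byte header;
    raises ValueError on a truncated or malformed AVP instead of overreading."""
    avps, off = [], 20
    while off < len(payload):
        if off + 8 > len(payload):
            raise ValueError("truncated AVP header at offset %d" % off)
        code, flags = struct.unpack("!IB", payload[off:off + 5])
        avp_len = int.from_bytes(payload[off + 5:off + 8], "big")
        hdr, vendor = 8, None
        if flags & 0x80:                       # V bit: 4-byte Vendor-ID follows
            if off + 12 > len(payload):
                raise ValueError("truncated Vendor-ID at offset %d" % off)
            vendor = struct.unpack("!I", payload[off + 8:off + 12])[0]
            hdr = 12
        if avp_len < hdr or off + avp_len > len(payload):
            raise ValueError("bad AVP length %d at offset %d" % (avp_len, off))
        avps.append((code, flags, vendor, payload[off + hdr:off + avp_len]))
        off += (avp_len + 3) & ~3             # AVPs are padded to 4-byte boundaries
    return avps

def build_avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    """Constructed test helper: one AVP without Vendor-ID, M flag set, padded."""
    length = 8 + len(data)
    body = struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data
    return body + b"\x00" * (-len(data) % 4)

def sample_cer() -> bytes:
    """Constructed Capabilities-Exchange-Request (command 257) carrying
    Origin-Host (AVP 264) and Origin-Realm (AVP 296)."""
    avps = build_avp(264, b"client.example") + build_avp(296, b"example")
    hdr = bytes([1]) + (20 + len(avps)).to_bytes(3, "big")
    hdr += bytes([0x80]) + (257).to_bytes(3, "big")          # R flag, CER
    hdr += struct.pack("!III", 0, 0x11223344, 0x55667788)    # App-ID, Hop-by-Hop, End-to-End
    return hdr + avps
```

Run is_diameter_header on bytes(p[TCP].payload) before calling p[TCP].decode_payload_as(DiamG), so a non-Diameter segment on that port is not mis-dissected silently. To re-dissect every packet on the non-standard port instead of patching each one, Scapy's bind_layers(TCP, DiamG, dport=50124) (and the sport variant) binds the class to that port for the whole session.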