The lishark Script

The lishark script decodes Lawful Interception HI records from a live capture or from stored pcap files. It can be run from the command line or through a GUI.

Requirements

The lishark script requires a local installation of tshark. See the installation section for more information.

Basic Command Line Usage For Network Captures

Simply run with the name of an interface to start a live capture:

lishark -i eth0

Or all interfaces:

lishark -i any

Or a pcap file:

lishark hi2.pcap

You can specify multiple files:

lishark hi1.pcap hi1_2.pcap hi1_3.pcap

Use wildcards to decode all matching files:

lishark *.pcap

If the data is transferred over FTP, use the --ftp option:

lishark hi2_over_ftp.pcap --ftp

Or for TPKT:

lishark hi2_over_tpkt.pcap --tpkt

The GUI Application

Running the lishark script without any arguments launches the lishark GUI. Live captures cannot currently be started from the GUI, so it can only be used to decode existing pcap files.

lishark

As with the CLI, multiple files can be selected and wildcards can be used to match multiple PCAPs.

Filters

The lishark script supports several ways of filtering. They are listed in this section in order of performance: capture filters are fastest, then display filters, then attribute-level filtering.

For live captures only, you can apply a capture filter with the -f option:

lishark -i any -f "port 4000"

For more information on capture filters, see https://wiki.wireshark.org/CaptureFilters.

All of the following work with both live captures and pcap files, and are available to be selected in the GUI:

You can apply a display filter with the -Y option:

lishark -i any -Y "tcp.port==4000"

For more information on display filters see https://wiki.wireshark.org/DisplayFilters.

The lishark script also supports a special kind of display filter that searches within the packet data. For example, to keep only packets containing a given LIID, use the -z option:

lishark hi2.pcap -z 1234568

The -z option works for fields encoded as strings. For fields encoded as integers use the -Z option, for example to filter on the CIN:

lishark hi2.pcap -Z 1234568

As with the lidecode script, you can also apply attribute-level filters with the -F option. The filter format is "attribute operator value":

lishark hi2.pcap -F "liid = 12345678"
lishark hi2.pcap -F "sequence_number < 10"

There must be spaces around the operator, and all options must come after the filenames.

TLS

To decode packets that were encrypted with TLS, consult the developers of the LI application about whether it can write the TLS session keys to a key log file. Most LI applications will not support this for security reasons. If one does, treat the key log file as at least as sensitive as the intercepted data it unlocks.

If such a file is available, provide it with the -t option so the TLS traffic can be decrypted:

lishark hi2_tls.pcap -t tls_keylogfile.txt

Additional options

The following options match those of the lidecode script. See the lidecode script documentation for more information:

-F: Filter by attributes
-I: Interface standard
-r: Print as rows
-a: Print as attributes
-k: Decryption key for ETSI TS 102 232-1 encryption containers

If no interface standard is specified, the script will auto-detect the standard from the first packet found. This causes errors if the capture contains more than one standard; in that case the standard to use must be specified explicitly.

To print out the header for each packet containing decoded data use the -P option:

lishark -P hi2.pcap
Packet Number: 10 captured at 2020-03-10 12:47:29.487585; TCP Stream 1; src: 192.168.56.4:40450 dst: 192.168.56.1:3810
pSHeader:
  authorizationCountryCode: --
  communicationIdentifier:
    deliveryCountryCode: US
    networkIdentifier:
      operatorIdentifier: '-'
  lawfulInterceptionIdentifier: '-'
  li-psDomainId: [0, 4, 0, 2, 2, 5, 1, 14]
  sequenceNumber: 0
  timeStamp: ['2020', '03', '10', '12', '47', '29', '487', Z]
  timeStampQualifier: timeOfMediation
payload:
- tRIPayload
- [keep-alive, 0]
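The -P header output above is regular enough to post-process. The following is an added example and not part of lishark or lidecode: it parses that output into one record per packet, groups records by TCP stream and LIID, and flags any sequenceNumber that does not follow its predecessor, which is a quick way to spot records missing from a delivery stream before digging into the capture itself. It assumes the header line format and the indented `key: value` layout match the sample shown, and `run_lishark` assumes lishark is on the PATH and follows the rule that options come after the filename. The output embedded in the block is constructed from the page's sample, not taken from a real capture.

```python
"""Parse `lishark -P` output and flag sequence-number gaps per delivery stream.
Added example for this page, not part of lishark/lidecode. Assumes the header
line and the indented `key: value` layout match the page's sample output."""
import re
import subprocess
from collections import defaultdict

# One header line per decoded packet, as printed by lishark -P.
HEADER_RE = re.compile(
    r"^Packet Number: (?P<pkt>\d+) captured at (?P<ts>[^;]+); "
    r"TCP Stream (?P<stream>\d+); src: (?P<src>\S+) dst: (?P<dst>\S+)$"
)
# Indented scalar fields of the pSHeader block, e.g. "  sequenceNumber: 0".
FIELD_RE = re.compile(r"^\s+(?P<key>[\w-]+): (?P<value>\S.*)$")
WANTED = {"lawfulInterceptionIdentifier", "sequenceNumber", "timeStampQualifier"}


def parse_lishark_p(text):
    """Return one dict per packet: header fields plus the WANTED pSHeader scalars."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"packet": int(m["pkt"]), "stream": int(m["stream"]),
                       "src": m["src"], "dst": m["dst"], "captured_at": m["ts"]}
            records.append(current)
            continue
        f = FIELD_RE.match(line)
        if current is not None and f and f["key"] in WANTED:
            current[f["key"]] = f["value"].strip("'")  # drop YAML-style quotes
    return records


def find_sequence_gaps(records):
    """Per (TCP stream, LIID), report every sequenceNumber that is not the
    previous one plus one. Returns (key, prev_seq, seq, packet) tuples."""
    by_key = defaultdict(list)
    for r in records:
        if "sequenceNumber" in r:
            by_key[(r["stream"], r.get("lawfulInterceptionIdentifier"))].append(r)
    gaps = []
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["packet"])
        for prev, cur in zip(recs, recs[1:]):
            p, c = int(prev["sequenceNumber"]), int(cur["sequenceNumber"])
            if c != p + 1:
                gaps.append((key, p, c, cur["packet"]))
    return gaps


def run_lishark(pcap, extra_args=()):
    """Run lishark -P on a pcap (options after the filename, as documented) and
    parse its stdout. Assumes lishark and tshark are installed locally."""
    proc = subprocess.run(["lishark", pcap, "-P", *extra_args],
                          check=True, capture_output=True, text=True)
    return parse_lishark_p(proc.stdout)


# Constructed sample modeled on the -P output above (not a real capture):
# sequence numbers 0, 1, then 3 on one stream, so record 2 is missing.
SAMPLE_OUTPUT = """\
Packet Number: 10 captured at 2020-03-10 12:47:29.487585; TCP Stream 1; src: 192.168.56.4:40450 dst: 192.168.56.1:3810
pSHeader:
  authorizationCountryCode: --
  communicationIdentifier:
    deliveryCountryCode: US
    networkIdentifier:
      operatorIdentifier: '-'
  lawfulInterceptionIdentifier: '12345678'
  li-psDomainId: [0, 4, 0, 2, 2, 5, 1, 14]
  sequenceNumber: 0
  timeStamp: ['2020', '03', '10', '12', '47', '29', '487', Z]
  timeStampQualifier: timeOfMediation
payload:
- tRIPayload
- [keep-alive, 0]
Packet Number: 12 captured at 2020-03-10 12:47:30.101000; TCP Stream 1; src: 192.168.56.4:40450 dst: 192.168.56.1:3810
pSHeader:
  lawfulInterceptionIdentifier: '12345678'
  sequenceNumber: 1
  timeStampQualifier: timeOfMediation
Packet Number: 15 captured at 2020-03-10 12:47:31.250000; TCP Stream 1; src: 192.168.56.4:40450 dst: 192.168.56.1:3810
pSHeader:
  lawfulInterceptionIdentifier: '12345678'
  sequenceNumber: 3
  timeStampQualifier: timeOfMediation
"""

if __name__ == "__main__":
    # On a real pcap use: run_lishark("hi2.pcap", ["-F", "liid = 12345678"])
    for key, p, c, pkt in find_sequence_gaps(parse_lishark_p(SAMPLE_OUTPUT)):
        print(f"stream {key[0]} LIID {key[1]}: sequence jumped {p} -> {c} at packet {pkt}")
```

Grouping by TCP stream as well as LIID matters because a capture may contain several deliveries of the same LIID (for example after a reconnect), each of which restarts its own sequence; comparing across streams would produce false gaps. An attribute filter such as `-F "liid = 12345678"` passed through `extra_args` keeps lishark from decoding records you are not interested in, which is much faster on large captures than filtering after the fact.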

Use the -c option to limit the number of packets that will be searched for records, which is useful for large captures:

lishark hi2.pcap -c10

To automatically stop a live capture after a certain number of seconds, use the -d option:

lishark -i any -d10

Help for lishark script

Use the -h option to get the full list of command line options:

lishark -h

Or -e to see some example usages:

lishark -e