Ask Your Question
0

A way to filter AOE requests without responses

asked 2018-09-05 13:46:28 +0000

Vitaly.S. gravatar image

Is there any way to display (filter) only those AOE (ATA over Ethernet) protocol request messages which do not have corresponding responses? I.e., when there are no matching response message with the same value of AOE Tag and response flag set in the Flags field?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-09-05 14:36:15 +0000

grahamb gravatar image

In general this is difficult as filters only operate on a single packet at a time, it's either in or out based on the contents of the packet.

For protocols that include a link to the response in the request, as AOE does with the aoe.response_in field, then you should be able to filter on this. I'm unable to test this (I have no AOE captures) but try !aoe.response && ! aoe.response_in. This first part should select AOE requests, the second part limits to those without the response_in field.

edit flag offensive delete link more

Comments

Another possibility is MATE, now documented in the User Guide too.

cmaynard gravatar imagecmaynard ( 2018-09-05 15:47:44 +0000 )edit

Thanks, the expression "(aoe.response == 0) && !aoe.response_in" seems to work.

Vitaly.S. gravatar imageVitaly.S. ( 2018-09-06 10:15:32 +0000 )edit

Ah yes, the change to the first part of the condition ensures the field is present and not set, this will only in AOE requests. My original version would select all packets that didn't have the aoe.response field which could include a lot of other packets other than AOE requests.

grahamb gravatar imagegrahamb ( 2018-09-06 10:31:34 +0000 )edit

One interesting thing in addition: it seems that Wireshark tries to apply filter and colorization rules to the packet as soon as the log string corresponding to that packet is first presented to the user. This leads to incorrect marking of ALL AOE requests as if they are matched this filter, if "Autoscroll in live capture" checkbox is set, since at the moment when request is being sent, response is not exist (yet). I found a workaround: one can uncheck and then re-check "Colorize packet list" menu item under "View" main menu item. After this Wireshark recalculates coloring rules values to displayed log strings.

Vitaly.S. gravatar imageVitaly.S. ( 2018-09-06 12:59:14 +0000 )edit

This ia a consequence of live capture. When the AOE request is dissected there is no information about the response has it hasn't yet been received so the field can't be added. Your work-around forces a second dissection pass over the packets and now when dissecting the request the info about the response is available. When opening an existing capture file the 2 passes are done automatically, for tshark you have to add the -2 parameter to run the 2nd pass.

You might find also scrolling the packets out of and back into view might redissect them causing the info to be added.

grahamb gravatar imagegrahamb ( 2018-09-06 13:17:53 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-09-05 13:46:28 +0000

Seen: 2,943 times

Last updated: Sep 06 '18