This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark MATE: multiple combined Stop criterion for Gop

0

Hi guys,

didn't do very much with MATE yet, so perhaps I've missed something.
I need to define a Stop criterion with multiple dependencies.
For instance:
Stop if diameter.cmd.code=275 AND diameter.flags.request=0
The goal is to include not only the Session Termination Request but also the Answer within the Gop.
But every MATE example I found defined only a single Stop criterion.
Has this kind of combined criterion been implemented at all? And if so, what's the syntax?
And if not (that's what I'm afraid of), could somebody provide an example of how to handle such a multiple condition with MATE?

Thanks,
Horst

asked 06 Aug '15, 02:28

Horst


2 Answers:

1

The way to build complex Start and/or Stop conditions in MATE is Transform. Unfortunately, LEGO has not (yet?) described the new syntax of Transform at the MATE wiki page. I have updated the MATE wiki page with the new syntax of Transform; examples specifically relevant to the subject of this Question follow here.

So if you excuse my close-to-zero knowledge of Diameter, in the MATE configuration file, you would do the following:

First, and maybe surprisingly before you describe the pdu from which you Extract the attributes to which you refer, you describe creation of a new AVP as a result of Match of other AVP(L)s:

Transform stop_cond {
    Match (cmd_code=275, flags_request=0) Insert (my_attr = stop);
};

The way above, the logical relationship between the two AVP matches is and. You could also define a logical or between them as in the following example, which is just an illustrative one, as for these particular attributes it would make little practical sense:

Transform aggregate_stop_cond {
    Match (cmd_code=275) Insert (my_attr = stop);
    Match (flags_request=0) Insert (my_attr = stop);
};

If you eventually need to use a Match mode other than the default Strict in the Transform, you have to add the corresponding keyword right after the Match keyword itself, i.e. Match Every or Match Loose.

So you could write the above simple example (logical or between two individual conditions) the following way:

Transform stop_cond {
    Match Loose (cmd_code=275, flags_request=0) Insert (my_attr = stop);
};

Edit: as of current (2.0.1), Loose and Every matches behave differently than expected, so the example above would insert the my_attr=stop AVP to all PDUs.

Similarly, you could omit the Insert keyword as it is only used for clarity since it is the default behaviour. The (dangerous) alternative is Replace, causing the whole AVPL you've used as a parameter to the Match to be replaced by the AVPL following the Replace keyword.

Second, you have to "execute" the Transform in the pdu description after the Extract of all attributes to which it refers:

Pdu my_diameter {
    Extract cmd_code From diameter.cmd.code ;
    Extract flags_request From diameter.flags.request ;
    Transform aggregate_stop_cond ;
};

Finally, you use the newly created "composite" AVP to define the stop condition:

Gop diameter_conversation On my_diameter Match (..., ..., ...) {
    ...
    Stop (my_attr=stop);
    ...
};

Note that you may even use a single Transform

  • to create several independent AVPs,

  • to assign different values to the same attribute, each using a different set of Match rules, of course provided that at most one such rule set defining a value can be matched for any given pdu.

Example (of little practical use):

Transform start_stop_cond {
    Match (flags_error=1) Insert (my_error = 1);
    Match (flags_request=1) Insert (my_attr = start);
    Match (flags_request=0) Insert (my_attr = stop);
};

Pdu … { … Transform start_stop_cond ; … };

Gop … { … Start (my_attr=start); Stop (my_attr=stop); Extra (my_error); … };

answered 20 Feb ‘16, 09:55

sindy

edited 03 Mar ‘16, 00:59
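
The three steps of the answer above, assembled into one MATE configuration file for the AND case from the question. This is an added example, not part of the original answer. The names dia_stop, dia_pdu, dia_session and session_id, the Transport ip line, the use of diameter.Session-Id as the Gop key and the Start condition are assumptions to adapt to the capture at hand.

```text
// Added example (not from the original answer). All names except the
// diameter.cmd.code and diameter.flags.request fields are assumptions.

// Step 1: the Transform is declared before the Pdu that uses it.
// Default (Strict) match: both AVPs must match, i.e. a logical AND.
// Insert adds my_attr=stop to the PDU's AVPL and leaves the
// matched AVPs in place.
Transform dia_stop {
    Match (cmd_code=275, flags_request=0) Insert (my_attr=stop);
};

// Step 2: extract every attribute the Transform refers to, then run it.
// "Transport ip" is an assumption; adjust it to the stack in the capture.
Pdu dia_pdu Proto diameter Transport ip {
    Extract session_id From diameter.Session-Id;   // assumed Gop key
    Extract cmd_code From diameter.cmd.code;
    Extract flags_request From diameter.flags.request;
    Transform dia_stop;
};

// Step 3: the composite AVP is the Stop condition, so the Gop is only
// stopped by the answer (request flag 0) carrying command code 275.
Gop dia_session On dia_pdu Match (session_id) {
    Start (flags_request=1);   // assumed start condition: any request
    Stop (my_attr=stop);
};

Done;
```

With this file loaded as the MATE configuration, the display filter mate.dia_session selects the PDUs assigned to a Gop, which makes it easy to confirm that the answer with command code 275 is the PDU that stops the session.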

"Unfortunately, LEGO has not (yet?) described the new syntax of Transform at the MATE wiki page."

Luis likely won’t be updating anything; he’s been quiet for some time now. Hopefully someone will take the time to update all the mate files though. For what it’s worth, I’ve filed a bug report against the obsolete mate files. See Wireshark Bug 12118.

(22 Feb ‘16, 08:17) cmaynard ♦♦

Hey sindy, many thanks for your answer. I’m quite busy at the moment but hopefully I’ll find the time to dig into it.

(02 Mar ‘16, 22:26) Horst

0

Actually I don't think it's really necessary to have this combination in the stop condition. MATE will include the Stop PDU (code=275) in the GOP but it will also include the Answer as being "After stop PDU." At least this shows up in the list of PDUs in the session.

I'm not sure if the fact that it's after the Stop PDU will matter but certainly the PDUs appear to be counted as part of the GOP.

(FWIW I don't think it's possible to actually have a complex stop condition like you listed. But I could always be wrong...)

answered 05 Oct '15, 12:07

JeffMorriss ♦