Hi team - I'm trying to work out what's changed in Wireshark between version 2 and 2.6 with regard to MATE
Previously I was successfully matching sessions and PDUs based on the following - but now a new PDU is being created for every messagemessage
refined question yesterday, with updated MATE filter
Hi team - I've finally gotten around to looking at my MATE dissector issues in 2.6 code
I have worked out a MATE dissector which works(ish) but I'm able to match only on the request_id
Pdu giop_pdu Proto giop Transport tcp/ip {
Extract giop_addr From ip.addr;
Extract giop_port From tcp.port;
Extract giop_request_id From giop.request_id;
Extract giop_request_op From giop-q_quentin.Request_Operation;
Extract giop_type From giop.type;
Extract giop_request_id From giop.request_id;
Extract giop_request_op From giop.request_op;
};
Gop giop_req On giop_pdu Match (giop_addr, giop_addr, giop_port, giop_port,giop_request_id) (giop_request_id) {
Start (giop_type = 0);
(giop_type=0);
Stop (giop_type = 1);
Extra (giop_request_op);
(giop_type=1);
};
Gog giop_session {
Member giop_req(giop_addr, giop_addr, giop_port, giop_port,giop_request_id );
Extra (giop_request_op);
};
Done;
Only about 3% of all the GIOP packets in my test capture have a value stored for the extracted field giop_addr
I could use the regular ip.src or ip.addr values, but I'd really like to know why - in many (if not most) cases it's only one half of the conversation that has the giop_addr and giop_port fields populated.
It does appear to have changed since 2.2, and that could be why my previously working MATE dissector is now broken.
Sample file: https://www.dropbox.com/s/fg015gu4wlgyhlk/giop_filtered.pcapng.gz?dl=0
New dissector: https://www.dropbox.com/s/7s47datxxtqgr2t/quantel.mate?dl=0
Old dissector: https://www.dropbox.com/s/brvfq2wilm0fkzi/old_quantel.mate?dl=0
Now, I'm getting the PDU displayed, but I'm not able to filter on the request/reply
https://i.imgur.com/XVR06dR.png (image linked separately so it's easier to view)
I'm sure I'm missing something obvious, but I can't work out the syntax to ensure that I'm matching the right object in the reply
solved by Sindy below
Linked question that I asked yesterday after drilling down into it:
https://ask.wireshark.org/question/5499/mate-protocol-weirdness/
And the bug raised yesterday: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15208