Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2018-08-08 03:08:40 +0000

Scott Harman gravatar image

Updating MATE config

Hi team - I'm trying to work out what's changed in Wireshark between version 2 and 2.6 with regard to MATE

Previously I was successfully matching sessions and PDUs based on the following - but now a new PDU is being created for every message

Pdu giop_pdu Proto giop Transport tcp/ip {
    Extract giop_addr From ip.addr;
    Extract giop_port From tcp.port;
    Extract giop_type From giop.type;
    Extract giop_request_id From giop.request_id;
    Extract giop_request_op From giop.request_op;
};

Gop giop_req On giop_pdu Match (giop_addr, giop_addr, giop_port, giop_port,giop_request_id) {
        Start (giop_type = 0);
        Stop (giop_type = 1);
        Extra (giop_request_op);
};

Gog giop_session {
    Member giop_req(giop_addr, giop_addr, giop_port, giop_port,giop_request_id );
    Extra (giop_request_op);
};

Now, I'm getting the PDU displayed, but I'm not able to filter on the request/reply Capture example

I'm sure I'm missing something obvious, but I can't work out the syntax to ensure that I'm matching the right object in the reply

Updating MATE config

Hi team - I'm trying to work out what's changed in Wireshark between version 2 and 2.6 with regard to MATE

Previously I was successfully matching sessions and PDUs based on the following - but now a new PDU is being created for every message

Pdu giop_pdu Proto giop Transport tcp/ip {
    Extract giop_addr From ip.addr;
    Extract giop_port From tcp.port;
    Extract giop_type From giop.type;
    Extract giop_request_id From giop.request_id;
    Extract giop_request_op From giop.request_op;
};

Gop giop_req On giop_pdu Match (giop_addr, giop_addr, giop_port, giop_port,giop_request_id) {
        Start (giop_type = 0);
        Stop (giop_type = 1);
        Extra (giop_request_op);
};

Gog giop_session {
    Member giop_req(giop_addr, giop_addr, giop_port, giop_port,giop_request_id );
    Extra (giop_request_op);
};

Now, I'm getting the PDU displayed, but I'm not able to filter on the request/reply Capture example

https://i.imgur.com/XVR06dR.png (image linked separately so it's easier to view)

I'm sure I'm missing something obvious, but I can't work out the syntax to ensure that I'm matching the right object in the reply

Updating MATE config

Hi team - I'm trying to work out what's changed in Wireshark between version 2 and 2.6 with regard to MATE

Previously I was successfully matching sessions and PDUs based on the following - but now a new PDU is being created for every message

Pdu giop_pdu Proto giop Transport tcp/ip {
    Extract giop_addr From ip.addr;
    Extract giop_port From tcp.port;
    Extract giop_type From giop.type;
    Extract giop_request_id From giop.request_id;
    Extract giop_request_op From giop.request_op;
};

Gop giop_req On giop_pdu Match (giop_addr, giop_addr, giop_port, giop_port,giop_request_id) {
        Start (giop_type = 0);
        Stop (giop_type = 1);
        Extra (giop_request_op);
};

Gog giop_session {
    Member giop_req(giop_addr, giop_addr, giop_port, giop_port,giop_request_id );
    Extra (giop_request_op);
};

Now, I'm getting the PDU displayed, but I'm not able to filter on the request/reply Capture example

https://i.imgur.com/XVR06dR.png (image linked separately so it's easier to view)

I'm sure I'm missing something obvious, but I can't work out the syntax to ensure that I'm matching the right object in the reply

solved by Sindy below Linked question that I asked yesterday after drilling down into it: https://ask.wireshark.org/question/5499/mate-protocol-weirdness/

And the bug raised yesterday: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15208

Updating MATE config

Hi team - I'm trying to work out what's changed in Wireshark between version 2 and 2.6 with regard to MATE

Previously I was successfully matching sessions and PDUs based on the following - but now a new PDU is being created for every messagemessage refined question yesterday, with updated MATE filter

Hi team - I've finally gotten around to looking at my MATE dissector issues in 2.6 code

I have worked out a MATE dissector which works(ish) but I'm able to match only on the request_id

Pdu giop_pdu Proto giop Transport tcp/ip {
     Extract giop_addr From ip.addr;
     Extract giop_port From tcp.port;
        Extract giop_request_id From giop.request_id;
        Extract giop_request_op From giop-q_quentin.Request_Operation;
        Extract giop_type From giop.type;
    Extract giop_request_id From giop.request_id;
    Extract giop_request_op From giop.request_op;
};

Gop giop_req On giop_pdu Match (giop_addr, giop_addr, giop_port, giop_port,giop_request_id) (giop_request_id) {
        Start (giop_type = 0);
(giop_type=0);
        Stop (giop_type = 1);
        Extra (giop_request_op);
(giop_type=1);

};

Gog giop_session {
    Member giop_req(giop_addr, giop_addr, giop_port, giop_port,giop_request_id );
    Extra (giop_request_op);
};
Done;

Only about 3% of all the GIOP packets in my test capture have a value stored for the extracted field giop_addr

I could use the regular ip.src or ip.addr values, but I'd really like to know why - in many (if not most) cases it's only one half of the conversation that has the giop_addr and giop_port fields populated.

It does appear to have changed since 2.2, and that could be why my previously working MATE dissector is now broken.

Sample file: https://www.dropbox.com/s/fg015gu4wlgyhlk/giop_filtered.pcapng.gz?dl=0

New dissector: https://www.dropbox.com/s/7s47datxxtqgr2t/quantel.mate?dl=0

Old dissector: https://www.dropbox.com/s/brvfq2wilm0fkzi/old_quantel.mate?dl=0

Now, I'm getting the PDU displayed, but I'm not able to filter on the request/reply Capture example

https://i.imgur.com/XVR06dR.png (image linked separately so it's easier to view)

I'm sure I'm missing something obvious, but I can't work out the syntax to ensure that I'm matching the right object in the reply

solved by Sindy below

Linked question that I asked yesterday after drilling down into it: https://ask.wireshark.org/question/5499/mate-protocol-weirdness/

And the bug raised yesterday: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15208

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2