This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unable to parse RTPS2 attributes through MATE or through display filter

I have a network of machines all participating in a publish/subscribe environment using NDDS. My goal is to generate a list of all Topics and associated Messages. In addition, that list will include the publishers and subscribers of said messages.

NDDS, according to Wireshark parsing, equates to RTPS2 packets, and Wireshark has no problem parsing out the packets into awe-inspiring hierarchies. As there is specific data I want, I'd like to shortcut this and display only specific attributes of said messages.

I've decided to try to use MATE to grab just the information I need. I found the display reference guide for RTPS2 and created the PDU described below. Though I get no errors when Wireshark loads the MATE config file, very few rtps2 attributes are actually showing up. The attributes that are purely alphabetical (e.g. a, b, c, aa...an, etc.) do not show up. Those with full words do.

Is there some piece staring me in the face that I don't see?

Pdu rtps2_pdu Proto rtps2 Transport ip {
    Extract source_address From ip.src;
    Extract a From rtps2.appId;
    Extract b From rtps2.counter;
    Extract domain From rtps2.domain_id;
    Extract c From rtps2.guidPrefix;
    Extract d From rtps2.hostId;
    Extract e From rtps2.param.contentFilterName;
    Extract f From rtps2.param.entityName;
    Extract g From rtps2.param.filterName;
    Extract h From rtps2.param.groupData;
    Extract i From rtps2.param.id;
    Extract j From rtps2.param.length;
    Extract k From rtps2.param.ntpTime;
    Extract l From rtps2.param.ntpTime.fraction;
    Extract m From rtps2.param.ntpTime.sec;
    Extract n From rtps2.param.relatedTopicName;
    Extract o From rtps2.param.statusInfo;
    Extract p From rtps2.param.strength;
    Extract q From rtps2.param.topicData;
    Extract r From rtps2.param.topicName;
    Extract s From rtps2.param.typeName;
    Extract t From rtps2.param.userData;
    Extract participantId From rtps2.participant_idx;
    Extract u From rtps2.serializedData;
    Extract v From rtps2.sm.entityId;
    Extract w From rtps2.sm.entityId.entityKey;
    Extract x From rtps2.sm.entityId.entityKind;
    Extract y From rtps2.sm.flags;
    Extract z From rtps2.sm.guidPrefix;
    Extract aa From rtps2.sm.guidPrefix.appId;
    Extract ab From rtps2.sm.guidPrefix.appId.appKind;
    Extract ac From rtps2.sm.guidPrefix.appId.instanceId;
    Extract ad From rtps2.sm.guidPrefix.counter;
    Extract ae From rtps2.sm.guidPrefix.hostId;
    Extract af From rtps2.sm.id;
    Extract ag From rtps2.sm.octetsToNextHeader;
    Extract ah From rtps2.sm.rdEntityId;
    Extract ai From rtps2.sm.rdEntityId.entityKey;
    Extract aj From rtps2.sm.rdEntityId.entityKind;
    Extract ak From rtps2.sm.seqNumber;
    Extract al From rtps2.sm.wrEntityId;
    Extract am From rtps2.sm.wrEntityId.entityKey;
    Extract an From rtps2.sm.wrEntityId.entityKind;
    Extract traffic_nature From rtps2.traffic_nature;
    Extract vendorId From rtps2.vendorId;
    Extract version From rtps2.version;
    Extract version_major From rtps2.version.major;
    Extract version_minor From rtps2.version.minor;
};

Done;

asked 15 Feb ‘12, 14:36

pgcordell

edited 16 Feb ‘12, 08:34

multipleinte…

Do you mean that the “name” you give a Pdu affects whether you get the field extract or not? For example in this case:

Extract a From rtps2.appId;

“a” does not work because “a” is too short? In other words, it would/does work if you change “a” to “aaaaaa” or something longer?

(16 Feb ‘12, 07:49) JeffMorriss ♦

No, I haven’t seen any effect of changing the “name” portion of an Extract. I get the same result from the following lines:

Extract a From rtps2.appId;

or

Extract a1 From rtps2.appId;

or

Extract aa From rtps2.appId;

or

Extract myAppID From rtps2.appId;

One thing I’m wondering is if I need to define anything else? If I intentionally screw up references to an rtps2 field, I get an error. If I do it correctly, I get no error but I also get no data.

For example, according to the link, there exists a reference to “rtps2.param.topicName”. If I use the following line:

Extract topicName From rtps2.param.topicName;

I get no error, but the myTopicName doesn’t show up in the PDU display either. If instead I intentionally use the wrong reference and leave out the “param”:

Extract myTopicName From rtps2.topicName;

I get the following error:

“MATE Error: cannot find field for attribute myTopicName”

So… I know that the field exists and that I’m referring to it correctly. But I still get no data.

(16 Feb ‘12, 09:16) pgcordell

Stupid question: are you sure the frames you’re looking at have the fields you’re looking for? E.g., if you filter for “rtps2.appId” you get the frame? What happens if you add the filter item as a “custom column”? Does the value you’re looking for show up there?

If the fields are really there then I’d suggest opening a bug with a sample script and capture file.

(16 Feb ‘12, 13:38) JeffMorriss ♦
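
The check suggested in the comment above (confirm the capture really contains the fields before suspecting MATE), as an added example that is not part of the original thread: it reads the Extract lines from a MATE config and counts, from `tshark -T fields` output, the frames in which each field has a value. The config fragment and the tshark output are constructed sample data, and the helper names are hypothetical.

```python
import re

# Constructed MATE fragment in the shape of the Pdu block from the question.
MATE_CONFIG = """
Pdu rtps2_pdu Proto rtps2 Transport ip {
    Extract source_address From ip.src;
    Extract a From rtps2.appId;
    Extract r From rtps2.param.topicName;
    Extract vendorId From rtps2.vendorId;
};
"""

# Constructed stand-in for the tab-separated output of tshark_args() below:
# one line per frame, one column per field, empty when the field is absent.
SAMPLE_OUTPUT = (
    "10.0.0.5\t0x00000001\t\t0x0101\n"
    "10.0.0.6\t0x00000002\t\t0x0101\n"
    "10.0.0.5\t\t\t0x0101\n"
)

EXTRACT_RE = re.compile(r"^\s*Extract\s+(\w+)\s+From\s+([\w.]+)\s*;", re.M)

def parse_extracts(config):
    """Return (attribute, field) pairs for every Extract line."""
    return EXTRACT_RE.findall(config)

def tshark_args(capture, fields):
    """Build the tshark call that prints one column per extracted field."""
    args = ["tshark", "-r", capture, "-T", "fields"]
    for field in fields:
        args += ["-e", field]
    return args

def frames_per_field(fields, output):
    """Count the frames in which each field carries a value."""
    counts = dict.fromkeys(fields, 0)
    for line in output.splitlines():
        for field, value in zip(fields, line.split("\t")):
            if value:
                counts[field] += 1
    return counts

def never_present(config, output):
    """Attributes whose source field appears in no frame of the capture."""
    pairs = parse_extracts(config)
    counts = frames_per_field([f for _, f in pairs], output)
    return [attr for attr, f in pairs if counts[f] == 0]

if __name__ == "__main__":
    print(never_present(MATE_CONFIG, SAMPLE_OUTPUT))
```

An attribute returned by `never_present` points at the capture rather than at MATE; a field that has frames but still yields no MATE attribute is the case worth reporting with a sample config and capture file.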

I’m going to guess that it’s the same bug affecting mgcp.

(12 Feb ‘16, 14:36) cmaynard ♦♦

The bug affecting mgcp seems to me as if related to the mgcp dissector, because MATE debug says, in case of mgcp, that the mgcp part of the packet ranges from octet 42 to octet 42.

I’ll open a bug on that in a while, but I first wanted to check whether these two issues could really be related. However, extraction of another field (rtsp.vendorId) from rtsp went smoothly, and I don’t have any capture where any packet would contain the rtsp.param.topicName field.

@pgcordell, do you happen to still have one four years after?

(26 Feb ‘16, 03:52) sindy