This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How would I write a filter to capture specific request operations and their replies?

0

Hi all - I'm trying to write a display filter that will filter certain specific operations and only their responses - is this possible?

for example the current filter is:

((giop.request_op == "reportStatus") || (giop.request_op == "getStatus")|| (giop.request_op == "newChanges")) || giop.exceptionid

Is there any way to include only the responses to these requests? In the case of the exception, I'd love it to throw the request that caused the exception, but I realise this would be potentially difficult. I'm really just trying to come up with the whole transactions without manually having to filter out all the unrelated responses. Thanks Scott

asked 07 May '12, 15:10

Scott%20Harman's gravatar image

Scott Harman
46131319
accept rate: 50%

One Answer:

1

Have a look at http://wiki.wireshark.org/MATE

answered 07 May '12, 15:58

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

1

Hi SYN-bit... I've finally gotten around to actually doing this... it's not elegant but it works really well

Pdu giop_pdu Proto giop Transport tcp/ip {
        Extract giop_addr From ip.addr;
        Extract giop_port From tcp.port;
        Extract giop_type From giop.type;
        Extract giop_request_id From giop.request_id;
        Extract giop_request_op From giop.request_op;
};

Gop giop_req On giop_pdu Match (giop_addr, giop_addr, giop_port, giop_port,giop_request_id) {
Start (giop_type = 0);
Stop (giop_type = 1);
Extra (giop_request_op);
};


Gog giop_session {
Member giop_req(giop_addr, giop_addr, giop_port, giop_port,giop_request_id );
Extra (giop_request_op);
};

Now, I can capture all the transactions by filtering just on ‘mate’ which works perfectly! Equally - the display filter

mate.giop_session.giop_request_op contains "Placeholder"

Gives me all my Placeholder transactions and I can easily see the relationships

(10 Apr ‘13, 21:31) Scott Harman

Hi Scott, thank you for updating this question with your MATE code for others to learn from. I’m glad it worked out for you this way.

PS I converted your “answer” to a “comment” as that is how this site works best, please see the FAQ.

(11 Apr ‘13, 02:56) SYN-bit ♦♦

Thanks very much - I can never work out which way to respond ;) I’m stoked that it works as well as it does - and now understand why you need to craft your own filters, as it takes a human brain to understand the relationships in the transactions.

(11 Apr ‘13, 13:49) Scott Harman