This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Automatically showing replies for DIAMETER protocol, when using display filter

0

When analyzing a large packet capture of DIAMETER traffic, I often filter based on a certain value. Is there any way to automatically show the replies to the packets matching the display filter? Currently I have to select each packet, and then add the frame number to the display filter. It's very tedious.

For example, my display filter will be something like "diameter contains xxxx" where xxxx is actually the IMSI of the user I'm testing with. I then have to click on each packet, and look at the diameter details, and it will say "Reply is in <n>" where "<n>" is the frame number of the response packet. My display filter then becomes "diameter contains xxxx || frame.number == n".

asked 15 Mar '13, 13:17


Mojo
accept rate: 0%

edited 15 Mar '13, 13:21


3 Answers:

1

This sounds like a job for MATE. Unfortunately the documentation on that can be... somewhat painful to wade through.

answered 19 Mar '13, 08:16


JeffMorriss ♦
accept rate: 27%

Very cool, I will check it out. I haven't played with plugins much, but how hard could it be? ;-)

(19 Mar '13, 08:20) Mojo

Doesn't look like MATE is being actively maintained. Most of the Wiki pages look like they are at LEAST 5 years old or more.

(19 Mar '13, 09:37) Mojo

Yeah, that's what I meant by the documentation being a problem. It does still work--I used it within the past year or so.

(19 Mar '13, 10:18) JeffMorriss ♦

1

Does it actually say, "Reply is in < n >"? Because I could only find, "Answer In < n >".

Well, assuming that's what you're interested in, you could add 2 custom columns, one for diameter.answer_in, and the other for diameter.answer_to. The easiest way to add those columns is to expand a diameter packet containing the field, then right-click on it, choosing, "Apply as Column".

answered 19 Mar '13, 13:52


cmaynard ♦♦
accept rate: 20%

This is useful, but not QUITE what I was looking for. I guess what I want is to write a display filter, and have it show those packets, and ALSO include the packets referenced in each diameter.answer_in field, as a sort of joined query (to mix metaphors and use a database term :) ).

(19 Mar '13, 14:07) Mojo

0

One solution I just discovered on my own is to add the diameter.Session-Id parameter to the display filter. That helps a bunch.

answered 15 Mar '13, 14:23


Mojo
accept rate: 0%

Yes, that's correct. First extract the message containing the IMSI, i.e. use a display filter for the IMSI, then extract the session-id for this message.

After getting the session-id, apply this as a display filter.

Either simple code or a Unix script will solve the problem.

(04 Apr '14, 08:45) Sanny_D
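
The two-pass approach from the last answer and its comment (collect the Session-Id of every message that matches the IMSI, then filter the capture on those Session-Ids), as an added example that is not part of the original thread. The function names `build_session_filter` and `show_sessions` are hypothetical, and the script assumes `tshark` is on the PATH and that multi-valued fields are printed with tshark's default comma separator.

```shell
#!/bin/sh
# Added example (not from the original thread): show every Diameter message
# that shares a Session-Id with a message matching a seed display filter.

# Read `tshark -T fields -e diameter.Session-Id` output on stdin and print one
# display filter that ORs all distinct Session-Ids together.
# - A frame carrying several Diameter messages yields comma-separated values.
# - Values containing a double quote or backslash are dropped, so a crafted
#   Session-Id in an untrusted capture cannot alter the generated filter.
build_session_filter() {
    tr ',' '\n' |
    sed '/^[[:space:]]*$/d' |
    grep -v '["\\]' |
    sort -u |
    awk '{ printf "%sdiameter.Session-Id == \"%s\"", (NR > 1 ? " || " : ""), $0 }
         END { if (NR) print "" }'
}

# Pass 1: list the Session-Ids of frames matching the seed filter.
# Pass 2: re-read the capture and display every frame in those sessions.
show_sessions() {
    pcap=$1
    seed=$2
    filter=$(tshark -r "$pcap" -Y "$seed" -T fields -e diameter.Session-Id |
             build_session_filter)
    if [ -z "$filter" ]; then
        echo "no Diameter session matches: $seed" >&2
        return 1
    fi
    tshark -r "$pcap" -Y "$filter"
}

# Run only when called as: script.sh capture.pcap 'diameter contains "xxxx"'
if [ "$#" -eq 2 ]; then
    show_sessions "$1" "$2"
fi
```

The generated filter can also be pasted into the Wireshark display filter box instead of being run through the second `tshark` pass.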