This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark MATE - AVPL Merge

0

Hi,

I’m trying to analyze (combine) RADIUS traffic (and eventually other traffic) using Wireshark MATE plugin.

What I would like to do is to Merge MATE Pdu attributes in case radius.id is the same for two different RADIUS packages. Main reason for this Merge is to have radius.State copied in MATE Pdu for first Access-Request and Access-Accept (Access-Reject) packages (radius.State is not in first and last message of the RADIUS session). After that I would be able to use MATE Pdu radius.State in MATE Gop definition and I would have all RADIUS messages related to one session inside one MATE Gop.

So in short I’m trying to check if MATE Pdu Merge function is available or not and syntax if it is available. Or if similar function can be achieved using available functions e.g. MATE Transform function. AVPL Merge is mentioned in MATE wiki on http://wiki.wireshark.org/Mate/Reference#Merge

I was also checking MATE source code on https://github.com/avsej/wireshark/blob/master/plugins/mate/ but I’m not expert in C.

From RFC 2865: 5.24. State This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.

asked 16 Apr '14, 05:14

Danijel's gravatar image

Danijel
16114
accept rate: 0%

One Answer:

2

I'm pretty sure (though I'm far from an expert in MATE) that you can't merge Pdus. You can merge AVPLs (as the wiki says) but only in Gops or Gogs. So what you should probably do is create a Gop which has all the values you want and then, if needed, create a Gog for the session.

BTW the right place to look at Wireshark's source code is on code.wireshark.org.

answered 16 Apr '14, 10:03

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

Hi,
Thanks for pointing out that correct source code address for MATE is https://code.wireshark.org/review/gitweb?p=wireshark.git;a=tree;f=plugins/mate
By looking at this MATE source code (mate_grammar.lemon and mate_parser.l) I'm still not able to find "Merge" keyword.

Do you know what would be syntax for merging AVPLs in Gops or Gogs?

I think that Merge function for Pdus would be great (if it doesn't already exist :-)). It would increase MATE usability in so many ways.

(17 Apr '14, 01:01) Danijel

Ah, OK, getting parameters from a Pdu to a Gop isn't done with a "merge" keyword, it's done with the "Extra" key word. Here's an example (look for the "Extra" line with comment):

// A Wireshark MATE configuration file to identify Diameter transactions.

// Create a "diam_pdu" that contains various pieces of the processed Diameter
// message.
Pdu diam_pdu Proto diameter Transport ip {
Extract command_code From diameter.cmd.code;
Extract app_id From diameter.applicationId;
Extract session_id From diameter.Session-Id;
Extract imsi From diameter.User-Name;
Extract e2eid From diameter.endtoendid;
};


// Then create a GOP (Group Of Pdus) where the each GOP contains all the PDUs
// (msgs) that whose command_code, app_id, session_id, and e2eid match.
Gop diam_transaction On diam_pdu Match (command_code, app_id, session_id, e2eid) {
Start();
Stop(never);


    // Store the IMSI in the GOP
    Extra(imsi);



};


Done;
(17 Apr ‘14, 06:42) JeffMorriss ♦

Thanks.
This explains a lot.
I will check if I can contribute with MATE wiki update.
BR

(17 Apr ‘14, 06:58) Danijel