This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to also filter out responses?

0

Hi All,

!radius.Framed-IP-Address!=x.x.x.x filters out all RADIUS Acct requests (UDP) with Framed-IP-Address AVP = anything but x.x.x.x. How do I also filter out their respective responses (ACK/NAK) that carry no such AVP?

Many thanks in advance,

Dmitriy

asked 19 Sep '14, 13:30

Dmitriy

edited 19 Sep '14, 15:24

... sorry, if it's a well known question a link to the answer would really help as I didn't come across any.

Many thanks in advance,

Dmitriy

(24 Sep '14, 06:47) Dmitriy

One Answer:

2

You can't really do this kind of thing just with display filters. But you could build a MATE configuration file which effectively copies the Framed-IP-Address into the response message and then filter based on the new (MATE-based) field.

Unfortunately the documentation on the wiki is hopelessly out of date so this may be hard to achieve but it is possible.

answered 20 Oct '14, 06:05

JeffMorriss ♦

Hi Jeff,

Thanks for your reply. Sounds like the ACKs that survive such filtering will also have that AVP added? If so I hope there's also a way of removing that AVP from them afterwards, perhaps also using MATE... problem is the traces we collect are evidence of testing and so altering them except for filtering out unrelated traffic is generally not a very good thing to do (at least altering the contents of individual packets).

Do you think adding something like a special keyword or character into the display filter line to easily tell Wireshark "and their respective responses" could qualify as an enhancement request? I do understand it's unlikely to be a top priority one.

Many thanks,

Dmitriy

(20 Oct '14, 06:28) Dmitriy

Sorry, my answer was confusing.

MATE won't actually modify the messages at all. But it will create "meta" fields which are present on all frames that are in a Group Of Packets (gop). So you wouldn't end up filtering for "radius.Framed-IP-Address" but something more like "mate.MyRadiusThingy.Framed-IP-Address" (I don't have a MATE configuration loaded at the moment so the actual syntax will likely be different).

To make things easier, here's a MATE configuration file I sometimes use with Diameter:

// A Wireshark MATE configuration file to identify Diameter transactions.

// Create a "diam_pdu" that contains various pieces of the processed Diameter
// message.
Pdu diam_pdu Proto diameter Transport ip {
    Extract command_code From diameter.cmd.code;
    Extract app_id From diameter.applicationId;
    Extract session_id From diameter.Session-Id;
    Extract imsi From diameter.User-Name;
    Extract e2eid From diameter.endtoendid;
};

// Then create a GOP (Group Of Pdus) where each GOP contains all the PDUs
// (msgs) whose command_code, app_id, session_id, and e2eid match.
Gop diam_transaction On diam_pdu Match (command_code, app_id, session_id, e2eid) {
    Start();
    Stop(never);

    // Store the IMSI in the GOP
    Extra(imsi);
};

Done;

(20 Oct ‘14, 06:46) JeffMorriss ♦

I’ve just tried this one:

Pdu rad_pdu Proto radius Transport ip {
    Extract framed_ip_address From radius.Framed-IP-Address;
    Extract packet_id From radius.id;
};

Gop rad_transaction On rad_pdu Match (framed_ip_address) {
    Start();
    Stop(never);
    Extra(packet_id);
};

Done;

Each packet now has an additional MATE level under RADIUS. However when I try filtering using mate.rad_pdu.framed_ip_address==10.0.2.4 or mate.rad_transaction.framed_ip_address==10.0.2.4 I can see no packets at all. If I just apply mate.rad_pdu.framed_ip_address or mate.rad_transaction.framed_ip_address I see all requests (any IP) but no responses. Is it correct behaviour?

My Wireshark is Version 1.12.2rc0-32-gce0e169 (v1.12.2rc0-32-gce0e169 from master-1.12).

(20 Oct ‘14, 10:46) Dmitriy

OK, it's getting better: seems like all MATE values must be in quotes, e.g. this one works: mate.rad_pdu.framed_ip_address=="10.0.2.4" and so does this one: mate.rad_transaction.framed_ip_address=="10.0.2.4". Still they only allow requests carrying that IP and not their respective ACKs. If however I try filtering on packet_id that is present in both requests and ACKs it effectively becomes a manual operation while the goal is to make it automatically filter all packets with packet_id value pertaining to a call with a desired IP address.

(20 Oct ‘14, 16:17) Dmitriy

I see a couple of problems, hopefully fixing these will get it working.

1) You don’t want the Gop to match on framed_ip_address: the problem you’re trying to solve is that the responses don’t have that AVP so with that match you’ll never build a Gop that includes a response. I don’t know Radius but I’m guessing packet_id is what allows you to match the response to the request. So: you want to match the packet_id.

2) Then, to actually copy the framed_ip_address into the Gop you want Extra(framed_ip_address) in the Gop definition.

(21 Oct ‘14, 00:54) JeffMorriss ♦

After swapping around framed_ip_address and packet_id in rad_transaction it works a treat: as you said, the IP address can now be found in the MATE layer of both requests and responses indeed, so the display filter line !mate.rad_transaction.framed_ip_address!="10.0.2.4" filters out everything but requests and responses for that IP. It even handles PoD (Disconnect requests and ACK) messages properly whenever they're present.

Perfect - thank you so much! It's a shame to learn about such powerful tools after so much time wasted doing the same manually... still better late than never )

(21 Oct ‘14, 03:22) Dmitriy
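The thread describes the corrected configuration in prose (match the Gop on the RADIUS Identifier, copy Framed-IP-Address in with Extra) but never shows it in full. Below is an added example written for this archive, not a file posted by Jeff or Dmitriy and not part of Wireshark's own distribution. It follows the structure of the DNS example in the MATE manual: `Transport udp/ip` makes `ip.addr` and `udp.port` available so the Gop can key on the endpoints as well as on `radius.id`, which matters because the RADIUS Identifier is only 8 bits and is reused across transactions in any capture of realistic length; matching on `packet_id` alone, as in the thread, would eventually merge unrelated transactions into one Gop. The `IdleTimeout` value is an assumption chosen for illustration; the RADIUS field names are those used in the thread (Wireshark 1.12).

```text
// Added example: correlate RADIUS requests with their ACK/NAK responses so the
// request's Framed-IP-Address becomes filterable on the response as well.
// Field names radius.id and radius.Framed-IP-Address are from the thread;
// 'Transport udp/ip' exposing ip.addr and udp.port follows the MATE manual.

Pdu rad_pdu Proto radius Transport udp/ip {
    Extract addr From ip.addr;           // both endpoints (two AVPs per PDU)
    Extract port From udp.port;          // both ports
    Extract packet_id From radius.id;    // 8-bit Identifier shared by request and response
    Extract framed_ip_address From radius.Framed-IP-Address;  // present in requests only
};

// One Gop per transaction: same Identifier between the same two sockets.
// 'addr' and 'port' appear twice so that both endpoints must match.
Gop rad_transaction On rad_pdu Match (addr, addr, port, port, packet_id) {
    Start();
    Stop(never);

    // Copy the request's AVP into the Gop; MATE then shows it on every frame of
    // the Gop, including the response that carries no such AVP itself.
    Extra(framed_ip_address);

    // Assumption for illustration: expire a Gop after one idle second so a reused
    // Identifier starts a fresh transaction instead of joining a stale one.
    IdleTimeout 1.0;
};

Done;
```

With this loaded, `mate.rad_transaction.framed_ip_address == "10.0.2.4"` (quoted, as the thread found) matches both the accounting request and its response. The thread's `!mate.rad_transaction.framed_ip_address != "10.0.2.4"` form additionally keeps frames that have no such field at all, for example a response whose request was not in the capture, so check which behaviour you want before relying on either for evidence filtering.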

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(21 Oct ‘14, 04:00) grahamb ♦

Sure - done.

(21 Oct ‘14, 05:55) Dmitriy