This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I am having difficulty using the MATE plugin to filter diameter.cmd.code==309 && diameter.Result-Code==5003. I would like to get both the request (PNR) and the answer (PNA).

This is the draft that I can think of, but I'm not sure how to modify it to meet my requirement.

    // Create a "diam_pdu" that contains various pieces of the processed Diameter
    // message.
    Pdu diam_pdu Proto diameter Transport ip {
            Extract command_code From diameter.cmd.code;
            Extract app_id From diameter.applicationId;
            Extract session_id From diameter.Session-Id;
            Extract imsi From diameter.User-Name;
            Extract e2eid From diameter.endtoendid;
    };

    // Then create a GOP (Group Of Pdus) where each GOP contains all the PDUs
    // (msgs) whose command_code, app_id, session_id, and e2eid match.
    Gop diam_transaction On diam_pdu Match (command_code, app_id, session_id, e2eid) {
            Start();
            Stop(never);

            // Store the IMSI in the GOP
            Extra(imsi);
    };

    Done;

Please kindly help me to resolve it, thanks!

Alex

asked 02 Dec '14, 23:05

Alex Lu

edited 03 Dec '14, 06:41

JeffMorriss ♦

To do that you'll need to store the Result-Code in the GOP. So this configuration file:

    // Create a "diam_pdu" that contains various pieces of the processed Diameter
    // message.
    Pdu diam_pdu Proto diameter Transport ip {
            Extract command_code From diameter.cmd.code;
            Extract app_id From diameter.applicationId;
            Extract session_id From diameter.Session-Id;
            Extract e2eid From diameter.endtoendid;
            Extract resultcode From diameter.Result-Code;
    };

    // Then create a GOP (Group Of Pdus) where each GOP contains all the PDUs
    // (msgs) whose command_code, app_id, session_id, and e2eid match.
    Gop diam_transaction On diam_pdu Match (command_code, app_id, session_id, e2eid) {
            Start();
            Stop(never);

            // Store the result code in the GOP
            Extra(resultcode);
    };

    Done;

with a display filter of:

    (mate.diam_transaction.command_code == "309") && (mate.diam_transaction.resultcode == "5003")

will show you both the Request(s) and their corresponding Answer(s).

answered 03 Dec '14, 06:54

JeffMorriss ♦

edited 09 Jan '15, 08:04

Thank you very much, Jeff!

Somehow it is still not working as expected.

Could it be caused by

    Start();
    Stop(never);

Thanks again.

(26 Dec '14, 20:41) Alex Lu

(Sorry, I was offline over the holidays.)

(BTW I converted your Answer to a Comment.)

Are you putting quotes around the command code and resultcode (as shown in the example above)? It wasn't working for me, either, when I typed in the filter by hand but when I used "prepare as filter" it worked well--and I noticed that "prepare as filter" was putting the quotes in there.

(It is annoying that the quotes must be there; I guess MATE's fields are all strings? That's worthy of investigation--if I have time <sigh>.)

(09 Jan '15, 08:03) JeffMorriss ♦

Works flawlessly! Thank you Jeff!

(23 Mar '15, 22:18) Alex Lu
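
The following is an added example, not part of the original thread and not MATE's own code: a simplified Python model of the grouping in the answer above, showing why a per-packet filter on command code and Result-Code returns only the answer while a filter on the GOP returns the request as well. The sample PDUs, field values and function names are constructed for illustration, and Start/Stop handling is not modelled.

```python
from collections import defaultdict

FIELDS = ("frame", "command_code", "app_id", "session_id", "e2eid", "resultcode")
MATCH_KEY = FIELDS[1:5]  # same attributes as the Gop's Match (...) list

# Constructed sample PDUs (not from a real capture). Values are kept as strings,
# like the quoted values in the display filter. Requests carry no Result-Code.
ROWS = [
    (1, "309", "16777217", "s1", "0xa1", None),    # PNR
    (2, "309", "16777217", "s1", "0xa1", "5003"),  # PNA, failed
    (3, "309", "16777217", "s2", "0xb2", None),    # PNR
    (4, "309", "16777217", "s2", "0xb2", "2001"),  # PNA, success
    (5, "306", "16777217", "s3", "0xc3", None),    # other command, request
    (6, "306", "16777217", "s3", "0xc3", "5003"),  # other command, failed answer
]
PDUS = [dict(zip(FIELDS, row)) for row in ROWS]


def per_pdu_filter(pdus, command_code, resultcode):
    """Per-packet test: only a PDU that itself carries the Result-Code matches."""
    return [p["frame"] for p in pdus
            if p["command_code"] == command_code and p["resultcode"] == resultcode]


def build_gops(pdus):
    """Group PDUs by the match key; collect result codes at group level (the Extra)."""
    gops = defaultdict(lambda: {"frames": [], "resultcode": set()})
    for p in pdus:
        gop = gops[tuple(p[k] for k in MATCH_KEY)]
        gop["frames"].append(p["frame"])
        if p["resultcode"] is not None:
            gop["resultcode"].add(p["resultcode"])
    return gops


def gop_filter(pdus, command_code, resultcode):
    """Group-level test: every frame of a matching group is returned."""
    hits = []
    for key, gop in build_gops(pdus).items():
        if key[0] == command_code and resultcode in gop["resultcode"]:
            hits.extend(gop["frames"])
    return sorted(hits)


if __name__ == "__main__":
    print("per-PDU:", per_pdu_filter(PDUS, "309", "5003"))
    print("per-GOP:", gop_filter(PDUS, "309", "5003"))
```
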

question asked: 02 Dec '14, 23:05

question was seen: 3,022 times

last updated: 24 Mar '15, 06:58