This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Diameter PNR/PNA filtered with result code 5003


Hello,

I am having difficulty using the MATE plugin to filter diameter.cmd.code==309 && diameter.Result-Code==5003. I would like to get both the Request (PNR) and the Answer (PNA).

This is the draft that I can think of, but I'm not sure how to modify it to meet my requirement.

// Create a "diam_pdu" that contains various pieces of the processed Diameter
// message.
Pdu diam_pdu Proto diameter Transport ip {
        Extract command_code From diameter.cmd.code;
        Extract app_id From diameter.applicationId;
        Extract session_id From diameter.Session-Id;
        Extract imsi From diameter.User-Name;
        Extract e2eid From diameter.endtoendid;
};

// Then create a GOP (Group Of Pdus) where each GOP contains all the PDUs
// (msgs) whose command_code, app_id, session_id, and e2eid match.
Gop diam_transaction On diam_pdu Match (command_code, app_id, session_id, e2eid) {
        Start();
        Stop(never);

        // Store the IMSI in the GOP
        Extra(imsi);
};

Done;

Please kindly help me to resolve it, thanks!

Alex

asked 02 Dec ‘14, 23:05

Alex Lu

edited 03 Dec ‘14, 06:41

JeffMorriss ♦


One Answer:


To do that you'll need to store the Result-Code in the GOP. So this configuration file:

// Create a "diam_pdu" that contains various pieces of the processed Diameter
// message.
Pdu diam_pdu Proto diameter Transport ip {
        Extract command_code From diameter.cmd.code;
        Extract app_id From diameter.applicationId;
        Extract session_id From diameter.Session-Id;
        Extract e2eid From diameter.endtoendid;
        Extract resultcode From diameter.Result-Code;
};

// Then create a GOP (Group Of Pdus) where each GOP contains all the PDUs
// (msgs) whose command_code, app_id, session_id, and e2eid match.
Gop diam_transaction On diam_pdu Match (command_code, app_id, session_id, e2eid) {
        Start();
        Stop(never);

        // Store the result code in the GOP
        Extra(resultcode);
};

Done;

with a display filter of:

(mate.diam_transaction.command_code == "309") && (mate.diam_transaction.resultcode == "5003")

will show you both the Request(s) and their corresponding Answer(s).

answered 03 Dec ‘14, 06:54

JeffMorriss ♦

edited 09 Jan ‘15, 08:04

Thank you very much, Jeff!

Somehow it is still not working as expected.

Could it be caused by

    Start();
    Stop(never);

Thanks again.

(26 Dec ‘14, 20:41) Alex Lu

(Sorry, I was offline over the holidays.)

(BTW I converted your Answer to a Comment.)

Are you putting quotes around the command code and resultcode (as shown in the example above)? It wasn’t working for me, either, when I typed in the filter by hand but when I used “prepare as filter” it worked well–and I noticed that “prepare as filter” was putting the quotes in there.

(It is annoying that the quotes must be there; I guess MATE’s fields are all strings? That’s worthy of investigation–if I have time <sigh>.)

(09 Jan ‘15, 08:03) JeffMorriss ♦

Works flawlessly! Thank you Jeff!

(23 Mar ‘15, 22:18) Alex Lu
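
The grouping logic behind the answer above, as an added Python model that is not part of the original thread and is not MATE's own code: messages sharing command code, application id, Session-Id and end-to-end id form one transaction, the answer's Result-Code is stored on the transaction, and frames are selected per transaction rather than per packet. The sample messages and all names are constructed; holding attribute values as strings is an assumption that mirrors the quoted values in the display filter.

```python
from collections import defaultdict

APP_ID = 16777217  # constructed sample application id

def msg(frame, cmd, session_id, e2eid, result=None):
    # Requests carry no Result-Code, so result stays None for them.
    return {"frame": frame, "cmd": cmd, "app_id": APP_ID,
            "session_id": session_id, "e2eid": e2eid, "result": result}

# Constructed sample messages, not taken from a real capture.
MESSAGES = [
    msg(1, 309, "s1", 0x01),            # request
    msg(2, 309, "s1", 0x01, 5003),      # answer, result 5003
    msg(3, 309, "s2", 0x02),            # request
    msg(4, 309, "s2", 0x02, 2001),      # answer, result 2001
    msg(5, 306, "s3", 0x03),            # other command, request
    msg(6, 306, "s3", 0x03, 5003),      # other command, result 5003
]

MATCH_KEY = ("cmd", "app_id", "session_id", "e2eid")  # the Gop Match list

def group_transactions(messages):
    """Group messages by the match key and copy the Result-Code onto the group."""
    gops = defaultdict(lambda: {"frames": [], "attrs": {}})
    for m in messages:
        gop = gops[tuple(m[k] for k in MATCH_KEY)]
        gop["frames"].append(m["frame"])
        gop["attrs"]["command_code"] = str(m["cmd"])
        if m["result"] is not None:
            # Equivalent of Extra(resultcode): the value seen on the answer
            # becomes an attribute of the whole transaction.
            gop["attrs"]["resultcode"] = str(m["result"])
    return gops

def frames_by_transaction(messages, command_code, resultcode):
    """Frames of every transaction whose stored attributes match (request and answer)."""
    hits = []
    for gop in group_transactions(messages).values():
        attrs = gop["attrs"]
        if attrs.get("command_code") == command_code and attrs.get("resultcode") == resultcode:
            hits.extend(gop["frames"])
    return sorted(hits)

def frames_by_packet(messages, cmd, result):
    """Per-packet filtering for comparison: only the answer carries the Result-Code."""
    return [m["frame"] for m in messages if m["cmd"] == cmd and m["result"] == result]

if __name__ == "__main__":
    print("per transaction:", frames_by_transaction(MESSAGES, "309", "5003"))
    print("per packet:     ", frames_by_packet(MESSAGES, 309, 5003))
```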