This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark MATE correlation multiple GOPs

0

Hi Experts,

I want to correlate multiple GoPs based on certain attribute from each PDU. How can I build a logic using MATE

scenario (e.g) SIP packet which has media port information H248 packet which also has media port information

I want to group SIP and H248 packet where the media port is of same value

BR, sshark

asked 14 Sep '15, 15:55

sshark's gravatar image

sshark
6669
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
1

Do you want to correlate multiple GoPs or create a new GoP which contains the SIP and H248 packets?

If the former then you want to create a Group of Groups. In that example host is what ties the GoPs together (obviously both GoPs would need a host field).

If the latter then, well, just create another GoP.

permanent link

answered 15 Sep '15, 06:49

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

edited 12 Feb '16, 13:01

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

I would be happy if a GoG serves my purpose. Pls refer the attached mate config example. I am having issues or confusion on how to compare two attributes

  1. Within GoG, how can I compare mport of Megaco PDU and mport of SIP PDU (does it match one to one)

  2. When I use this value, for some SIP packets, I get below error in wireshark when I open a capture file Expert Info (Error/Malformed): proto.c:3487: field mate.released_time is not of type FT_FLOAT

    Pdu sip_pdu Proto sip Transport ip {

    Extract user From sip.From;
Extract user From sip.To;
Extract user From sip.P-Asserted-Identity;
Extract user From sip.P-Served-User;
Extract callid From sip.Call-ID;
Extract method From sip.Method;
Extract mport From sdp.media.port;

    };

    Gop sipp On sip_pdu Match (callid) {

    Start(method {"INVITE"|"REGISTER"|"MESSAGE"|"BYE"|"CANCEL"|"PRACK"|"SUBSCRIBE"|"NOTIFY"});
Stop(never);

// Store the user in the GOP
Extra(user,mport);

    };

    Pdu megaco_pdu Proto megaco Transport sctp {

    Extract mgtrans From megaco.transid;
Extract taction From megaco.transaction;
Extract mport From sdp.media.port;

    };

    Gop mco On megaco_pdu Match (mgtrans) {

    Start(taction="Request");
Stop(taction="Reply");
Extra(mport);

    };

    Gog tester {

    Member sipp(user);
Member mco (mport);

Extra(user);

    };

    Done;

(15 Sep '15, 07:16) sshark

(FYI I converted your Answer to a Comment--see the FAQ.)

For (1), yes, you'd need to put mport in both the sipp and mco lines to get MATE to include only GoPs whose mport match. I'm not sure what you mean by "one for one": if the mport is equal then the GoP will be included.

For (2): that's a bug in Wireshark. I submitted a change to have that fixed.

(15 Sep '15, 08:00) JeffMorriss ♦

So, do you think - this should be a valid configuration for my purpose My actual display filter would be - mate.tester.user == xyz to filter all related SIP & H248 packets

Pdu sip_pdu Proto sip Transport ip {

Extract user From sip.From;
Extract user From sip.To;
Extract user From sip.P-Asserted-Identity;
Extract user From sip.P-Served-User;
Extract callid From sip.Call-ID;
Extract method From sip.Method;
Extract mport From sdp.media.port;
};

Gop sipp On sip_pdu Match (callid) {

Start(method {"INVITE"|"REGISTER"|"MESSAGE"|"BYE"|"CANCEL"|"PRACK"|"SUBSCRIBE"|"NOTIFY"});
Stop(never);

// Store the user in the GOP
Extra(user,mport);
};

Pdu megaco_pdu Proto megaco Transport sctp {

Extract mgtrans From megaco.transid;
Extract taction From megaco.transaction;
Extract mport From sdp.media.port;
};

Gop mco On megaco_pdu Match (mgtrans) {

Start(taction="Request");
Stop(taction="Reply");
Extra(mport);
};

Gog tester {

Member sipp(user,mport);
Member mco (mport);

Extra(user);
};

Done;
(18 Sep '15, 01:26) sshark

That looks about right. I'm not sure about the "user" part in this line:

Member sipp(user,mport);

I suspect that might break things but who knows...

(18 Sep '15, 10:48) JeffMorriss ♦

Ok, user is needed as I have to filter the trace based on user and not based on media port.

Above works, except the mate.released_time related error I reported before

One last question - I do have some megaco packets before the initial SIP packet, hence I could not get those megaco packets as I could not match the mport. Is it possible to process PDUs/GoPs in reverse direction or after certain PDUs are processed ?

(19 Sep '15, 05:49) sshark

Ok, user is needed as I have to filter the trace based on user and not based on media port.

Hmm, I thought that would be covered by the "Extra(user)" part rather than the "Member" part. But then again I'm not sure I've ever used a GoG in anger.

Above works, except the mate.released_time related error I reported before

Excellent. If you pick up an automated build then that error will go away (the change was merged).

For your last question: I actually would have thought it would have worked like that today since the mco is matching based on transid not mport. IOW the mco will contain all megaco_pdus with the same transid regardless of the mport value and whether there's been SIP signaling before. Then tester will contain an mco and a sipp.

(21 Sep '15, 17:53) JeffMorriss ♦
showing 5 of 6 show 1 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×238
×109
×27
×3

question asked: 14 Sep '15, 15:55

question was seen: 2,194 times

last updated: 12 Feb '16, 13:01

Related questions

Capture and Store voice traffic into a Database

Why is there No RTP, SIP or other VOIP (MagicJack) captured.

Save only filtered SIP\RTP results in a file

VoIP profile

Wireshark 2 missing option to "Try to decode RTP outside of conversation"?

wanted RTP, got UDP (?!)

Can see SIP/SDP; m = audio RTP/AVP but no RTP packets or sessions.

Can 802.11 from AirPcap Be Decoded To SIP/RTP?

MATE display filter for SIP calls

Develop a SIP&RTP display filter

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A