This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Mate with TShark on Wireshark 2.0

0

Hi all, I've recently upgraded to Wireshark 2, and MATE is no longer behaving as expected with tshark. When it does work, it only returns the replies, not the requests.

Is this a known bug, or do I have to do something different? I've tried using both two-pass and single-pass filters, and I'm trying to return all GIOP traffic which has got a duration of greater than 1 second - which works fine in the GUI.

I'm updating my question with some more data:

Hi guys. The mate file is here: https://gist.github.com/scottharman/9419ce2cc4657295f6e0

And I've uploaded a copy of the capture file, and the example based on captures of over a second are here: [screenshot]

I've uploaded a sample capture with 2 queries taking over a second for illustration purposes on dropbox: Dropbox Link

It's possible the batch file is now wrong, but I don't think so - the batch file I typically use is in the Gist as well.

asked 25 Nov '15, 17:30


Scott Harman
accept rate: 50%

edited 26 Nov '15, 14:39

tshark and Wireshark use the same dissection engine and plugins, so should perform the same in this respect.

You may have to post a sample capture and mate code to let folks assist you any further.

(26 Nov '15, 01:18) grahamb ♦

One Answer:

0

It seems to work if you use -Y instead of -R and drop -2.

answered 12 Feb '16, 08:10


cmaynard ♦♦
accept rate: 20%

1

@cmaynard, I am afraid your suggestion to use -Y <expression> instead of -2 -R <expression> only improves the situation, but does not fully solve it (leaving aside that I would still use -2 -Y <expression> as I understand the meaning of -R to be different from that of -Y).

To see what I mean (and what @Scott Harman most probably also had in mind), please run (with the mate file from the Question loaded):

tshark -r wiresharkgiop.pcapng -Y giop -T fields -e giop.type -e mate.giop_req.StartTime -e mate.giop_req.Time

You'll see that for the GIOP requests, the Gop start time is shown but the Gop hold time is not. This is a difference to Wireshark (GUI), where the Gop hold time is shown in the dissection of all Pdus of each Gop for which both the request and response have been captured, and it seems quite logical that tshark does not show the hold time for request frames because at the time when tshark is processing the request, the response is not available yet, so the hold time is not defined yet. However, while use of -2 seems to be an obvious remedy to that, running the command above with -2 appended actually prevents any mate field from being shown.

So assuming @Scott Harman has previous experience allowing him to state that it no longer behaves as expected, I'd conclude it is a regression in 2.0.1.

The consequence is that you cannot use any "forward filtering", as (using this particular case as example) -Y giop.type == 0 and mate.giop_req.Time > 1 never evaluates to true as mate.giop_req.Time is not defined yet when giop.type == 0.

(20 Feb '16, 10:56) sindy
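One way to work around the single-pass limitation described in the comment above is to let tshark emit the raw fields and pair requests with replies afterwards. This is an added example, not code from the thread or from the Wireshark project; it assumes the fields output of the tshark command shown in the comment with frame.number added (tab-separated by default), that reply frames carry mate.giop_req.Time while request frames do not, and that every Pdu of a Gop reports the same mate.giop_req.StartTime. The sample output below is constructed.

```python
"""Pair GIOP requests with their replies from tshark -T fields output.

Assumed command (the comment's command plus frame.number):
  tshark -r wiresharkgiop.pcapng -Y giop -T fields -e frame.number \
         -e giop.type -e mate.giop_req.StartTime -e mate.giop_req.Time
Request frames (giop.type == 0) carry StartTime but no Time; replies carry both.
"""
from collections import defaultdict

# Constructed sample output: frame, giop.type, StartTime, Time (empty if undefined)
SAMPLE = """\
10\t0\t0.512\t
11\t0\t0.530\t
12\t1\t0.512\t0.041
13\t0\t0.601\t
14\t1\t0.530\t1.206
15\t1\t0.601\t2.380
16\t0\t0.900\t
"""


def parse_fields(text):
    """Turn tab-separated tshark field lines into dicts; blanks become None."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, gtype, start, hold = (line.split("\t") + [""] * 4)[:4]
        rows.append({
            "frame": int(frame),
            "type": int(gtype) if gtype else None,   # 0 = Request, 1 = Reply
            "start": float(start) if start else None,
            "hold": float(hold) if hold else None,
        })
    return rows


def slow_gops(text, threshold=1.0):
    """Return {StartTime: [frames]} for Gops whose hold time exceeds threshold.

    Assumption: request and reply of one Gop share mate.giop_req.StartTime, so
    the request (no Time yet) is joined to its reply (Time defined) on that value.
    """
    by_start, hold_of = defaultdict(list), {}
    for row in parse_fields(text):
        if row["start"] is None:
            continue
        by_start[row["start"]].append(row["frame"])
        if row["hold"] is not None:
            hold_of[row["start"]] = row["hold"]
    return {s: sorted(f) for s, f in by_start.items() if hold_of.get(s, 0.0) > threshold}


if __name__ == "__main__":
    for start, frames in sorted(slow_gops(SAMPLE).items()):
        print(f"Gop started at {start}: frames {frames}")
```

Both the request and the reply frame of each slow Gop are reported, which is what the forward filter in the comment cannot express in a single pass.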