This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello All,

I hope someone can help me out with this issue I am facing. I had a question regarding Wireshark filters. I am trying to filter out packets according to "Subscriber ID". However this attribute is only present in the "Request" packets. The "Answer" packets corresponding to these requests do not contain the "Subscriber ID" attribute. As a result I end up having the packets of type "Answer". I tried to find a common attribute between the "Request" and "Answer" packets so that I can filter both types (Request and Answer) according to it; however I was not able to.

My question is the following: is there a way by which I can apply a filter that also removes any related packets? (in that case it is supposed to remove any "Answer" packets)

I find the way I described the filter I need confusing; in case any clarifications are needed please inform me.

Thanks a lot for the support !


asked 26 Jul '11, 01:50

walidbaher

edited 26 Jul '11, 02:02


If you can find a way to group the answer to the request, you could use MATE to create Groups Of Packets for each subscriber ID and then (I think) filter on/out any GOPs with the Subscriber ID you're interested in.

answered 26 Jul '11, 10:14

JeffMorriss ♦

Thank you so much for your reply :).

I read about MATE, however I have no idea how to use it :$ I checked a tutorial but was not able to follow it clearly. Namely I have this attribute in all the answer requests that I want to exclude (diameter.cmd.code == 280). I thought I could filter out all the answers according to this attribute and then use MATE to get also their corresponding Requests, however I couldn't manage to do so.

Am I mistaken in the usage of MATE?

(28 Jul '11, 01:16) walidbaher

[BTW, your last "answer" isn't an answer, so you should probably convert it to a comment.]

Here's an example MATE file I used to use to detect SCTP retransmissions--back before Wireshark did so on its own:

Pdu sctp_pdu Proto sctp Transport ip {
    //Extract addr From ip.addr;
    //Extract port From sctp.port;
    Extract vtag From sctp.verification_tag;
    Extract tsn From sctp.data_tsn;
    //Extract sctp_chunk From sctp.chunk_type;
};

Gop sctpretrans On sctp_pdu Match (vtag, tsn) {
    Start();
    Stop(never);
};

Done;

This creates a GOP when the vtag and tsn match. In this case if I wanted to view everything that is NOT a retransmission, I could filter on "!sctpretrans".

I believe you could do something similar: first create a GOP of requests+responses (which presumably have something in common) and then filter out that GOP. That would leave you only with requests with no answer and responses with no request (which is what I think you're trying to do).

(28 Jul '11, 08:31) JeffMorriss ♦
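As an added example (not part of the original thread and not JeffMorriss's config), here is how the suggestion above could be written for Diameter: each Request is grouped with its Answer into one GOP using the hop-by-hop and end-to-end identifiers, which both frames carry, and the Subscriber ID from the Request is copied into the GOP so a single display filter matches both frames. The field names are assumptions: diameter.hopbyhopid, diameter.endtoendid, diameter.cmd.code and diameter.answer_to are standard Diameter fields, while diameter.Subscription-Id-Data stands in for whatever field actually holds the "Subscriber ID" in the trace.

```mate
// Added example, not from the thread. Groups a Diameter Request with its
// Answer so that an attribute present only in the Request can be used to
// filter both frames. Replace diameter.Subscription-Id-Data with the field
// that carries the "Subscriber ID" in your capture (assumed name here).
Pdu dia_pdu Proto diameter Transport ip {
    Extract hbh From diameter.hopbyhopid;              // same in Request and Answer
    Extract e2e From diameter.endtoendid;              // same in Request and Answer
    Extract cmd From diameter.cmd.code;                // same in Request and Answer
    Extract sub_id From diameter.Subscription-Id-Data; // present only in the Request
    Extract ans_to From diameter.answer_to;            // present only in the Answer
};

// One GOP per transaction: PDUs sharing (hbh, e2e) belong together.
// A bare attribute name inside an AVPL means "this attribute exists", so:
//   Start(sub_id)  - a GOP begins only at a Request that carries sub_id
//   Extra(sub_id)  - copy sub_id into the GOP, making it visible on the Answer too
//   Stop(ans_to)   - the GOP ends at the Answer, so a reused hop-by-hop id
//                    later in the trace starts a fresh GOP instead of joining this one
Gop dia_xact On dia_pdu Match (hbh, e2e) {
    Start(sub_id);
    Extra(sub_id);
    Stop(ans_to);
};

Done;
```

With this loaded, a display filter such as mate.dia_xact.sub_id == "12345" shows both the Request and its Answer for that subscriber, and dia_pdu && !mate.dia_xact shows Diameter frames that could not be paired (Answers without a Request or Requests without the attribute).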

Oops, sorry, looks like your last answer is a comment--I swear it wasn't a few minutes ago, but maybe I was wrong!

(28 Jul '11, 08:34) JeffMorriss ♦

Lol ok no probs, I believe however that I posted my last comment as an answer as I remember clicking "Answer your own question", anyways I am sorry for the confusion but I am still a wireshark/wireshark-ask newbie :D

Anyways I will read into your suggestions (GOP and so forth) to figure out how I can apply it in my case.

Thank you so much for your reply :)

(01 Aug '11, 00:40) walidbaher

There is a workaround. First of all make a backup of the trace :D. Then list all the "Requests" according to the attribute you are searching for. Then "Edit" -> "Ignore All Displayed Packets". As a result all the "Answers" relating to these packets will be marked with a black color and then you can find out which answers are of importance to you.

answered 26 Jul '11, 02:44

walidbaher
