This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Exclude a request and its corresponding answer

0

Hello All,

I hope someone can help me out with this issue I am facing. I had a question regarding Wireshark filters. I am trying to filter out packets according to "Subscriber ID". However this attribute is only present in the "Request" packets. The "Answer" packets corresponding to these requests do not contain the "Subscriber ID" attribute. As a result I end up having the packets of type "Answer". I tried to find a common attribute between the "Request" and "Answer" packets so that I can filter both types (Request and Answer) according to it; however I was not able to.

My question is the following; is there a way by which I can apply a filter that also removes any related packets? (in that case it is supposed to remove any "Answer" packets)

I find the way I described the filter I need confusing; in case any clarification is needed please inform me.

Thanks a lot for the support !

This question is marked "community wiki".

asked 26 Jul '11, 01:50

walidbaher

edited 26 Jul '11, 02:02


2 Answers:

2

If you can find a way to group the answer to the request, you could use MATE to create Groups Of Packets for each subscriber ID and then (I think) filter on/out any GOPs with the Subscriber ID you're interested in.

answered 26 Jul '11, 10:14

JeffMorriss ♦

Thank you so much for your reply :).

I read about MATE, however I have no idea how to use it :$ I checked a tutorial but was not able to follow it clearly. Namely I have this attribute in all the answer requests that I want to exclude (diameter.cmd.code == 280). I thought I would filter out all the answers according to this attribute and then use MATE to get also their corresponding Requests, however I couldn't manage to do so.

Am I mistaken in the usage of MATE?

(28 Jul '11, 01:16) walidbaher
1

[BTW, your last "answer" isn't an answer, so you should probably convert it to a comment.]

Here's an example MATE file I used to use to detect SCTP retransmissions--back before Wireshark did so on its own:

Pdu sctp_pdu Proto sctp Transport ip {
    //Extract addr From ip.addr;
    //Extract port From sctp.port;
    // the verification tag and TSN together identify a DATA chunk
    Extract vtag From sctp.verification_tag;
    Extract tsn From sctp.data_tsn;
    //Extract sctp_chunk From sctp.chunk_type;
};

Gop sctpretrans On sctp_pdu Match (vtag, tsn) { Start(); Stop(never); };

Done;

This creates a GOP when the vtag and tsn match. In this case if I wanted to view everything that is NOT a retransmission, I could filter on “!sctpretrans”.

I believe you could do something similar: first create a GOP of requests+responses (which presumably have something in common) and then filter out that GOP. That would leave you only with requests with no answer and responses with no request (which is what I think you’re trying to do).

(28 Jul '11, 08:31) JeffMorriss ♦
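Added example (not from this thread, and not a MATE script): the same request/answer pairing done outside Wireshark, by post-processing `tshark -T fields` output in Python. It assumes the common attribute JeffMorriss refers to is the Diameter Hop-by-Hop Identifier (an answer must echo the value from its request), that the dissector exposes the fields `diameter.flags.request`, `diameter.hopbyhopid` and `diameter.Subscription-Id-Data`, and it uses a constructed seven-packet sample rather than a real trace. It returns the frame numbers of every request for one subscriber together with the paired answers, emits a display filter that keeps both, and lists the leftovers (requests with no answer, answers with no request) that remain once complete pairs are removed.

```python
"""Pair Diameter requests with their answers and derive a display filter.

Example added to the thread; it is not the original poster's or
JeffMorriss's code.  Assumes the Hop-by-Hop Identifier is the attribute
shared by a request and its answer, and that the field names used in the
tshark invocation below exist in the dissector of the Wireshark build in use.
"""
from collections import defaultdict

# Constructed sample of tab-separated tshark field output, as produced by:
#   tshark -r trace.pcap -Y diameter -T fields -E separator=/t \
#     -e frame.number -e diameter.flags.request -e diameter.hopbyhopid \
#     -e diameter.Subscription-Id-Data
# Answers carry no Subscription-Id AVP, so their last column is empty.
SAMPLE_TSV = """\
1\t1\t0x0000a001\t491700000001
2\t1\t0x0000a002\t491700000002
3\t0\t0x0000a001\t
4\t0\t0x0000a002\t
5\t1\t0x0000a003\t491700000001
6\t0\t0x0000a003\t
7\t1\t0x0000a004\t491700000009
"""


def parse_tshark_fields(text):
    """Turn the four-column field output into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, is_req, hbh, sub_id = line.split("\t")
        packets.append({
            "frame": int(frame),
            # tshark prints boolean fields as 1/0 or True/False depending on version
            "is_request": is_req in ("1", "True"),
            "hbh": int(hbh, 16),
            "subscriber": sub_id or None,
        })
    return packets


def pair_by_hop_by_hop(packets):
    """Group packets by Hop-by-Hop Identifier: requests and answers per id."""
    groups = defaultdict(lambda: {"requests": [], "answers": []})
    for p in packets:
        key = "requests" if p["is_request"] else "answers"
        groups[p["hbh"]][key].append(p["frame"])
    return dict(groups)


def _request_ids(packets, subscriber):
    return sorted({p["hbh"] for p in packets
                   if p["is_request"] and p["subscriber"] == subscriber})


def frames_for_subscriber(packets, subscriber):
    """Frames of every request for `subscriber` plus the answers paired with them."""
    groups = pair_by_hop_by_hop(packets)
    frames = set()
    for hbh in _request_ids(packets, subscriber):
        frames.update(groups[hbh]["requests"])
        frames.update(groups[hbh]["answers"])
    return sorted(frames)


def subscriber_display_filter(packets, subscriber):
    """Wireshark display filter keeping both requests and answers of `subscriber`.

    Uses the set-membership operator; the hex values are the request ids found.
    """
    hbh_ids = _request_ids(packets, subscriber)
    if not hbh_ids:
        return "frame.number == 0"  # matches nothing; frames are numbered from 1
    return "diameter.hopbyhopid in {%s}" % " ".join("0x%08x" % h for h in hbh_ids)


def unmatched(packets):
    """Requests without an answer and answers without a request: what is left
    once every complete request+answer pair is filtered out."""
    groups = pair_by_hop_by_hop(packets)
    lonely_requests = sorted(f for g in groups.values() if not g["answers"]
                             for f in g["requests"])
    lonely_answers = sorted(f for g in groups.values() if not g["requests"]
                            for f in g["answers"])
    return {"requests_without_answer": lonely_requests,
            "answers_without_request": lonely_answers}


if __name__ == "__main__":
    pkts = parse_tshark_fields(SAMPLE_TSV)
    print(frames_for_subscriber(pkts, "491700000001"))      # [1, 3, 5, 6]
    print(subscriber_display_filter(pkts, "491700000001"))  # diameter.hopbyhopid in {0x0000a001 0x0000a003}
    print(unmatched(pkts))
```

The Hop-by-Hop Identifier is only required to be unique per peer connection, so on a trace with many peers you would extend the grouping key with the transport endpoints (as the MATE example above does with the SCTP verification tag) before trusting the pairing. Recent Wireshark releases also pair Diameter requests and answers in the dissector itself and expose the result as `diameter.answer_in` / `diameter.answer_to`, which can replace this script entirely where those fields are available.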

Oops, sorry, looks like your last answer is a comment–I swear it wasn’t a few minutes ago, but maybe I was wrong!

(28 Jul '11, 08:34) JeffMorriss ♦

Lol ok no probs, I believe however that I posted my last comment as an answer as I remember clicking “Answer your own question”, anyways I am sorry for the confusion but I am still a wireshark/wireshark-ask newbie :D

Anyways I will read into your suggestions (GOP and so forth) to figure out how I can apply it in my case.

Thank you so much for your reply :)

(01 Aug '11, 00:40) walidbaher

0

There is a workaround. First of all make a backup of the trace :D. Then list all the "Requests" according to the attribute you are searching for. Then "Edit" -> "Ignore All Displayed Packets". As a result all the "Answers" relating to these packets will be marked with a black color and then you can find out which answers are of importance to you.

answered 26 Jul '11, 02:44

walidbaher