This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Track specific diameter requests without response

0

Hi Experts,

Is there any functionality specific to diameter wherein I can track requests which don't have response or wherein response is other than success

I believe we can use following filter for processing radius traffic.

(radius.req && !radius.rspframe)

Please advise.

asked 24 Nov '16, 12:06

Vijay%20Gharge's gravatar image

Vijay Gharge
36151620
accept rate: 0%


One Answer:

1

The filter you've found for RADIUS, radius.req and !radius.rspframe, does identify requests without a matching response in the capture, as the embedded dissector creates the cross-reference pseudofields radius.reqframe and radius.rspframe.

The diameter dissector does the same, except that the pseudo-fields are called diameter.answer_to and diameter.answer_in. So the equivalent of your filter, showing only requests without a matching response, would be diameter.flags.request == 1 and !diameter.answer_in.

However, that's the maximum you can get from the embedded dissector.

To display-filter requests which have received responses with other than successful result, you need two things:

  • to define what an "other than successful result" means in your context, because not all diameter applications contain the Result-Code AVP. Is diameter.flags.error == 1 a sufficient criterion?

  • to use a Lua post-dissector or MATE to use fields from dissection trees of response packets for creation of your own pseudo-field(s) in the dissection tree of the request packets, allowing to display-filter the requests on these pseudo-fields. MATE does a lot of things automatically but in its own way, while Lua gives you more flexibility but you have to type much more to achieve the goal.

answered 25 Nov '16, 08:29

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 25 Nov '16, 13:40

Thanks @Sindy for answer. While I will definitely try first solution, working on 2nd solution (LUA / MATE) is beyond my capacity. Will attempt, though :-)

(25 Nov '16, 11:56) Vijay Gharge