This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MATE: correlate radius.User_Name and diameter.User-Name messages & extract sessions

0

Hi Experts,

Problem statement: I have a big trace (>300 MB) which has RADIUS and Diameter requests. The Username field in both protocols is common for a specific user's session lifetime, which I am treating as the key for filtering traffic. I want to filter requests so that I get the complete list (Diameter and RADIUS) of messages (requests and responses) for the user's entire session (as long as packets are available in the trace :-) )

I wrote following MATE code :

Pdu radius_pdu Proto radius Transport ip {
    Extract addr From ip.addr;
    Extract port From udp.port;
    Extract radius_id From radius.id;
    Extract username From radius.User_Name;
    Extract radius_code From radius.code;
};

Gop radius_req On radius_pdu Match (radius_id, addr, addr, port, port) {
    Start (radius_code {1|4|40|43});
    Stop (radius_code {2|3|5|41|42|44|45});
    Extra (username);
};

Pdu diameter_pdu Proto diameter Transport ip {
    Extract command_code From diameter.cmd.code;
    Extract app_id From diameter.applicationId;
    Extract session_id From diameter.Session-Id;
    Extract username From diameter.User-Name;
    Extract e2eid From diameter.endtoendid;
};

Gop dia_tx On diameter_pdu Match (command_code, app_id, session_id, e2eid) {
    Start ();
    Stop (never);
    Extra (username);
};

Gog radius_diameter {
    Member radius_req (username);
    Member dia_tx (username);
    Extra (username);
};

Done;

I tried to apply the filter mate.radius_diameter.username == "123456789". However, I am still not able to get the expected data. I want to understand if I am missing anything critical or if I need to follow some other approach?

asked 19 Dec ‘16, 08:19

Vijay Gharge
accept rate: 0%

edited 19 Dec ‘16, 08:22

So what kind of data do you get?

Do the Radius and Diameter parts work independently (i.e., does the Diameter GOP give you all the packets for that user?)?

In general I’d think what you’re trying to do should work. I don’t (yet) see what the problem is though…

(19 Dec ‘16, 18:50) JeffMorriss ♦

Thanks Jeff for response.

  1. I can extract Diameter / RADIUS messages for a specific user, i.e. "123456789". However, I don't see the relevant "response messages", irrespective of RADIUS or Diameter. I am not sure what exactly is missing.

  2. Since there are a number of such users, I have to choose 1 user at a time & then apply the mate.radius_diameter.username == "$username" filter. This approach just looks impossible. I will have to spend days filtering through the complete trace.

  3. As an end result, I want to extract the complete list of messages across RADIUS & Diameter wherein "diameter.Result-Code == 5002".

Kindly guide me through this. Thanks in advance.

(19 Dec ‘16, 21:36) Vijay Gharge


One Answer:

1
  1. So if you filter for dia_tx based on username you don't see the Diameter Answers? Looking at what you have there I would expect that to work. I'm not sure what's going on there.
  2. Well, it depends on what you're trying to do (see next item)...
  3. So it sounds like you need to add the Diameter Result-Code to the diameter_pdu, then to the dia_tx GOP and then also to the radius_diameter GOG. You /should/ then be able to filter for GOGs that have Result-Code == 5002 which /should/ then show you all the messages in that GOG (Radius and Diameter requests + answers).

At least that's the theory... Based on my memory... And it's been a while since I've used MATE.

BTW what version of Wireshark are you using?

answered 21 Dec '16, 18:51

JeffMorriss ♦
accept rate: 27%

Hi Jeff,

Thanks for the suggestion. I have managed to solve the issue partially.

The following MATE code gives me the complete life-cycle of the user, with a few caveats, i.e.

  1. RADIUS requests (except CoA) & Diameter messages are using IPv6 transport. However, the RADIUS CoA message is using IPv4 transport. I am unable to correlate "radius + coa + diameter" in a single MATE filter. Apart from that, all the messages are extracted properly.
  2. I have to go over each and every Diameter message which has the 5002 Result-Code. Is there any way to get the complete list of such messages (having the 5002 Result-Code) instead of going over it again and again? Do I have to use an external bash script approach, i.e. for loop -> grep -> sort -u, etc.?

Apologies, I couldn't format the message below properly, hence I marked it as an answer. But I voted your earlier message as the solution :-)

Code :

Pdu radius_pdu Proto radius Transport ipv6 {
    Extract addr From ipv6.addr;
    Extract port From udp.port;
    Extract radius_id From radius.id;
    Extract username From radius.User_Name;
    Extract radius_code From radius.code;
};

// Identifying PDU start / stop is critical

Gop radius_req On radius_pdu Match (addr, addr, port, port, radius_id) {
    Start (radius_code {1|4});
    Stop (radius_code {2|3|5});
    Extra (username);   // This is the common key to link radius & diameter messages
};

Pdu radius_coa_pdu Proto radius Transport udp/ip {
    Extract addr From ip.addr;
    Extract port From udp.port;
    Extract radius_id From radius.id;
    Extract username From radius.User_Name;
    Extract radius_code From radius.code;
};

Gop coa_tx On radius_coa_pdu Match (addr, addr, port, port, radius_id) {
    Start (radius_code {40|43});
    Stop (radius_code {41|42|44|45});
    Extra (username);
};

Pdu diameter_pdu Proto diameter Transport ip {
    Extract command_code From diameter.cmd.code;
    Extract app_id From diameter.applicationId;
    Extract session_id From diameter.Session-Id;
    Extract username From diameter.User-Name;
    Extract e2eid From diameter.endtoendid;
    Extract diameter_code From diameter.Result-Code;
};

Gop dia_tx On diameter_pdu Match (command_code, app_id, session_id, e2eid) {
    Start ();
    Stop (never);
    Extra (username, diameter_code);
};

// It is critical that both the members of the Gog share exactly the same key name, i.e. username in this case.
// I tried setting one as radius_username & the other as diameter_username but I could not filter PDUs with username as key.

Gog radius_dia_results {
    Member dia_tx (username);
    Member radius_req (username);
    Extra (username, diameter_code);   // Extract username field to include in MATE PDU tree
};

Gog coa_dia_results {
    Member dia_tx (username);          // username is the common key to link radius & diameter messages
    Member coa_tx (username);          // username is the common key to link radius & diameter messages
    Extra (username, diameter_code);   // Extract username & diameter_code fields to include in MATE PDU tree
};

Done;

(25 Dec ‘16, 14:13) Vijay Gharge

Glad you're making progress. :-) I converted my comment to an answer and your answer to a comment (more or less as you suggested).

A note on formatting: yes, I frequently compose my comments in the answer window and then cut-n-paste it into the comment window. It makes the formatting easier…

  1. Two possibilities: a) can you simply change the Radius Transport to udp rather than ip and ipv6? I thought that would work. b) If that doesn’t do it can’t you add coa_tx(username) to radius_dia_results? A GOG isn’t limited to just 2 members and it doesn’t (shouldn’t) care if the transports are different.
  2. I assume you're saying that you need to look at every message of every group of RADIUS and Diameter transactions that got a Diameter Result-Code of 5002, presumably one username at a time (i.e., username "12345" got a 5002 so now you need to go look at all the messages for that user leading up to that error)? Yes, I think you're going to have to do that in 2 passes: one to get the list of usernames that got a 5002 and then a second pass to look at the messages for each problematic username. A bash/tshark script would be good for the first pass; how you do the second pass depends on how you want to look at the results. Personally I'd probably do a 2nd pass with tshark generating lots of PCAP files (one per problematic username) so I could view/browse the results in Wireshark.
(27 Dec ‘16, 07:34) JeffMorriss ♦
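The two-pass tshark approach suggested in the last comment, written out as a shell script. This is an added example, not code posted in the thread or shipped with Wireshark. It assumes the MATE config from the thread is saved as radius_dia.mate and the capture as trace.pcapng (both hypothetical names), and that the dia_tx GOP's attributes are exposed as mate.dia_tx.username and mate.dia_tx.diameter_code, following MATE's mate.<gop>.<attribute> field naming; adjust the names if your Wireshark version registers them differently. The second pass deliberately filters on the plain RADIUS/Diameter username fields rather than on MATE, so it still works for the IPv4 CoA traffic that the GOG does not link.

```shell
#!/bin/sh
# Two-pass triage of a RADIUS/Diameter trace with tshark (added example, not from the thread).
# Assumed (hypothetical) inputs: TRACE = the capture, MATE_CFG = the MATE config from the thread.
TRACE="${TRACE:-trace.pcapng}"
MATE_CFG="${MATE_CFG:-radius_dia.mate}"
OUT_DIR="${OUT_DIR:-per_user}"

# Display filter selecting every RADIUS and Diameter frame carrying one username.
# Quotes and backslashes in the username are escaped so a hostile User-Name cannot
# break out of the string and alter the filter.
user_filter() {
    esc=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')
    printf 'radius.User_Name == "%s" || diameter.User-Name == "%s"' "$esc" "$esc"
}

# Map a username onto a file name that cannot escape OUT_DIR (slashes, spaces etc. become _).
safe_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9@._-' '_'
}

# Reduce first-pass output (one username per line, repeats and blanks allowed) to a sorted unique list.
unique_users() {
    grep -v '^$' | sort -u
}

# Pass 1: frames whose dia_tx GOP recorded Result-Code 5002, printing the GOP's username.
# -2 makes tshark run two passes so the GOP attributes are complete on every frame of the group.
# Field names mate.dia_tx.* are assumed from MATE's mate.<gop>.<attribute> convention.
failed_users() {
    tshark -2 -r "$TRACE" -o "mate.config:$MATE_CFG" \
        -Y 'mate.dia_tx.diameter_code == 5002' \
        -T fields -e mate.dia_tx.username | unique_users
}

# Pass 2: one capture per problematic username, for browsing in Wireshark.
split_by_user() {
    mkdir -p "$OUT_DIR"
    while IFS= read -r user; do
        tshark -r "$TRACE" -Y "$(user_filter "$user")" -w "$OUT_DIR/$(safe_name "$user").pcapng"
    done
}

# Run the whole pipeline only when invoked as "sh triage.sh run", so the file can also be sourced.
if [ "${1:-}" = run ]; then
    failed_users | split_by_user
fi
```

Invoke it as `TRACE=big.pcapng MATE_CFG=radius_dia.mate sh triage.sh run`; the per-user captures land in per_user/. If the first pass returns nothing, check the MATE field names with `tshark -G fields | grep mate.dia_tx` before suspecting the trace.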