Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: [Wireshark-dev] MATE question

From: "Todd Carrozzi" <carrozzi@xxxxxxxxx>
Date: Thu, 15 Nov 2007 14:14:17 -0500
    I am a bit stymied as to how the MATE plugin works, and thus why I
can almost but not quite make it do what I want. What I am trying to
do(at a minimum) is add the ability to sort by TCP session in the
packet list view.  While trying to figure out how to do that, I was
fiddling with mate, and it occurred to  me that adding a column to
display the MATE GOP number could work, and then be reconfigurable by
MATE scripts.  So I managed to add such a column, and by adding the
following code(currently in mate_tree in packet-mate.c, but I had it
working about as well someplace else as well):
		if ( pdus && pdus->gop && check_col(pinfo->cinfo, COL_MATE_GOP)) {
	            col_add_fstr(pinfo->cinfo, COL_MATE_GOP, "%8d:%s",
(pdus->gop->id),(pdus->gop->cfg->name));
		}
I can configure mate with the example tcp.mate script, and load a file
with a bunch of web traffic, and all the TCP packets have the column
filled in , and ARP, ICMP, etc do not, exactly as expected.  However,
the packets classified as HTTP, while having the correct MATE
information listed in the protocol tree, has a blank value for my new
column, and thus doesn't sort in with the rest of the session it
belongs to.  If I turn off HTTP dissection, it all works.  I know the
Info column is cleared and filled in by later dissectors, but clearly
nothing knows about my new column but me, so it isn't being manually
cleared.
   I then dug into where the handoff occurs, and then noticed that
MATE registers itself as a frame tap, although the packet callback is
an empty routine.  So now I am confused as to a) how MATE actually
gets handed packets, and b) why my column ever works if I am calling
it from a tap.  Anyway, if anyone has any suggestions, and or an
explanation as to how packets flow through MATE, I'd greatly
appreciate it.

                                                  Thanks,

                                                    Todd Carrozzi