Wireshark-users: Re: [Wireshark-users] MATE transformations
From: "Luis EG Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Thu, 21 Jun 2007 02:02:01 +0200
You should try applying the transformation to the Pdu and copy (using Extra) the "answered" attribute from pdu to gop, and finally to gog.

On 6/20/07, Bernhard Bock <mailinglists@xxxxxxx> wrote:
All,

I have a question regarding Wireshark's MATE (Meta Analysis and Tracing Engine). First of all, let me try to describe what I want to accomplish: I do have an LDAP query interface, where lots of similar queries are performed. Some queries result in exactly one result, some do yield no result at all. Also, this may change over time as the LDAP directory content is highly dynamic. All queries are done inside of a few LDAP/TCP sessions.

I try to filter in Wireshark for specific LDAP filters, and group them together in order to find all traffic related to one LDAP entry. Also, I want to filter which LDAP filters yield no result at all, which are always answered positively and which change over time.

Now, let me describe what works for me and what doesn't: In order to accomplish my task, I group all packets belonging to one LDAP query (same ldap.messageID) into one Group of Packets (GOP), and all queries with the same filter (ldap.assertionValue) into one Group of Groups (GOG). This works fine so far.

Then, I try to transform all GOPs containing an LDAP searchResEntry (ldap.protocolOp=4, which means a result entry was found). The transformation shall insert an AVP in the GOP for further processing (answered=1). This does not work as desired. Wireshark always inserts answered=1 into all GOPs, or into none. I tried with all matching rules (strict, loose, every), but cannot make this work.

Can anybody give me a hint please? Please keep me on CC, as I am not subscribed to the list.

best regards
Bernhard

================================snip====================================

Transform ans {
    Match Strict (ldap.protocolOp=4) Insert (answered=1);
};

Pdu ldap_pdu Proto ldap Transport tcp/ip {
    Extract addr From ip.addr;
    Extract port From tcp.port;
    Extract ldap_op From ldap.protocolOp;
    Extract ldap_msgid From ldap.messageID;
    Extract ldap_search From ldap.assertionValue;
    Transform ans;
};

Gop ldap_ses On ldap_pdu Match (ldap_msgid, addr, addr, port, port) {
    Start (ldap_op=3);
    Stop (ldap_op=5);
    Extra (ldap_search, ans);
};

Gog user_all {
    Member ldap_ses (ldap_search);
    Extra (ans);
};

Done;
-- This information is top security. When you have read it, destroy yourself. -- Marshall McLuhan
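Luis's suggestion applied to Bernhard's configuration, as an added example (this is not code from either poster): the Transform is matched against the Pdu's AVPL, whose attributes carry the names given in Extract, so it has to test the extracted attribute ldap_op rather than the raw field name ldap.protocolOp, and the Extra clauses copy the inserted attribute "answered" rather than the transform name "ans". It assumes, as the original config does, that ldap_op holds the numeric protocolOp codes (3 searchRequest, 4 searchResEntry, 5 searchResDone), and that comments are written with MATE's // syntax.

```mate
// Added example: Bernhard's config with the attribute names corrected.
// The match must use ldap_op (the Extract name), not ldap.protocolOp.
Transform ans {
    Match Strict (ldap_op=4) Insert (answered=1);
};

Pdu ldap_pdu Proto ldap Transport tcp/ip {
    Extract addr From ip.addr;
    Extract port From tcp.port;
    Extract ldap_op From ldap.protocolOp;
    Extract ldap_msgid From ldap.messageID;
    Extract ldap_search From ldap.assertionValue;
    // Applied at Pdu level: every searchResEntry Pdu gets answered=1
    Transform ans;
};

Gop ldap_ses On ldap_pdu Match (ldap_msgid, addr, addr, port, port) {
    Start (ldap_op=3);
    Stop (ldap_op=5);
    // Extra lists attributes to copy from member Pdus into the Gop;
    // "ans" is a transform name, not an attribute, so copy "answered"
    Extra (ldap_search, answered);
};

Gog user_all {
    Member ldap_ses (ldap_search);
    // Copy answered up from the member Gops so the Gog carries it too
    Extra (answered);
};

Done;
```

With this loaded, a display filter on the Gop attribute (assumed to be registered as mate.ldap_ses.answered, following MATE's mate.<gop>.<attribute> naming) selects the queries that returned an entry, and mate.ldap_ses && !mate.ldap_ses.answered shows the ones that never did.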