
Wireshark-users: Re: [Wireshark-users] MATE transformations

From: "Luis EG Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Thu, 21 Jun 2007 02:02:01 +0200
You should try applying the transformation to the Pdu and copy (using
Extra) the "answered" attribute from pdu to gop, and finally to gog.

On 6/20/07, Bernhard Bock <mailinglists@xxxxxxx> wrote:
All,

I have a question regarding Wireshark's MATE (Meta Analysis and Tracing
Engine).

First of all, let me try to describe what I want to accomplish:

I do have an LDAP query interface, where lots of similar queries are
performed. Some queries result in exactly one result, some do yield no
result at all. Also, this may change over time as the LDAP directory
content is highly dynamic. All queries are done inside of a few LDAP/TCP
sessions.

I try to filter in Wireshark for specific LDAP filters, and group them
together in order to find all traffic related to one LDAP entry. Also, I
want to filter which LDAP filters yield no result at all, and which are
always answered positively and which change over time.

Now, let me describe what works for me and what doesn't:

In order to accomplish my task, I group all packets belonging to one
LDAP query (same ldap.messageID) to one Group of Packets (GOP), and all
queries with the same filter (ldap.assertionValue) to one Group of
Groups (GOG). This works fine so far.

Then, I try to transform all GOPs containing an LDAP searchResEntry
(ldap.protocolOp=4, which means a result entry was found). The
transformation shall insert an AVP in the GOP for further processing
(answered=1). This does not work as desired.
Wireshark always inserts answered=1 into all GOPs, or into none. I tried
with all matching rules (strict, loose, every), but cannot make this work.

Can anybody give me a hint please?

Please keep me on CC, as I am not subscribed to the list.

best regards
Bernhard


================================snip====================================
Transform ans {
    Match Strict (ldap.protocolOp=4) Insert (answered=1);
};

Pdu ldap_pdu Proto ldap Transport tcp/ip {
    Extract addr From ip.addr;
    Extract port From tcp.port;
    Extract ldap_op From ldap.protocolOp;
    Extract ldap_msgid From ldap.messageID;
    Extract ldap_search From ldap.assertionValue;

    Transform ans;
};

Gop ldap_ses On ldap_pdu Match (ldap_msgid, addr, addr, port, port) {
    Start (ldap_op=3);
    Stop (ldap_op=5);

    Extra (ldap_search, ans);
};

Gog user_all {
    Member ldap_ses (ldap_search);

    Extra (answered);
};

Done;

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users



--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
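The configuration rewritten along the lines of the reply above, as an added example rather than code from either poster: the Transform stays on the Pdu, and the Gop and the Gog both use Extra to copy the inserted attribute answered (not the transform name ans). It also changes the Transform's match to the extracted attribute name ldap_op, on the assumption that MATE evaluates a Transform against the Pdu's own AVPL, in which ldap.protocolOp exists only under the name given to it by Extract.

```mate
// Tag every LDAP searchResEntry PDU (protocolOp 4) with answered=1.
// Assumption: the match must use ldap_op, the name Extract gives to
// ldap.protocolOp, because the raw field name is not in the PDU's AVPL.
Transform ans {
    Match Strict (ldap_op=4) Insert (answered=1);
};

Pdu ldap_pdu Proto ldap Transport tcp/ip {
    Extract addr        From ip.addr;
    Extract port        From tcp.port;
    Extract ldap_op     From ldap.protocolOp;
    Extract ldap_msgid  From ldap.messageID;
    Extract ldap_search From ldap.assertionValue;
    Transform ans;
};

// One GOP per LDAP request: searchRequest (3) opens it, searchResDone (5)
// closes it. Extra names the inserted attribute, so answered=1 is copied
// only into GOPs that actually contained a searchResEntry PDU.
Gop ldap_ses On ldap_pdu Match (ldap_msgid, addr, addr, port, port) {
    Start (ldap_op=3);
    Stop  (ldap_op=5);
    Extra (ldap_search, answered);
};

// One GOG per filter value; answered is copied up from its member GOPs.
Gog user_all {
    Member ldap_ses (ldap_search);
    Extra (answered);
};

Done;
```

With this loaded as the MATE configuration, the display filter mate.ldap_ses.answered == 1 selects the queries that returned an entry, and its negation the ones that did not.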