Chapter 12. MATE

Table of Contents

12.1. Introduction
12.2. Getting Started
12.3. MATE Overview
12.3.1. Introduction
12.3.2. Attribute Value Pairs (AVP)
12.3.3. AVP lists (AVPL)
12.4. MATE Frame Analysis
12.4.1. Create PDUs (Phase 1)
12.4.2. Grouping PDUs together (GOP) (Phase 2)
12.4.3. Grouping GOPs together (GOG) (Phase 3)
12.4.4. Adjust data (AVPL Transforms)
12.5. MATE’s configuration tutorial
12.5.1. A GOP for DNS requests
12.5.2. A GOP for HTTP requests
12.5.3. Getting DNS and HTTP together into a GOG
12.5.4. Separating requests from multiple users
12.6. MATE configuration examples
12.6.1. TCP session (tcp.mate)
12.6.2. a GOG for a complete FTP session
12.6.3. using RADIUS to filter SMTP traffic of a specific user
12.6.4. H323 Calls
12.6.5. MMS
12.7. MATE’s configuration library
12.7.1. General use protocols
12.7.2. VoIP/Telephony
12.8. MATE’s reference manual
12.8.1. Attribute Value Pairs (AVP)
12.8.2. AVP Operators (=,!,{},^,$,~,<,>,?)
12.8.3. Attribute Value Pair List (AVPL)
12.8.4. Operations between AVPLs (Match)
12.8.5. AVPL Merge
12.9. Configuration Reference (mate.config)
12.9.1. PDU declaration block
12.9.2. GOP declaration block
12.9.3. GOG declaration block
12.9.4. Transform declaration block
12.9.5. Settings configuration AVPL
12.9.6. Debugging Stuff
12.9.7. Action=Include

12.1. Introduction

MATE: Meta Analysis and Tracing Engine

What is MATE? Well, to keep it very short, with MATE you can create user-configurable extensions of the display filter engine.

MATE’s goal is to enable users to filter frames based on information extracted from related frames, or on how frames relate to each other. MATE was written to help troubleshoot gateways and other systems where a single "use" involves several protocols. However, MATE can also be used to analyze other issues concerning the interaction between packets, such as response times, incompleteness of transactions, presence or absence of certain attributes in a group of Protocol Data Units (PDUs), and more.

MATE is a Wireshark plugin that allows the user to specify how different frames are related to each other. To do so, MATE extracts data from the frames' protocol tree and then, using that information, tries to group the frames according to how MATE is configured. Once the PDUs are related, MATE creates a "protocol" tree with fields the user can filter on. The fields are almost the same for all the related frames, so one can filter a complete session spanning several frames and several protocols based on an attribute appearing in any one of the related frames. Beyond that, MATE allows filtering frames based on response times, the number of PDUs in a group, and much more.

So far MATE has been used to:

  • Filter all packets of a call using various protocols, knowing just the calling number. (MATE’s original goal)
  • Filter all packets of all calls using various protocols based on the release cause of one of their "segments".
  • Pick out slow transactions from very "dense" captures (finding requests that time out).
  • Find incomplete transactions (no responses).
  • Follow requests through several gateways/proxies.
  • more…