MATE uses AVPs for almost everything: to keep the data it has extracted from the frames' trees as well as to keep the elements of the configuration.
These "pairs" (actually tuples) are made of a name, a value and, in case of configuration AVPs, an operator. Names and values are strings. AVPs with operators other than '=' are used only in the configuration and are used for matching AVPs of PDUs, GOPs and GOGs in the analysis phase.
The name is a string used to refer to a type of AVP. Two attributes won’t match unless their names are identical. Capitalized names are reserved for keywords (you can use them for your elements if you want but I think it’s not the case). MATE attribute names can be used in Wireshark’s display filters the same way like names of protocol fields provided by dissectors, but they are not just references to (or aliases of) protocol fields.
Currently only match operators are defined (there are plans to (re)add transform attributes but some internal issues have to be solved before that). The match operations are always performed between two operands: the value of an AVP stated in the configuration and the value of an AVP (or several AVPs with the same name) extracted from packet data (called "data AVPs"). It is not possible to match data AVPs to each other.
The defined match operators are:
This operator tests whether the values of the operator and the operand AVP are equal.
This operator matches if the value strings of two AVPs are not equal.
The "one of" operator matches if the data AVP value is equal to one of the values listed in the "one of" AVP.
The "starts with" operator matches if the first characters of the data AVP value are identical to the configuration AVP value.
The ends with operator will match if the last bytes of the data AVP value are equal to the configuration AVP value.
The "contains" operator will match if the data AVP value contains a string identical to the configuration AVP value.
The "lower than" operator will match if the data AVP value is semantically lower than the configuration AVP value.
BUGS
It should check whether the values are numbers and compare them numerically
The "higher than" operator will match if the data AVP value is semantically higher than the configuration AVP value.
Examples
attrib=bcd matches attrib>abc attrib=3 matches attrib>2 but beware: attrib=9 does not match attrib>10 attrib=abc does not match attrib>bcd attrib=abc does not match attrib>abc
BUGS
It should check whether the values are numbers and compare them numerically
PDUs, GOPs and GOGs use an AVPL to contain the tracing information. An AVPL is an unsorted set of AVPs that can be matched against other AVPLs.
There are three types of match operations that can be performed between AVPLs. The PDU’s/GOP’s/GOG’s AVPL will be always one of the operands; the AVPL operator (match type) and the second operand AVPL will always come from the configuration. Note that a diverse AVP match operator may be specified for each AVP in the configuration AVPL.
An AVPL match operation returns a result AVPL. In Transforms, the result AVPL may be replaced by another AVPL. The replacement means that the existing data AVPs are dropped and the replacement AVPL from the configuration is Merged to the data AVPL of the PDU/GOP/GOG.
A loose match between AVPLs succeeds if at least one of the data AVPs matches at least one of the configuration AVPs. Its result AVPL contains all the data AVPs that matched.
Loose matches are used in Extra operations against the PDU's AVPL to merge the result into GOP's AVPL, and against GOP's AVPL to merge the result into GOG's AVPL. They may also be used in Criteria and Transforms.
Note | |
---|---|
As of current (2.0.1), Loose Match does not work as described here, see issue 12184. Only use in Transforms and Criteria is effectively affected by the bug. |
Loose Match Examples
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Loose (attr_a?, attr_c?) =⇒ (attr_a=aaa, attr_c=xxx)
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Loose (attr_a?, attr_c=ccc) =⇒ (attr_a=aaa)
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Loose (attr_a=xxx; attr_c=ccc) =⇒ No Match!
An "every" match between AVPLs succeeds if none of the configuration’s AVPs that have a counterpart in the data AVPL fails to match. Its result AVPL contains all the data AVPs that matched.
These may only be used in Criteria and Transforms.
Note | |
---|---|
As of current (2.0.1), Loose Match does not work as described here, see issue 12184. |
"Every" Match Examples
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Every (attr_a?, attr_c?) =⇒ (attr_a=aaa, attr_c=xxx)
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Every (attr_a?, attr_c?, attr_d=ddd) =⇒ (attr_a=aaa, attr_c=xxx)
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Every (attr_a?, attr_c=ccc) =⇒ No Match!
(attr_a=aaa; attr_b=bbb; attr_c=xxx) Match Every (attr_a=xxx, attr_c=ccc) =⇒ No Match!
A Strict match between AVPLs succeeds if and only if every AVP in the configuration AVPL has at least one counterpart in the data AVPL and none of the AVP matches fails. The result AVPL contains all the data AVPs that matched.
These are used between GOP keys (key AVPLs) and PDU AVPLs. They may also be used in Criteria and Transforms.
Examples
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Strict (attr_a?, attr_c=xxx) =⇒ (attr_a=aaa, attr_c=xxx)
(attr_a=aaa, attr_b=bbb, attr_c=xxx, attr_c=yyy) Match Strict (attr_a?, attr_c?) =⇒ (attr_a=aaa, attr_c=xxx, attr_c=yyy)
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Strict (attr_a?, attr_c=ccc) =⇒ No Match!
(attr_a=aaa, attr_b=bbb, attr_c=xxx) Match Strict (attr_a?, attr_c?, attr_d?) =⇒ No Match!
An AVPL may be merged into another one. That would add to the latter every AVP from the former that does not already exist there.
This operation is done
Examples
(attr_a=aaa, attr_b=bbb) "merge" (attr_a=aaa, attr_c=xxx) former becomes (attr_a=aaa, attr_b=bbb, attr_c=xxx)
Can’t have multiple "attr_a" with same value "aaa"
(attr_a=aaa, attr_b=bbb) "merge" (attr_a=aaa, attr_a=xxx) former becomes (attr_a=aaa, attr_a=xxx, attr_b=bbb)
Multiple "attr_a" with different values "aaa" and "xxx"
(attr_a=aaa, attr_b=bbb) "merge" (attr_c=xxx, attr_d=ddd) former becomes (attr_a=aaa, attr_b=bbb, attr_c=xxx, attr_d=ddd)
All AVP names are unique so resulting AVPL contains all AVPs from both AVPLs