Chapter 12. MATE

Table of Contents

12.1. Introduction
12.2. Getting Started
12.3. MATE Manual
12.3.1. Introduction
12.3.2. Attribute Value Pairs
12.3.3. AVP lists
12.3.4. MATE Analysis
12.3.5. About MATE
12.4. MATE’s configuration tutorial
12.4.1. A Gop for DNS requests
12.4.2. A Gop for HTTP requests
12.4.3. Getting DNS and HTTP together into a Gog
12.4.4. Separating requests from multiple users
12.5. MATE configuration examples
12.5.1. TCP session
12.5.2. a Gog for a complete FTP session
12.5.3. using RADIUS to filter SMTP traffic of a specific user
12.5.4. H323 Calls
12.5.5. MMS
12.6. MATE’s configuration library
12.6.1. General use protocols
12.6.2. VoIP/Telephony
12.7. MATE’s reference manual
12.7.1. Attribute Value Pairs
12.7.2. Attribute/Value Pair List (AVPL)
12.8. Configuration AVPLs
12.8.1. Pdsu’s configuration actions

12.1. Introduction

MATE: Meta Analysis and Tracing Engine

What is MATE? In short, MATE lets you create user-configurable extensions of the display filter engine.

MATE’s goal is to enable users to filter frames based on information extracted from related frames or information on how frames relate to each other. MATE was written to help troubleshoot gateways and other systems where a "use" involves more than one protocol. However, MATE can also be used to analyze other issues concerning the interaction between packets, such as response times, incompleteness of transactions, presence/absence of certain attributes in a group of PDUs, and more.

MATE is a Wireshark plugin that allows the user to specify how different frames are related to each other. To do so, MATE extracts data from the frames' tree and then, using that information, tries to group the frames based on how MATE is configured. Once the PDUs are related, MATE creates a "protocol" tree with fields the user can filter on. The fields will be almost the same for all the related frames, so one can filter a complete session spanning several frames and several protocols based on an attribute appearing in some related frame. In addition, MATE allows filtering frames based on response times, the number of PDUs in a group, and a lot more.

So far MATE has been used to:

  • Filter all packets of a call using various protocols knowing just the calling number. (MATE’s original goal)
  • Filter all packets of all calls using various protocols based on the release cause of one of its "segments".
  • Extrapolate slow transactions from very "dense" captures. (finding requests that time out)
  • Find incomplete transactions (no responses)
  • Follow requests through more gateways/proxies.
  • more…
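
A conceptual model of the grouping described above, as an added example (Python, not MATE's own code or configuration syntax): frames that share both endpoints and a DNS transaction ID are related, and an attribute seen in one frame then selects the whole group. The frame records, field names and function names are constructed for illustration.

```python
# Conceptual model only: this is not MATE's implementation or config language.
from collections import defaultdict

# Constructed sample "frames": values a dissector tree might expose per frame.
FRAMES = [
    {"no": 1, "time": 0.000, "addrs": ("10.0.0.5", "10.0.0.1"), "dns_id": 0x1A2B, "resp": False, "qname": "example.test"},
    {"no": 2, "time": 0.010, "addrs": ("10.0.0.5", "10.0.0.1"), "dns_id": 0x3C4D, "resp": False, "qname": "slow.test"},
    {"no": 3, "time": 0.020, "addrs": ("10.0.0.1", "10.0.0.5"), "dns_id": 0x1A2B, "resp": True},
    {"no": 4, "time": 0.030, "addrs": ("10.0.0.5", "10.0.0.1"), "dns_id": 0x5E6F, "resp": False, "qname": "lost.test"},
    {"no": 5, "time": 2.510, "addrs": ("10.0.0.1", "10.0.0.5"), "dns_id": 0x3C4D, "resp": True},
]

def group_frames(frames):
    """Relate frames sharing both endpoints (either direction) and the DNS id."""
    groups = defaultdict(lambda: {"frames": [], "start": None, "stop": None, "attrs": {}})
    for f in frames:
        g = groups[(frozenset(f["addrs"]), f["dns_id"])]
        g["frames"].append(f["no"])
        if not f["resp"] and g["start"] is None:
            g["start"] = f["time"]            # first request opens the group
        elif f["resp"] and g["start"] is not None and g["stop"] is None:
            g["stop"] = f["time"]             # first response closes it
        if "qname" in f:
            g["attrs"]["qname"] = f["qname"]  # attribute now applies to the whole group
    return list(groups.values())

def frames_where(groups, **attrs):
    """Frame numbers of every group whose attributes match, including frames
    that never carried the attribute themselves."""
    return sorted(n for g in groups
                  if all(g["attrs"].get(k) == v for k, v in attrs.items())
                  for n in g["frames"])

def slow(groups, threshold):
    """Names of completed transactions whose response time exceeds threshold (s)."""
    return [g["attrs"].get("qname") for g in groups
            if g["stop"] is not None and g["stop"] - g["start"] > threshold]

def incomplete(groups):
    """Names of transactions that were opened but never answered."""
    return [g["attrs"].get("qname") for g in groups
            if g["start"] is not None and g["stop"] is None]

if __name__ == "__main__":
    gs = group_frames(FRAMES)
    print(frames_where(gs, qname="slow.test"), slow(gs, 1.0), incomplete(gs))
```

Frame 5 carries no query name of its own in this sample, yet it is selected by `qname="slow.test"` because it belongs to the same group as frame 2.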