Wireshark · Ethereal-dev: Re: [Ethereal-dev] using MATE to detect SCTP retransmissions

Ethereal-dev: Re: [Ethereal-dev] using MATE to detect SCTP retransmissions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 11 Nov 2005 19:13:46 +0100

On 11/11/05, Jeff Morriss <jeff.morriss@xxxxxxxxxxx> wrote:
>
> I've got a huge capture file with lots of SCTP retransmissions.  I'd
> like to have an easy way to find them and (since we don't have SCTP
> analysis similar to the TCP analysis yet) I started playing around with
> MATE.
>
>  From reading the docs I thought I could create a Gop of SCTP PDUs whose
> only matching criteria was the Vtag and TSN, something like:
>
> Pdu sctp_pdu Proto sctp Transport ip {
>          //Extract addr From ip.addr;
>          //Extract port From sctp.port;
>          Extract vtag From sctp.verification_tag;
>          Extract tsn From sctp.data_tsn;
>          Extract sctp_chunk From sctp.chunk_type;
> };
>
> Gop sctpretrans On sctp_pdu Match (vtag, tsn) {
>          Stop(sctp_chunk=6);
> };
>
> Done;
>
> (I've already filtered the file down so there's only my association in
> there.)
>
> MATE picks up the sctp_pdu's but not the Gops.  Any ideas why?  Any
> ideas for a better way to do it?  (I want to find the retransmissions
> and check the time between the transmissions.)
>

My fault, what you did should do the job. Gops with a missing Start
Condition appear not to be working... I'll take a look at it.

> (I also tried not having any Start or Stop conditions to the Gop but the
> parser didn't like that thus the basically useless--for what I'm trying
> to do--Stop condition.  Really, my Start condition is that the PDU
> matched and my Stop condition is the end of the capture file.)

The grammar is missing the possibility of an empty Gop Statement...
I'll add that.

So, going back to your problem. You basically want to start a Gop
whenever a new VTAG-TSN pair appears and never stop it.

Pdu sctp_pdu Proto sctp Transport ip {
        Extract vtag From sctp.verification_tag;
        Extract tsn From sctp.data_tsn;
        Extract sctp_chunk From sctp.chunk_type;
};

Gop sctpretrans On sctp_pdu Match (vtag, tsn) {
    Start ();
     // the empty avpl will allways match (yielding an empty avpl)
     // BTW it is exactly what a Gop with no Start condition should be
doing internally.

    Stop (never);
    // there's no way a "never" avp will be found in a Pdu.
};

// you can filter retransmited packets with
// mate.sctpretrans.NumOfPdus > 1

Done;

--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan

Follow-Ups:
- Re: [Ethereal-dev] using MATE to detect SCTP retransmissions
  - From: Jeff Morriss

References:
- [Ethereal-dev] using MATE to detect SCTP retransmissions
  - From: Jeff Morriss

Prev by Date: [Ethereal-dev] Update to NCP dissector
Next by Date: Re: [Ethereal-dev] using MATE to detect SCTP retransmissions
Previous by thread: [Ethereal-dev] using MATE to detect SCTP retransmissions
Next by thread: Re: [Ethereal-dev] using MATE to detect SCTP retransmissions
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$