Luis EG Ontanon wrote:
> You should try applying the transformation to the Pdu and copy (using
> Extra) the "answered" attribute from pdu to gop, and finally to gog
[...]
Thanks a lot - works like a charm!! (With small modifications to your
proposal in order to extract "answered" instead of "ans" and to match
against "ldap_op" instead of "ldap.protocolOp".)
I do have another problem now:
I am trying to correlate the LDAP with RADIUS traffic as well. As long as I
only put the LDAP-related stuff and the RADIUS Pdu section in MATE,
everything works. As soon as I insert the RADIUS Gop section, Wireshark
crashes with a failed assertion.
This happens only if the trace file contains RADIUS packets. It works,
though, if I keep both the RADIUS Pdu and Gop sections, but remove all
LDAP stuff.
The failed assertion is in line 193 of except.c.
The expression is: top->except_type == XCEPT_CATCHER
(Not sure if that helps, but that's what the error message says...)
I'm using Wireshark 0.99.5 SVN Rev 20677
Unfortunately I cannot provide a sample trace file, as it includes
customer data that I must not publish or share with anybody.
Best regards
Bernhard
================================snip====================================
// Mark every LDAP searchResDone (protocolOp 4) PDU as "answered"
Transform ans {
    Match (ldap_op=4) Insert (answered);
};
Pdu ldap_pdu Proto ldap Transport tcp/ip {
    Extract addr From ip.addr;
    Extract port From tcp.port;
    Extract ldap_op From ldap.protocolOp;
    Extract ldap_msgid From ldap.messageID;
    Extract ldap_search From ldap.assertionValue;
    Extract ldap_res From ldap.objectName;
    Transform ans;
};
Pdu radius_pdu Proto radius Transport udp/ip {
    Extract addr From ip.addr;
    // RADIUS runs over UDP, so tcp.port never exists in these frames and
    // "port" would never be extracted; corrected from tcp.port to udp.port
    Extract port From udp.port;
    Extract rad_op From radius.code;
    Extract rad_msgid From radius.id;
    Extract rad_clientip From radius.Framed-IP-Address;
};
// One RADIUS session per (id, addresses, ports): Accounting-Request .. Accounting-Response
Gop radius_ses On radius_pdu Match (rad_msgid, addr, addr, port, port) {
    Start (rad_op=4);
    Stop (rad_op=5);
    Extra (rad_clientip);
};
// One LDAP search per (messageID, addresses, ports): searchRequest .. searchResDone
Gop ldap_ses On ldap_pdu Match (ldap_msgid, addr, addr, port, port) {
    Start (ldap_op=3);
    Stop (ldap_op=5);
    Extra (ldap_search, answered);
};
// "answered" is carried Pdu -> Gop -> Gog via Extra, as suggested above
Gog user_all {
    Member ldap_ses ( ldap_search );
    Extra (answered);
};
Done;
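An added sanity check, written for this reply and not part of the thread or of Wireshark, that a practitioner can run over a MATE config before loading it: it flags Extract statements reading a field outside the Pdu's Proto/Transport (the tcp.port under udp/ip in the RADIUS Pdu above) and Gop/Gog attributes that no lower layer extracts, Inserts or carries via Extra. The embedded config is a constructed copy of the posted one, and the block regexes assume the `Kind name ... { ... };` layout used there.

```python
import re
# Constructed sample (assumption): the poster's config from above, including its
# 'tcp.port' Extract under a udp/ip transport, kept so the linter has something to flag.
SAMPLE_CONFIG = """
Transform ans { Match (ldap_op=4) Insert (answered); };
Pdu ldap_pdu Proto ldap Transport tcp/ip { Extract addr From ip.addr; Extract port From tcp.port;
  Extract ldap_op From ldap.protocolOp; Extract ldap_msgid From ldap.messageID;
  Extract ldap_search From ldap.assertionValue; Transform ans; };
Pdu radius_pdu Proto radius Transport udp/ip { Extract addr From ip.addr; Extract port From tcp.port;
  Extract rad_op From radius.code; Extract rad_msgid From radius.id; Extract rad_clientip From radius.Framed-IP-Address; };
Gop radius_ses On radius_pdu Match (rad_msgid, addr, addr, port, port) { Start (rad_op=4); Stop (rad_op=5); Extra (rad_clientip); };
Gop ldap_ses On ldap_pdu Match (ldap_msgid, addr, addr, port, port) { Start (ldap_op=3); Stop (ldap_op=5); Extra (ldap_search, answered); };
Gog user_all { Member ldap_ses (ldap_search); Extra (answered); };
"""
BLOCK_RE = re.compile(r"\b(Transform|Pdu|Gop|Gog)\s+(\w+)\s*([^{]*)\{(.*?)\};", re.S)

def _names(avps):  # "a=1, b" -> {"a", "b"}: attribute names of a MATE AVP list
    return {a.split("=")[0].strip() for a in avps.split(",") if a.strip()}

def _clause(keyword, text):  # attribute names in every "<keyword> (...)" found in text
    return set().union(*(_names(a) for a in re.findall(keyword + r"\s*\(([^)]*)\)", text)))

def lint_mate(config):
    """Return problems: Extracts outside a Pdu's protocols, and unsatisfiable Gop/Gog attributes."""
    problems, transforms, pdus, gops = [], {}, {}, {}
    for kind, name, header, body in BLOCK_RE.findall(config):
        if kind == "Transform":
            transforms[name] = _clause("Insert", body)
        elif kind == "Pdu":
            protos = {p for t in re.findall(r"(?:Proto|Transport)\s+([\w/]+)", header) for p in t.split("/")}
            attrs = set()
            for attr, field in re.findall(r"Extract\s+(\w+)\s+From\s+([\w.\-]+)", body):
                attrs.add(attr)
                if field.split(".")[0] not in protos:  # e.g. tcp.port in a udp/ip Pdu
                    problems.append(f"Pdu {name}: {attr} reads {field}, outside {sorted(protos)}")
            for t in re.findall(r"Transform\s+(\w+)\s*;", body):  # Inserted attributes count too
                attrs |= transforms.get(t, set())
            pdus[name] = attrs
        elif kind == "Gop":
            on, keys = re.search(r"On\s+(\w+)", header).group(1), _clause("Match", header)
            used = keys | _clause("Start", body) | _clause("Stop", body) | _clause("Extra", body)
            problems += [f"Gop {name}: {a} is never extracted by Pdu {on}" for a in sorted(used - pdus.get(on, set()))]
            gops[name] = keys | _clause("Extra", body)  # what this Gop can hand up to a Gog
        else:  # Gog: every Extra attribute must be carried by at least one member Gop
            avail = set().union(*(gops.get(g, set()) for g in re.findall(r"Member\s+(\w+)", body)))
            problems += [f"Gog {name}: {a} is not carried by any member Gop" for a in sorted(_clause("Extra", body) - avail)]
    return problems

if __name__ == "__main__":
    print("\n".join(lint_mate(SAMPLE_CONFIG)) or "no problems found")
```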