Wireshark-users: Re: [Wireshark-users] MATE config syntax
From: "Luis EG Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Fri, 10 Aug 2007 17:00:18 +0200
The first format (C-Like) is the current one, the "second" format was the original (dropped) one.

In the odd story of the accidental development of MATE this format was written for loading and testing an ISUP/H323/SIP only module, it came to my view that the matching mechanism was versatile enough for a lot of protocols so I used the test-loader as a mechanism to load and configure the whole "thing". I never liked it as a "config language", so I wrote the C-Like grammar that is used now, I just never took the time to translate all the examples to the new grammar. My *Big* fault is that I never fully documented the new (C-like) one.

For the other thing, MATE and the Lua bindings bear no relation whatsoever (besides the common Author). MATE uses a series of rules to group Pdus while Lua is a full-blown programming language (somewhat exotic but it is nice and fast) with bindings to the Wireshark API.

On 8/10/07, Sake Blok <sake@xxxxxxxxxx> wrote:
> Hi,
>
> I started to use MATE to link packets to each other in Wireshark/Tshark
> and do some analysis on the set. I was able to get some things working
> already and I think it is a great plugin. I do have some questions
> though. When I look at the information on the Wiki I am a bit confused
> by the two syntax formats.
>
> The first format is like:
>
> Pdu dns_pdu Proto dns Transport ip {
>   Extract addr From ip.addr;
>   Extract dns_id From dns.id;
>   Extract dns_resp From dns.flags.response;
> };
>
> The second format is like:
>

Transform start_cond {
  Match (attr1=aaa, attr2=bbb) Insert (msg_type=start);
  Match (attr3=www; attr2=bbb) Insert (msg_type=start);
  Match (attr5^a ) Insert (msg_type=stop);
  Match (attr6$z ) Insert (msg_type=start);
};

Pdu pdu ... {
  ...;
  Transform start_cond
}

> Action=Transform; Name=start_cond; attr1=aaa; attr2=bbb; .msg_type=start;
> Action=Transform; Name=start_cond; attr3=www; attr2=bbb; .msg_type=start;
> Action=Transform; Name=start_cond; attr5^a; .msg_type=stop
> Action=Transform; Name=start_cond; attr6$z; .msg_type=stop;
>
> Action=PduDef; Name=pdu; ...
> Action=PduTransform; For=pdu; Name=start_cond;
>
> Action=GopDef; Name=gop; ...
> Action=GopStart; For=gop; msg_type=start;
> Action=GopStart; For=gop; msg_type=stop;
>
>
> At this time I find the first format much more clear, but most of
> the examples use the second format.
>
> Are the two totally interchangeable?
> If so, how should I translate one to the other? Any general rules on that?
> If not, which of the two is the "richest"? Is one just a replacement to
> the other?
>
>
> Another question is how MATE and LUA relate to each other, I know LUA is
> far more extensive in its possibilities, but is it also possible to easily
> write LUA scripts for the things MATE is good at? Ie, would learning to
> write LUA scripts make learning to write MATE scripts obsolete?
>
> Cheers,
>
>
> Sake
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>

--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan

Propertarianism joined to capitalist vigor destroyed meaningful
commercial competition, but when it came to making good software,
anarchism won.
-- Eben Moglen