Wireshark-users: [Wireshark-users] traffic correlation through mate plugin
From: "sylvain meilard" <sylvain.meilard@xxxxxxxxx>
Date: Thu, 5 Jun 2008 09:33:03 +0200
Hello !
I am trying to group some SIP,Diameter and DNS packets from a large (50 Mo) pcap file by using the mate plugin, but for now, it's not yet a success.
Here is my 3 definition of PDU :
------------------------------------------------------------------------------------------------
Pdu sip_pdu Proto sip Transport udp {
Extract sip_addr From sip.from.addr;
Extract sip_cseq From sip.CSeq;
Extract sip_callid From sip.Call-ID;
Extract sip_method From sip.Method ;
};
Pdu diameter_pdu Proto diameter Transport tcp {
Extract diameter_query_or_answer From diameter.flags.request;
Extract diameter_PublicID From diameter.Public-Identity;
Extract diameter_session_id From diameter.Session-Id;
};
// only match NAPTR reqeust/reply (type 0x0023)
Pdu dns_pdu Proto dns Transport udp {
Extract dns_query_name From dns.qry.name ;
Extract dns_query_or_answer From dns.flags.response;
Extract dns_query_type From dns.qry.type;
Criteria Accept Strict (dns_query_type=35);
};
// Here is how i group my pdu :
Gop echange_diameter On diameter_pdu Match ( diameter_session_id ) {
Start ( diameter_query_or_answer = 1 );
Stop ( diameter_query_or_answer = 0 );
Extra ( diameter_PublicID );
};
Gop echange_dns On dns_pdu Match ( dns_query_name ) {
Start ( dns_query_or_answer = 0 );
Stop ( dns_query_or_answer = 1 );
};
Gop echange_sip On sip_pdu Match ( sip_callid ) {
Start ( sip_method = "REGISTER" );
};
// An to end up, the group of group of pdu :
Gog traffic_from_a_sip_call {
Member echange_diameter ( diameter_PublicID );
Member echange_sip (sip_addr);
};
------------------------------------------------------------------------------------------------
I can't correlate diameter packet with sip packet like described in the traffic_from_a_sip_call Gop, since in sip packet, the sip.from.addr contains the originating port at the end.
For example, it lokk like in a sip packet :
sip.from.addr == "sip:+0123456789@xxxxxxxxxxxxxx:5060"
the diameter corresponding packets will have a field like that :
diameter.Public-Identity == "sip:+0123456789@xxxxxxxxxxxxxx"
So it won't match..... Is it possible (and how ?) to transform sip extracted filed to truncate the originating port part ?
I also want to correlate some DNS traffic with the sip and diameter traffic, on this dns field :
dns.qry.name == "9.8.7.6.5.4.3.2.1.0.phone-number.my-company.net"
Here, the phone number is reversed, and there is a dot between each number...
Any idea concerning this ? is it only possible with Mate ?
And the last, but not least question : i want to split my large pcap file into a lot of small pcap file containing only the correlated traffic. I can see that mate add some usefull informations in wireshark, or with the -V option of tshark, but can it do something like extract the packet from the pcap file, or just print the list of gog, anf the list of pdu for each gog ?
I have to say that i have read all pages on wiki.wireshark.org/Mate without finding answers to my question, so i'm afraid i have to give up or read the code and try to implement what i need...
Regards,
sylvain
I am trying to group some SIP,Diameter and DNS packets from a large (50 Mo) pcap file by using the mate plugin, but for now, it's not yet a success.
Here is my 3 definition of PDU :
------------------------------------------------------------------------------------------------
Pdu sip_pdu Proto sip Transport udp {
Extract sip_addr From sip.from.addr;
Extract sip_cseq From sip.CSeq;
Extract sip_callid From sip.Call-ID;
Extract sip_method From sip.Method ;
};
Pdu diameter_pdu Proto diameter Transport tcp {
Extract diameter_query_or_answer From diameter.flags.request;
Extract diameter_PublicID From diameter.Public-Identity;
Extract diameter_session_id From diameter.Session-Id;
};
// only match NAPTR reqeust/reply (type 0x0023)
Pdu dns_pdu Proto dns Transport udp {
Extract dns_query_name From dns.qry.name ;
Extract dns_query_or_answer From dns.flags.response;
Extract dns_query_type From dns.qry.type;
Criteria Accept Strict (dns_query_type=35);
};
// Here is how i group my pdu :
Gop echange_diameter On diameter_pdu Match ( diameter_session_id ) {
Start ( diameter_query_or_answer = 1 );
Stop ( diameter_query_or_answer = 0 );
Extra ( diameter_PublicID );
};
Gop echange_dns On dns_pdu Match ( dns_query_name ) {
Start ( dns_query_or_answer = 0 );
Stop ( dns_query_or_answer = 1 );
};
Gop echange_sip On sip_pdu Match ( sip_callid ) {
Start ( sip_method = "REGISTER" );
};
// An to end up, the group of group of pdu :
Gog traffic_from_a_sip_call {
Member echange_diameter ( diameter_PublicID );
Member echange_sip (sip_addr);
};
------------------------------------------------------------------------------------------------
I can't correlate diameter packet with sip packet like described in the traffic_from_a_sip_call Gop, since in sip packet, the sip.from.addr contains the originating port at the end.
For example, it lokk like in a sip packet :
sip.from.addr == "sip:+0123456789@xxxxxxxxxxxxxx:5060"
the diameter corresponding packets will have a field like that :
diameter.Public-Identity == "sip:+0123456789@xxxxxxxxxxxxxx"
So it won't match..... Is it possible (and how ?) to transform sip extracted filed to truncate the originating port part ?
I also want to correlate some DNS traffic with the sip and diameter traffic, on this dns field :
dns.qry.name == "9.8.7.6.5.4.3.2.1.0.phone-number.my-company.net"
Here, the phone number is reversed, and there is a dot between each number...
Any idea concerning this ? is it only possible with Mate ?
And the last, but not least question : i want to split my large pcap file into a lot of small pcap file containing only the correlated traffic. I can see that mate add some usefull informations in wireshark, or with the -V option of tshark, but can it do something like extract the packet from the pcap file, or just print the list of gog, anf the list of pdu for each gog ?
I have to say that i have read all pages on wiki.wireshark.org/Mate without finding answers to my question, so i'm afraid i have to give up or read the code and try to implement what i need...
Regards,
sylvain
- Prev by Date: Re: [Wireshark-users] How can get more than 1024 files with tshark ringbuffer?
- Next by Date: Re: [Wireshark-users] Tshark command on vista
- Previous by thread: Re: [Wireshark-users] Problem Decoding TCP Port 8080 as HTTP
- Next by thread: [Wireshark-users] 回复:Wireshark-users Digest, Vol 25, Issue 4
- Index(es):