Re: [Wireshark-dev] filters diameter
On Tue, Jul 10, 2007 at 08:42:15PM +0200, Luis EG Ontanon wrote: A year or more ago I abandoned a way towards (3) (similar to what I did for radius dictionary) a while ago, due to a personal lack of diameter use after switching jobs and a stall about how to handle recursion in attribute_groups. I will be able to get back into it in September (I'll be off-contract and unable to move from Rome). Please remind me then or as an alternative I could send the work-in-progress for someone else to deal with it. cristian: o.k. since I have started all this, I guess I could try having a look. so, luis if you can send me please the patches or whatever you have already impl. bye now! cristian ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] filters diameter
On 7/10/07, Luis EG Ontanon [EMAIL PROTECTED] wrote: A year or more ago I abandoned a way towards (3) (similar to what I did for radius dictionary) a while ago, due to a personal lack of diameter use after switching jobs and a stall about how to handle recursion in attribute_groups. I will be able to get back into it in September (I'll be off-contract and unable to move from Rome). Please remind me then or as an alternative I could send the work-in-progress for someone else to deal with it. I think this would make the Diameter dissector much more useful to users who are trying to understand diameter message flows. My personal use of the dissector is mainly to help verify that our implementation of the various interfaces we support encodes and decodes properly (hence my modifications to find and diagnose undecoded or malformed AVPs)... BTW In an early MATE prototype (befor having it defining fields for every user defined element) I used string fields like mate.pdu_avp == avp_name=string_repr_of_value, those allow to actually filter. I thought about this quick and dirty solution for radius before writing its dictionary support. I wondered if MATE or the LUA support could make this kind of filtering possible, but dynamically creating filters is obviously the right way to do it. ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] filters diameter
On Tue, Jul 10, 2007 at 06:49:37PM +0100, Martin Mathieson wrote: OK, I just implemented (2) with change 22284. You should be able to right-click on a whole AVP that matches the code you're interested in, choose 'Prepare as Filter | Selected', edit the last 4 bytes and apply it. cristian: o.k. thanks a lot for letting me know. I did not know that my misinterpretation of the semantics of wireshark diameter filtering capabilities will trigger some new feature implementation... :-) bye now! cristian ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] filters diameter
On 7/11/07, Martin Mathieson [EMAIL PROTECTED] wrote: On 7/10/07, Luis EG Ontanon [EMAIL PROTECTED] wrote: I wondered if MATE or the LUA support could make this kind of filtering possible, but dynamically creating filters is obviously the right way to do it. In MATE there's no way (mate fields are unmodifiable strings containing the text representation of another field). But Lua could do (since you added diameter.avp): a postdissector fetches the diameter.avp finfos gets the tvb of them and redissects each field. A dictionary parser in lua should be easy to write (there's ton's of xml parsers written for every purpose arrount to start from)... But I fully agree that dynamically creating filters is obviously the right way to do it... and C does it better. The issue that blocked me was on how to handle Group AVPs, I cannot just ignore them (e.g. an hypotetical group {addr,prt} could lead to server.addr and server.prt vs client.addr and client.prt and they should be different), Group AVPs lead to recursion (if the recurring subgroup is non Mandatory it might be possible to have them but http://tools.ietf.org/html/rfc3588#section-4.4 says nothing about it) -- This information is top security. When you have read it, destroy yourself. -- Marshall McLuhan ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] filters diameter
Am I right in believing that the Diameter dissector currently ignores the gavp entries within a grouped avp? It may be just as useful (and much less effort?) to only filter based on the innermost AVP without embedding them. e.g. just support e.g. - diameter.avp.server - diameter.avp.client - diameter.avp.addr (may be inside a client or server) - diameter.avp.port (may be inside a client or server) rather than - diameter.avp.server - diameter.avp.client - diameter.avp.server.addr - diameter.avp.server.port - diameter.avp.client.addr - diameter.avp.client.port If we only supported the second form, there will be times when you want to filter based on just the value of addr (i.e. the first form). It would be confusing to have both in the tree. But like I said, I've never really had to follow a diameter message flow, so I could be wrong about which form of filters would be the most useful. On 7/11/07, Luis EG Ontanon [EMAIL PROTECTED] wrote: On 7/11/07, Martin Mathieson [EMAIL PROTECTED] wrote: On 7/10/07, Luis EG Ontanon [EMAIL PROTECTED] wrote: I wondered if MATE or the LUA support could make this kind of filtering possible, but dynamically creating filters is obviously the right way to do it. In MATE there's no way (mate fields are unmodifiable strings containing the text representation of another field). But Lua could do (since you added diameter.avp): a postdissector fetches the diameter.avp finfos gets the tvb of them and redissects each field. A dictionary parser in lua should be easy to write (there's ton's of xml parsers written for every purpose arrount to start from)... But I fully agree that dynamically creating filters is obviously the right way to do it... and C does it better. The issue that blocked me was on how to handle Group AVPs, I cannot just ignore them (e.g. an hypotetical group {addr,prt} could lead to server.addr and server.prt vs client.addr and client.prt and they should be different), Group AVPs lead to recursion (if the recurring subgroup is non Mandatory it might be possible to have them but http://tools.ietf.org/html/rfc3588#section-4.4 says nothing about it) -- This information is top security. When you have read it, destroy yourself. -- Marshall McLuhan ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] filters diameter
That expression will match any frame that has at least one avp with code value 829 and at least one avp whose data is uint32 whose value is 1. I suspect that what you want is to match the *same* AVP with both parts of the expression, which I don't think is possible with a simple display filter. Martin On 7/10/07, cco [EMAIL PROTECTED] wrote: hi! has anyone tested a filter like this: (diameter.avp.code == 829) (diameter.avp.data.uint32 == 1) is it suppossed to work? is it actually working in your config/ver? in my version, it does not in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1. I am using Version 0.99.4 / linux thanks! bye now! cristian ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] filters diameter
Hi Christian, As you are probably aware, version 0.99.6 came out a few days back which I am sure has several fixes, including those for the diameter dissector. Have you tried using the latest version? Hope this helps, Abhik. On 7/10/07, cco [EMAIL PROTECTED] wrote: hi! has anyone tested a filter like this: (diameter.avp.code == 829) (diameter.avp.data.uint32 == 1) is it suppossed to work? is it actually working in your config/ver? in my version, it does not in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1. I am using Version 0.99.4 / linux thanks! bye now! cristian ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] filters diameter
There are several ways this could be tackled: (1) A script. Export capture to PDML, parse output and match/check them yourself (2) We could add a new filterable field, diameter.avp, whose type was hex data. You could right-click to create a filter for that AVP, then edit the last word to check for the value you want (you could sort of do this now, but it would only filter at a fixed position within the message) (3) The diameter dissector could be changed to generate filterable fields for each AVP. Then you could filter on e.g. diameter.avp.Role-of-Node.value == 1 I could do (2), but I'm not volunteering for (3). Martin On 7/10/07, Abhik Sarkar [EMAIL PROTECTED] wrote: Hi Christian, As you are probably aware, version 0.99.6 came out a few days back which I am sure has several fixes, including those for the diameter dissector. Have you tried using the latest version? Hope this helps, Abhik. On 7/10/07, cco [EMAIL PROTECTED] wrote: hi! has anyone tested a filter like this: (diameter.avp.code == 829) (diameter.avp.data.uint32 == 1) is it suppossed to work? is it actually working in your config/ver? in my version, it does not in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1. I am using Version 0.99.4 / linux thanks! bye now! cristian ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] filters diameter
OK, I just implemented (2) with change 22284. You should be able to right-click on a whole AVP that matches the code you're interested in, choose 'Prepare as Filter | Selected', edit the last 4 bytes and apply it. Martin On 7/10/07, Martin Mathieson [EMAIL PROTECTED] wrote: There are several ways this could be tackled: (1) A script. Export capture to PDML, parse output and match/check them yourself (2) We could add a new filterable field, diameter.avp, whose type was hex data. You could right-click to create a filter for that AVP, then edit the last word to check for the value you want (you could sort of do this now, but it would only filter at a fixed position within the message) (3) The diameter dissector could be changed to generate filterable fields for each AVP. Then you could filter on e.g. diameter.avp.Role-of-Node.value == 1 I could do (2), but I'm not volunteering for (3). Martin On 7/10/07, Abhik Sarkar [EMAIL PROTECTED] wrote: Hi Christian, As you are probably aware, version 0.99.6 came out a few days back which I am sure has several fixes, including those for the diameter dissector. Have you tried using the latest version? Hope this helps, Abhik. On 7/10/07, cco [EMAIL PROTECTED] wrote: hi! has anyone tested a filter like this: (diameter.avp.code == 829) (diameter.avp.data.uint32 == 1) is it suppossed to work? is it actually working in your config/ver? in my version, it does not in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1. I am using Version 0.99.4 / linux thanks! bye now! cristian ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] filters diameter
A year or more ago I abandoned a way towards (3) (similar to what I did for radius dictionary) a while ago, due to a personal lack of diameter use after switching jobs and a stall about how to handle recursion in attribute_groups. I will be able to get back into it in September (I'll be off-contract and unable to move from Rome). Please remind me then or as an alternative I could send the work-in-progress for someone else to deal with it. BTW In an early MATE prototype (befor having it defining fields for every user defined element) I used string fields like mate.pdu_avp == avp_name=string_repr_of_value, those allow to actually filter. I thought about this quick and dirty solution for radius before writing its dictionary support. On 7/10/07, Martin Mathieson [EMAIL PROTECTED] wrote: OK, I just implemented (2) with change 22284. You should be able to right-click on a whole AVP that matches the code you're interested in, choose 'Prepare as Filter | Selected', edit the last 4 bytes and apply it. Martin On 7/10/07, Martin Mathieson [EMAIL PROTECTED] wrote: There are several ways this could be tackled: (1) A script. Export capture to PDML, parse output and match/check them yourself (2) We could add a new filterable field, diameter.avp, whose type was hex data. You could right-click to create a filter for that AVP, then edit the last word to check for the value you want (you could sort of do this now, but it would only filter at a fixed position within the message) (3) The diameter dissector could be changed to generate filterable fields for each AVP. Then you could filter on e.g. diameter.avp.Role-of-Node.value == 1 I could do (2), but I'm not volunteering for (3). Martin On 7/10/07, Abhik Sarkar [EMAIL PROTECTED] wrote: Hi Christian, As you are probably aware, version 0.99.6 came out a few days back which I am sure has several fixes, including those for the diameter dissector. Have you tried using the latest version? Hope this helps, Abhik. On 7/10/07, cco [EMAIL PROTECTED] wrote: hi! has anyone tested a filter like this: (diameter.avp.code == 829) (diameter.avp.data.uint32 == 1) is it suppossed to work? is it actually working in your config/ver? in my version, it does not in the sense that it will always show all the diameter commands having an avp with the code 829 but _not_ the ones in which this avp has the value 1. I am using Version 0.99.4 / linux thanks! bye now! cristian ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev -- This information is top security. When you have read it, destroy yourself. -- Marshall McLuhan ___ Wireshark-dev mailing list Wireshark-dev@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-dev