Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: MATE not extracting fields as requested

From: Jaap Keuter <jaap.keuter () xs4all nl>
Date: Fri, 23 Oct 2020 13:12:51 +0200
Hi,

Quick test shows that this is indeed the interaction between setting lengths after prototree item creation and post 
dissectors. In fact _all_ proto item modification functions need to be reviewed in this light.

Thanks,
Jaap



On 23 Oct 2020, at 12:33, Jaap Keuter <jaap.keuter () xs4all nl> wrote:

Hi,

Okay this is indeed weird. The MATE engine picks up the protocol but determines that the protocol fields are in a 
zero length part of the packet. It sees the fields, but these all fall outside of the zero length part of the packet 
(obviously). There is something specific about how the MGCP part of the packet dissection is set and that is that the 
protocol is added zero length to the protocol tree, and afterwards adjusted once its true length is found out. I 
can’t see why that makes a difference to MATE (being a post dissector, so running once all protocol dissection is 
done, so the MGCP protocol length is properly set), but we’ll have to see if this is somehow..

(Note to self: having the field length set _after_ adding field to tree, using proto_item_set_len() is subject to 
TRY_TO_FAKE_THIS_REPR_VOID. If that blocks length setting (because at first run tree=NULL) then all post dissectors, 
using this length are screwed).

Thanks,
Jaap


On 17 Oct 2020, at 17:22, Harald Welte <laforge () gnumonks org> wrote:

Dear wireshark developers,

the other problem I have with MATE is that for some protocols/dissectors
I don't seem to be able to extract wireshark fields into MATE attributes.

Like in the last e-mail, I'm again working with the following MATE config
https://git.osmocom.org/wireshark-mate/tree/osmocom.mate

This time, I'm looking at MGCP traces.  The MATE config states:

---
Pdu mgcp_pdu Proto mgcp Transport udp/ip {
Extract ip_addr From ip.addr;
Extract port From udp.port;

Extract mgcp_rsp_code From mgcp.rsp.rspcode;
Extract mgcp_verb From mgcp.req.verb;
Extract mgcp_endpoint From mgcp.req.endpoint;
Extract mgcp_conn_id From mgcp.param.connectionid;
Extract mgcp_spec_endp_id From mgcp.param.specificendpointid;
};
---

For some strnge reason, none of the mgcp.* fields are ever passed into MATE
attributes.

Attached is again a pcap file for your reference.  In none of those
packets, MATE extracts the named fields as attributes.  I've checked the
field names several times, and they are correct.  Why are they not added
to 'mgcp_pdu Attributes'?

Like the previous topic, I'm not reporting this as a bug as of yet, as
I'm not sure it is a bug or I'm stimply not able to use MATE as
expected.

Thanks in advance.

Regards,
     Harald

-- 
- Harald Welte <laforge () gnumonks org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                (ETSI EN 300 175-7 Ch. A6)

Attachment: mgcp.pcap
Description: 


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
           mailto:wireshark-dev-request () wireshark org?subject=unsubscribe





___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: