first MATE script for playing with wireshark MATE analysis
This commit is contained in:
commit
989861a078
|
|
@ -0,0 +1,83 @@
|
|||
/***********************************************************************
|
||||
* MGCP
|
||||
***********************************************************************/
|
||||
|
||||
/* MGCP is rather complex to match. Why?
|
||||
- the verb is only present in the request, bu not the response. So by looking
|
||||
at the resposne you don't know whether it's a CRCX response or a MDCX one.
|
||||
- a request can specify wildcard endpoint, with the chosen endpoint only showing
|
||||
up in the response
|
||||
- one would actually want to treat all messages for one Connection as Gop
|
||||
- probably treat all Connections on same EP as Gog?
|
||||
*/
|
||||
|
||||
Pdu mgcp_pdu Proto mgcp Transport udp/ip {
|
||||
Extract ip_addr From ip.addr;
|
||||
Extract port From udp.port;
|
||||
|
||||
/* For some unknown reason the below fields are not actually extracted
|
||||
* by wireshark - why is that ?!? */
|
||||
Extract mgcp_rsp_code From mgcp.rsp.rspcode;
|
||||
Extract mgcp_verb From mgcp.req.verb;
|
||||
Extract mgcp_endpoint From mgcp.req.endpoint;
|
||||
Extract mgcp_conn_id From mgcp.param.connectionid;
|
||||
Extract mgcp_spec_endp_id From mgcp.param.specificendpointid;
|
||||
};
|
||||
|
||||
Gop mgcp_conn On mgcp_pdu Match (ip_addr, ip_addr, port, port, mgcp_conn_id) {
|
||||
Start (mgcp_rsp_code = 200, mgcp_spec_endp_id);
|
||||
Stop (mgcp_verb = "DLCX");
|
||||
};
|
||||
|
||||
|
||||
/***********************************************************************
|
||||
* A-bis RSL
|
||||
***********************************************************************/
|
||||
|
||||
/* For RSL, we want to mark all messages related to one logical channel,
|
||||
from RSL CHAN ACT all the way to RF CHAN REL */
|
||||
|
||||
Pdu rsl_pdu Proto gsm_abis_rsl Transport gsm_ipa/tcp/ip {
|
||||
Extract ip_addr From ip.addr;
|
||||
Extract port From tcp.port;
|
||||
Extract rsl_cbits From gsm_abis_rsl.ch_no_Cbits;
|
||||
Extract rsl_tn From gsm_abis_rsl.ch_no_TN;
|
||||
Extract rsl_msg_dsc From gsm_abis_rsl.msg_dsc;
|
||||
Extract rsl_msg_type From gsm_abis_rsl.msg_type;
|
||||
Criteria Accept Strict (rsl_msg_dsc {4|1|63}); // DCHAN || RLL || IPA
|
||||
};
|
||||
|
||||
Gop rsl_lchan On rsl_pdu Match (ip_addr, ip_addr, port, port, rsl_cbits, rsl_tn) {
|
||||
Start (rsl_msg_type = 33); // CHAN_ACT
|
||||
Stop (rsl_msg_type {36|51}); // CHAN_ACT_NACK || RF_CHAN_REL_ACK
|
||||
};
|
||||
|
||||
|
||||
|
||||
/***********************************************************************
|
||||
* SCCP
|
||||
***********************************************************************/
|
||||
|
||||
/* We don't really have to track SCCP connections; the SCCP dissector does that (assoc.id),
|
||||
but that is somehow broken (20200314)? */
|
||||
Pdu sccp_pdu Proto sccp Transport m3ua/ip {
|
||||
Extract pc From m3ua.protocol_data_opc;
|
||||
Extract pc From m3ua.protocol_data_dpc;
|
||||
//Extract sccp_assoc_id From sccp.assoc.id;
|
||||
Extract sccp_lr From sccp.lr;
|
||||
Extract sccp_msg_type From sccp.message_type;
|
||||
};
|
||||
|
||||
//Gop sccp_conn On sccp_pdu Match (pc, pc, sccp_assoc_id) {
|
||||
Gop sccp_conn On sccp_pdu Match (pc, pc, sccp_lr) {
|
||||
Start (sccp_msg_type = "0x00000001"); // CR
|
||||
Stop (sccp_msg_type {"0x00000005"}); // RLC
|
||||
};
|
||||
|
||||
|
||||
/***********************************************************************
|
||||
* BSSAP
|
||||
***********************************************************************/
|
||||
|
||||
|
||||
Done;
|
||||
Loading…
Reference in New Issue