You should try applying the transformation to the Pdu and copying (using Extra) the "answered" attribute from the Pdu to the Gop, and finally to the Gog.
On 6/20/07, Bernhard Bock <[EMAIL PROTECTED]> wrote:
> All,
>
> I have a question regarding Wireshark's MATE (Meta Analysis and Tracing
> Engine).
>
> First of all, let me try to describe what I want to accomplish:
>
> I have an LDAP query interface, where lots of similar queries are
> performed. Some queries result in exactly one result, some yield no
> result at all. Also, this may change over time as the LDAP directory
> content is highly dynamic. All queries are done inside a few LDAP/TCP
> sessions.
>
> I try to filter in Wireshark for specific LDAP filters and group them
> together in order to find all traffic related to one LDAP entry. Also, I
> want to filter for which LDAP filters yield no result at all, which are
> always answered positively, and which change over time.
>
> Now, let me describe what works for me and what doesn't:
>
> In order to accomplish my task, I group all packets belonging to one
> LDAP query (same ldap.messageID) into one Group of Packets (GOP), and all
> queries with the same filter (ldap.assertionValue) into one Group of
> Groups (GOG). This works fine so far.
>
> Then, I try to transform all GOPs containing an LDAP searchResEntry
> (ldap.protocolOp=4, which means a result entry was found). The
> transformation shall insert an AVP in the GOP for further processing
> (answered=1). This does not work as desired.
> Wireshark always inserts answered=1 into all GOPs, or into none. I tried
> with all matching rules (strict, loose, every), but cannot make this work.
>
> Can anybody give me a hint please?
>
> Please keep me on CC, as I am not subscribed to the list.
>
> best regards
> Bernhard
>
> ================================snip====================================
> Transform ans {
>     Match Strict (ldap.protocolOp=4) Insert (answered=1);
> };
>
> Pdu ldap_pdu Proto ldap Transport tcp/ip {
>     Extract addr From ip.addr;
>     Extract port From tcp.port;
>     Extract ldap_op From ldap.protocolOp;
>     Extract ldap_msgid From ldap.messageID;
>     Extract ldap_search From ldap.assertionValue;
>     Transform ans;
> };
>
> Gop ldap_ses On ldap_pdu Match (ldap_msgid, addr, addr, port, port) {
>     Start (ldap_op=3);
>     Stop (ldap_op=5);
>     Extra (ldap_search, ans);
> };
>
> Gog user_all {
>     Member ldap_ses (ldap_search);
>     Extra (ans);
> };
>
> Done;
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@wireshark.org
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>

--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
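The following MATE configuration is an added example of the approach the reply suggests; it is not code from either poster. It keeps Bernhard's Pdu, Gop and Gog names and field extractions and changes two things. First, the Transform matches on ldap_op rather than ldap.protocolOp: a Transform is applied to the Pdu's AVPL, which holds the AVP names created by Extract, not the raw dissector field names. Second, the Extra clauses name the AVP that the transform inserts (answered), not the transform itself (ans), so the AVP is copied from Pdu to Gop and from Gop to Gog only where it actually exists. The comment syntax and the Extra/Transform semantics follow my reading of the MATE manual.

```text
// Added example config (not the original poster's). Assumes the Extract
// names below; the only new AVP is "answered".
Transform ans {
    // Runs on each ldap_pdu's AVPL, so match the extracted name ldap_op
    // (assumption: Extract renames ldap.protocolOp to ldap_op for MATE).
    // Only searchResEntry PDUs (protocolOp 4) get answered=1; all others
    // are left untouched, so the AVP is absent rather than answered=0.
    Match Strict (ldap_op=4) Insert (answered=1);
};

Pdu ldap_pdu Proto ldap Transport tcp/ip {
    Extract addr From ip.addr;
    Extract port From tcp.port;
    Extract ldap_op From ldap.protocolOp;
    Extract ldap_msgid From ldap.messageID;
    Extract ldap_search From ldap.assertionValue;
    Transform ans;
};

Gop ldap_ses On ldap_pdu Match (ldap_msgid, addr, addr, port, port) {
    Start (ldap_op=3);   // searchRequest
    Stop (ldap_op=5);    // searchResDone
    // Copy the filter and, where present, the inserted "answered" AVP
    // from member PDUs into the Gop. Gops whose PDUs never carried
    // answered=1 simply will not have the AVP.
    Extra (ldap_search, answered);
};

Gog user_all {
    // One Gog per distinct LDAP filter value.
    Member ldap_ses (ldap_search);
    // Carry "answered" up from any member Gop that has it.
    Extra (answered);
};

Done;
```

To check the result after loading the file under the MATE protocol preferences, MATE exposes Gop and Gog AVPs as display-filter fields named after them (my understanding of the manual): mate.ldap_ses.answered == 1 shows the queries that returned an entry, and mate.ldap_ses && !mate.ldap_ses.answered shows those that returned nothing. Comparing the two sets per mate.user_all.ldap_search value is how to see which filters change over time; at the Gog level alone, a single answered=1 from any member is enough to set the AVP, so the per-Gop view is the one that distinguishes "always answered" from "sometimes answered".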