Ethereal-users: Re: [Ethereal-users] Filter rule deping on privious packet?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 3 Mar 2006 15:05:09 +0100
MATE is a twisted (yet powerful) machine; unfortunately its
mechanics aren't simple.

MATE's purpose is to mate frames using the information they share.
MATE's manual even if not up-to-date is a must if you want to
understand it.

The example you can develop from is the radius one:

Pdu radius_pdu On radius Transport udp/ip {
    Extract addr From ip.addr;
    Extract port From udp.port;
    Extract id From radius.id;
    Extract code From radius.code;
    Extract user From radius.UserName;
}

Gop radius_req On radius_pdu (id, addr, addr, port, port) {
    Start (code {1|4|7} );
    Stop (code {2|3|5|8|9} );
    Extra (user);
}

Using this example config the Pdu will add some more fields to the
frame (mate.radius_pdu.addr, mate.radius_pdu.port, mate.radius_pdu.id,
mate.radius_pdu.code) that are just string versions of the original
ones.

The interesting part is the Gop (Group of Pdus): this will mate pdus
whose id, addr, addr, port, port (the key) match. A Pdu with code
being either 1, 4 or 7 will start a new group and a code of 2...9 will
stop the group and make the key available for new groups to be
created.

That means that if I want to filter all packets of the transaction
where the user was "pippo" I will be able to use:

mate.radius_req.user == "pippo"

because all the frames that belong to the Gop will have a tree with
all the Gop's Key and Extra fields.

While very useful in some occasions I found Mate to be cumbersome,
unversatile and hard to describe, still applicable to many scenarios.

Beware that mate uses a *lot* of memory, so if you have to
extrapolate from huge files you'll need a system with a very huge
amount of RAM.

Luis

On 3/3/06, Guenther Lackner <guenther.lackner@xxxxxxxxxxxxxx> wrote:
> Hi!
>
> Thanx for that tip!
> But has anybody a flink of an idea how MATE works? ;-)
>
> regards
> lacky
>
> Sake Blok wrote:
> > On Fri, Mar 03, 2006 at 10:42:32AM +0000, David Meagher wrote:
> >
> >>as far as i understand - MATE - can be used to do this - just don't ask me
> >>how!
> >>http://wiki.ethereal.com/Mate/
> >>
> >>On 03/03/06, Guenther Lackner <guenther.lackner@xxxxxxxxxxxxxx> wrote:
> >>
> >>>thanks for your fast reply!
> >>>
> >>>Do you know if there is another Software that could do this job for me?
> >
> >
> > There is also work being done to include lua in ethereal. This will
> > make scripting possible and would provide for your needs I think, but
> > no mileage for me in that area either...
> >
> > Personally I do some scripting around the output of tethereal for
> > these puzzles. And I recently discovered the PDML output format,
> > which makes reading the output from a script rather easy. This
> > basically gives you full control over following streams and the
> > relation with other streams. But of course, this means needing
> > the skills to do some scripting.
> >
> >
> > Cheers,   Sake
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
>
> --
> -------------------------------------------------------------
> Günther Lackner
> <Guenther.Lackner@xxxxxxxxxxxxxx>
> Institute for Applied Information Processing and Communications,
> Graz University of Technology,
> Inffeldg. 16a, 8010 Graz, Austria
> tel: +43 316 873-5501
> fax: +43 316 873-5520
> http://www.iaik.at/
>
>


--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
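A small model of the Start/Stop/Extra grouping that Luis describes for the radius_req Gop, added here as an illustration (Python, not MATE or Ethereal code): the RADIUS frames are constructed, and `key`, `mate` and `frames_matching` are names assumed for this example. It shows why a reply with src/dst swapped lands in the same Gop as its request, why a stray reply gets no Gop tree, and how a stopped key is reused by a later Start.

```python
from collections import namedtuple

START_CODES = {1, 4, 7}       # Start (code {1|4|7}) in the Gop above
STOP_CODES = {2, 3, 5, 8, 9}  # Stop (code {2|3|5|8|9})

# One radius_pdu: extracted AVPs (addr, port, id, code, user) plus the frame number.
Pdu = namedtuple("Pdu", "frame src dst sport dport rid code user", defaults=(None,))

def key(p):
    # Key (id, addr, addr, port, port): addr and port are unordered, so a reply
    # with src/dst swapped matches the same Gop as its request.
    return (p.rid, frozenset((p.src, p.dst)), frozenset((p.sport, p.dport)))

def mate(pdus):
    """Group PDUs like the radius_req Gop; returns the Gops in creation order."""
    open_gops, gops = {}, []
    for p in pdus:
        k = key(p)
        gop = open_gops.get(k)
        if gop is None:
            if p.code not in START_CODES:
                continue            # no open Gop for this key and not a Start: no Gop tree
            gop = {"frames": [], "extra": {}, "stopped": False}
            gops.append(gop)
            open_gops[k] = gop
        gop["frames"].append(p.frame)
        if p.user is not None:
            gop["extra"].setdefault("user", p.user)   # Extra (user)
        if p.code in STOP_CODES:
            gop["stopped"] = True
            del open_gops[k]        # key released: a later Start opens a new Gop
    return gops

def frames_matching(gops, user):
    """Frames selected by the display filter  mate.radius_req.user == "<user>"."""
    return sorted(f for g in gops if g["extra"].get("user") == user for f in g["frames"])

# Constructed trace (not a real capture): two clients reuse radius.id 5.
TRACE = [
    Pdu(1, "10.0.0.2", "10.0.0.1", 40000, 1812, 5, 1, "pippo"),  # Access-Request
    Pdu(2, "10.0.0.3", "10.0.0.1", 40001, 1812, 5, 1, "pluto"),  # other client, same id
    Pdu(3, "10.0.0.1", "10.0.0.2", 1812, 40000, 5, 11),          # Access-Challenge, joins Gop 1
    Pdu(4, "10.0.0.1", "10.0.0.3", 1812, 40001, 5, 3),           # Access-Reject, stops Gop 2
    Pdu(5, "10.0.0.1", "10.0.0.2", 1812, 40000, 5, 2),           # Access-Accept, stops Gop 1
    Pdu(6, "10.0.0.1", "10.0.0.2", 1812, 40000, 5, 2),           # stray reply: no open Gop
    Pdu(7, "10.0.0.2", "10.0.0.1", 40000, 1812, 5, 1, "pippo"),  # key reused: new Gop
]
```

Running `frames_matching(mate(TRACE), "pippo")` gives the frames the filter `mate.radius_req.user == "pippo"` would select; frame 6 is absent because no Gop was open for its key when it arrived.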