Wireshark-dev: Re: [Wireshark-dev] MATE question

From: "Luis EG Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Fri, 16 Nov 2007 15:32:25 +0100
MATE registers a do-nothing tap just to have the configured fields to
be extracted marked as interesting; other than that, there's no
reason for the tap to exist. mate_tree() is not invoked by the tap but
is called by dissect_frame() after all other dissectors have
run.


What's happening in your case has nothing to do with tapping; the
problem here is that the column is being frozen by HTTP calling
col_set_writable(pinfo->cinfo, FALSE). And since MATE (which operates
as a dissector) runs after every other dissector has been called, it
is not able to write to that column.

Luis

On Nov 15, 2007 8:14 PM, Todd Carrozzi <carrozzi@xxxxxxxxx> wrote:
>     I am a bit stymied as to how the MATE plugin works, and thus why I
> can almost but not quite make it do what I want. What I am trying to
> do (at a minimum) is add the ability to sort by TCP session in the
> packet list view.  While trying to figure out how to do that, I was
> fiddling with MATE, and it occurred to me that adding a column to
> display the MATE GOP number could work, and then be reconfigurable by
> MATE scripts.  So I managed to add such a column, and by adding the
> following code (currently in mate_tree in packet-mate.c, but I had it
> working about as well someplace else as well):
>                 if (pdus && pdus->gop && check_col(pinfo->cinfo, COL_MATE_GOP)) {
>                     col_add_fstr(pinfo->cinfo, COL_MATE_GOP, "%8d:%s",
>                                  pdus->gop->id, pdus->gop->cfg->name);
>                 }
> I can configure MATE with the example tcp.mate script, and load a file
> with a bunch of web traffic, and all the TCP packets have the column
> filled in, and ARP, ICMP, etc. do not, exactly as expected.  However,
> the packets classified as HTTP, while having the correct MATE
> information listed in the protocol tree, have a blank value for my new
> column, and thus don't sort in with the rest of the session they
> belong to.  If I turn off HTTP dissection, it all works.  I know the
> Info column is cleared and filled in by later dissectors, but clearly
> nothing knows about my new column but me, so it isn't being manually
> cleared.
>    I then dug into where the handoff occurs, and then noticed that
> MATE registers itself as a frame tap, although the packet callback is
> an empty routine.  So now I am confused as to a) how MATE actually
> gets handed packets, and b) why my column ever works if I am calling
> it from a tap.  Anyway, if anyone has any suggestions, and/or an
> explanation as to how packets flow through MATE, I'd greatly
> appreciate it.
>
>                                                   Thanks,
>
>                                                     Todd Carrozzi



-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
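
The ordering described in the reply can be reproduced with a small stand-alone model. This is an added example, not code from Wireshark or from either poster: the struct and the functions sharing Wireshark's names are simplified stand-ins, the single per-packet writable flag is an assumption of the model, and the GOP id and name are constructed sample values.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for Wireshark's column_info and column helpers.
 * Assumption of this model: one writable flag covers every column. */
enum { COL_INFO, COL_MATE_GOP, NUM_COLS };
typedef struct {
    int  writable;
    char text[NUM_COLS][64];
} column_info;

static void col_set_writable(column_info *ci, int w) { ci->writable = w; }
static int check_col(const column_info *ci, int col) {
    return ci != NULL && ci->writable && col >= 0 && col < NUM_COLS;
}
static void col_add_fstr(column_info *ci, int col, const char *fmt, ...) {
    va_list ap;
    if (!check_col(ci, col)) return;      /* frozen: write silently dropped */
    va_start(ap, fmt);
    vsnprintf(ci->text[col], sizeof ci->text[col], fmt, ap);
    va_end(ap);
}

/* Model of the HTTP dissector: fills Info, then freezes the columns. */
static void dissect_http(column_info *ci) {
    col_add_fstr(ci, COL_INFO, "GET / HTTP/1.1");
    col_set_writable(ci, 0);
}

/* Model of mate_tree() carrying the column write from the question. */
static void mate_tree(column_info *ci, int gop_id, const char *gop_name) {
    if (check_col(ci, COL_MATE_GOP))
        col_add_fstr(ci, COL_MATE_GOP, "%8d:%s", gop_id, gop_name);
}

/* Model of dissect_frame(): protocol dissectors first, MATE last.
 * Returns the text that ends up in the MATE GOP column. */
const char *run_frame(column_info *ci, int is_http) {
    memset(ci, 0, sizeof *ci);
    ci->writable = 1;
    col_add_fstr(ci, COL_INFO, "TCP segment");
    if (is_http) dissect_http(ci);
    mate_tree(ci, 1, "tcp_ses");          /* constructed GOP id and name */
    return ci->text[COL_MATE_GOP];
}

int main(void) {
    column_info ci;
    printf("TCP : [%s]\n", run_frame(&ci, 0));
    printf("HTTP: [%s]\n", run_frame(&ci, 1));
    return 0;
}
```

In the model the plain TCP frame gets its GOP column filled, while the HTTP frame's column stays empty because the freeze happens before MATE runs, matching the behaviour reported in the question.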