Wireshark-dev: [Wireshark-dev] MATE Stop for multi-occurrence field

From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Fri, 1 Apr 2022 12:00:11 -0500
MATE seems like it would be a good solution for:

And it works great for frames that only contain one tls_handshake.

For frames with multiple occurrences of a field, should it be able to set a Stop condition if one of the values matches?

thanks
chuck

---------------------------------------------------------------------------
MATE tls_pdu:1877->tls_ses:3
    tls_pdu: 1877
        tls_pdu time: 2.83325e+08
        tls_pdu time since beginning of Gop: 0
        tls_pdu Attributes
            stream: 93
            tls_handshake: 11
            tls_handshake: 12
            tls_handshake: 14
            tls_handshake: 2
    tls_ses: 3
---------------------------------------------------------------------------
Pdu tls_pdu Proto tcp Transport ip {
    Extract addr From ip.addr;
    Extract stream From tcp.stream;
    Extract tls_handshake From tls.handshake.type;
};

Gop tls_ses On tls_pdu Match (stream) {
    Start (tls_handshake=1);
    Stop (tls_handshake=2);
};

Done
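Added example, not from the post or from Wireshark's MATE code: a small Python model of the Gop Start/Stop rules above applied to PDUs whose AVPL carries tls_handshake several times, showing what the session boundaries look like if a Stop condition is satisfied by any occurrence of the key versus only the first one. The frame list is constructed; frame 1877 copies the values in the dump, in the order MATE prints them.

```python
"""Model of Gop Start/Stop matching over multi-occurrence AVPs.

Constructed example, not MATE's implementation: it only shows the two
readings of Stop (tls_handshake=2) that the question distinguishes.
"""
from collections import defaultdict

# Constructed PDUs: (frame, tcp.stream, tls.handshake.type values in frame).
PDUS = [
    (1870, 93, [1]),              # ClientHello: matches Start
    (1877, 93, [11, 12, 14, 2]),  # values as printed in the dump above
    (1880, 93, [16]),             # ClientKeyExchange, after the candidate Stop
    (1900, 94, [1]),              # second stream, Start only
]

def avp_matches(values, wanted, any_occurrence):
    """Evaluate key=wanted against every value (or only the first) of the key."""
    if not values:
        return False
    return wanted in values if any_occurrence else values[0] == wanted

def run_gop(pdus, start_type=1, stop_type=2, any_occurrence=True):
    """Return {stream: [(start_frame, stop_frame_or_None), ...]}.

    Gops are keyed on stream, as in Match (stream). A Gop opens on a PDU
    matching Start when none is open for that stream and closes on the
    first later PDU matching Stop; PDUs in between are just members.
    """
    open_gop = {}
    gops = defaultdict(list)
    for frame, stream, types in pdus:
        if stream not in open_gop:
            if avp_matches(types, start_type, any_occurrence):
                open_gop[stream] = frame
            continue
        if avp_matches(types, stop_type, any_occurrence):
            gops[stream].append((open_gop.pop(stream), frame))
    for stream, start in open_gop.items():  # Gops still open at end of capture
        gops[stream].append((start, None))
    return dict(gops)

if __name__ == "__main__":
    print("any occurrence  :", run_gop(PDUS, any_occurrence=True))
    print("first occurrence:", run_gop(PDUS, any_occurrence=False))
```

With any-occurrence matching, stream 93 closes at frame 1877; with first-occurrence matching it never closes, which is the difference visible in the tls_ses dump when the Stop does not fire.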