Wireshark-users: [Wireshark-users] Mate plugin for 1.0.4 - Dissector bug

From: "Studtmann, Joel [NTK]" <Joel.Studtmann@xxxxxxxxxx>
Date: Thu, 23 Oct 2008 12:59:23 -0500
Wireshark users:
 
I could use some assistance / feedback with using the MATE plugin.
 
For the short version, I’m getting the following error when I attempt to use a Gog in the configuration file:
 
[Dissector bug, protocol MATE: proto.c:2085: failed assertion "(guint)hfindex < gpa_hfinfo.len"]
 
A Google search for a similar error hinted at a problem in the dissector itself when an array is out of bounds, but C++ is not my forte. The configuration file is extremely simple, and I get the dissector error only with the Gog stanza in place:
 
 
Pdu rp_pdu Proto a11 Transport ip {
        Extract addr From ip.addr;
        Extract type From a11.type;
        Extract life From a11.life;
        Extract msid From a11.ext.msid;
        Extract grekey From a11.ext.key;
        Extract pdsn From a11.haaddr;
        Extract ident From a11.ident;
};
 
Gop rp_signal On rp_pdu Match (addr, addr, msid, ident) {
        Start (type = 1);
        Stop (type = 3);
};
 
Gog call {
        Member rp_signal (msid);
        Expiration 1800;
 
};
 
Done;
 
 
 
For the longer version:
 
I’m new to MATE, although I’ve used Wireshark/Ethereal/Network General regularly for about 8 years. FWIW, we use Wireshark only for analysis; the captures are provided by the Netscout/Network General products. I’m not a programmer by trade, but a coworker and I were investigating using Python to integrate with Wireshark for doing custom decodes, when my coworker tripped over the MATE plugin.
 
My first impression was that this was awesome: the greatest thing since Cacti (which is the greatest thing since Wireshark). My goals are similar to that of the original purpose: track the signalling of a data call as it traverses different points of the networks, and correlate the hand-offs, technology shifts, active/dormant transitions, et cetera.
 
I admit my enthusiasm has waned a bit over the past few days: the configuration guide is in a state of flux between the ‘old’ way and the ‘new’ way, and some of the examples don’t work due to nuances (i.e., the ‘Expiration’ of a Gog can’t be the first line of the Gog, or you get a syntax error). I’ve been stumbling through the configuration files anyway, but between the dissector error on 1.0.4, crashes of 1.0.3, and 1.0.3 refusing to open some files but not others… I’m not confident that MATE gets enough use/attention to be stable. A search of the mailing list has 1-2 posts a year, and that’s it.
 
Here’s what I’ve run through in the past few days:
  1. As I needed to re-install Wireshark to enable MATE anyway, I downloaded 1.0.4, and noted the release notes that MATE crashes were fixed in 1.0.4.
  2. Worked through the examples / config syntax, built some PDUs, fixed the grammar errors (dang capitalization of From, semicolons, et cetera), and was excited to see it work.
  3. Attempted to configure a Gog, and watched the Dissector error above scroll through the screen. Assumed it was a configuration error, so tweaked the syntax… removed attributes… changed keys… loosened restrictions on Gops… all to no avail. Wireshark always gave a dissector error when the Gog stanza was enabled.
  4. After a good night’s sleep, remembered that 1.0.4 had changes to fix some bugs in 1.0.3… so installed that instead. 1.0.3 kinda worked… sometimes. Some files wouldn’t open, while copies of those files (or filtered versions of the original files) would… or wouldn’t. Rebooted. Some worked, some didn’t. Some files wouldn’t open with double-click, but would if Wireshark was opened first.
  5. When it did open, I didn’t get a dissector error, but individual legs of the Gop weren’t included in the Gog; figured out the default timer of 2 seconds was creating a new Gog, so figured out how to change that. (BTW: the Expiration can’t be the first part of the Gog, but works as the last line.)
  6. 1.0.3 continued to crash more often than not, so I downloaded latest Visual C++ runtime, and tried 1.0.4 again.  Crashes stopped, but I get a dissector error on every PDU again when it attempts to do a Gog.
 
Right now, I’m out of ideas… changing things in the configuration and hoping for the best isn’t the best troubleshooting methodology, and it’s just frustrating me anyway. I did wonder if the dissector trigger is the length of the key: the MSID is a 15 digit number, and I need to strip off the first 5 anyway for later correlation, so as soon as I figure out how to do a regex in Transform, I’ll see if that makes a difference.
 
Thoughts?
 
Thanks in advance,
 
Joel
 
Joel Studtmann, JNCIP-M CCIP CCNP CCDP JNCIA-FW
NTAC - CDNO
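As an added example, not part of Joel's post and not Wireshark or MATE code: a small Python lint that checks a MATE configuration for the syntax pitfalls the post lists (capitalization of From, missing semicolons, Expiration as the first statement of a Gog) and for a Member line naming a Gop that is never defined. The block regex and the constructed sample configuration are my own assumptions about the grammar, not taken from MATE's documentation.

```python
import re

# Constructed sample: the poster's configuration with two deliberate slips
# (lowercase "from", a missing ';', and Expiration first in the Gog) so the
# checks below have something to report. Not a real capture configuration.
SAMPLE_CONF = """
Pdu rp_pdu Proto a11 Transport ip {
        Extract addr From ip.addr;
        Extract type from a11.type;
        Extract msid From a11.ext.msid
};
Gop rp_signal On rp_pdu Match (addr, addr, msid) {
        Start (type = 1);
        Stop (type = 3);
};
Gog call {
        Expiration 1800;
        Member rp_signal (msid);
};
Done;
"""

# Assumed block shape: "<Pdu|Gop|Gog> <name> ... { body };" (one block per match).
BLOCK_RE = re.compile(r"^\s*(Pdu|Gop|Gog)\s+(\w+)\b[^{]*\{(.*?)^\s*\};", re.S | re.M)

def lint_mate_conf(text):
    """Return a list of (block_name, message) for the pitfalls the post describes."""
    warnings = []
    gops = set()  # Gop names seen so far, to validate Gog Member lines
    for kind, name, body in BLOCK_RE.findall(text):
        if kind == "Gop":
            gops.add(name)
        stmts = [s.strip() for s in body.strip().split(";")]
        if stmts[-1]:  # text after the final ';' means a statement lacks one
            warnings.append((name, f"statement missing ';': {stmts[-1]!r}"))
        stmts = [s for s in stmts if s]
        for s in stmts:
            # The post notes that "From" must be capitalised exactly.
            if s.startswith("Extract") and not re.match(r"Extract\s+\w+\s+From\s+\S+$", s):
                warnings.append((name, f"Extract must read 'Extract <attr> From <field>': {s!r}"))
        if kind == "Gog":
            if stmts and stmts[0].startswith("Expiration"):
                warnings.append((name, "Expiration cannot be the first statement of a Gog"))
            for s in stmts:
                m = re.match(r"Member\s+(\w+)", s)
                if m and m.group(1) not in gops:
                    warnings.append((name, f"Member refers to unknown Gop {m.group(1)!r}"))
    return warnings

if __name__ == "__main__":
    for block, msg in lint_mate_conf(SAMPLE_CONF):
        print(f"{block}: {msg}")
```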