The following configuration AVPLs deal with PDU creation and data extraction.
In each frame of the capture, MATE will look for source proto_name's PDUs in the order in which the declarations appear in its configuration and will create PDUs of every type it can from that frame, unless specifically instructed that some PDU type is the last one to be looked for in the frame. If told so for a given type, MATE will extract all PDUs of that type and the previously declared types it finds in the frame but not those declared later.
The complete declaration of a Pdu looks as below; the mandatory order of the diverse clauses is as shown.
Pdu name Proto proto_name Transport {proto1[/proto2/proto3[/...]|mate}; { Payload proto; //optional, no default value Extract attribute From proto.field ; //may occur multiple times, at least once Transform transform1[, transform2[, ...]]; //optional Criteria {Accept|Reject} {Strict|Every|Loose} match_avpl; //optional DropUnassigned {TRUE|FALSE}; //optional, default=FALSE DiscardPduData {TRUE|FALSE}; //optional, default=FALSE LastPdu {TRUE|FALSE}; //optional, default=FALSE };
The name is a mandatory attribute of a Pdu declaration. It is chosen arbitrarily, except that each name may only be used once in MATE’s configuration, regardless the class of an item it is used for. The name is used to distinguish between different types of PDUs, GOPs, and GOGs. The name is also used as part of the filterable fields' names related to this type of PDU which MATE creates.
However, several Pdu declarations may share the same name. In such case, all of them are created from each source PDU matching their Proto, Transport, and Payload clauses, while the bodies of their declarations may be totally different from each other. Together with the Accept (or Reject) clauses, this feature is useful when it is necessary to build the PDU’s AVPL from different sets of source fields depending on contents (or mere presence) of other source fields.
Every instance of the protocol proto_name PDU in a frame will generate one PDU with the AVPs extracted from fields that are in the proto_name's range and/or the ranges of underlying protocols specified by the Transport list. It is a mandatory attribute of a Pdu declaration. The proto_name is the name of the protocol as used in Wireshark display filter.
The PDU’s Proto, and its Transport list of protocols separated by / tell MATE which fields of a frame can get into the PDU’s AVPL. In order that MATE would extract an attribute from a frame’s protocol tree, the area representing the field in the hex display of the frame must be within the area of either the Proto or its relative Transports. Transports are chosen moving backwards from the protocol area, in the order they are given.
Proto http Transport tcp/ip does what you’d expect it to - it selects the nearest tcp range that precedes the current http range, and the nearest ip range that precedes that tcp range. If there is another ip range before the nearest one (e.g., in case of IP tunneling), that one is not going to be selected. Transport tcp/ip/ip that "logically" should select the encapsulating IP header too doesn’t work so far.
Once we’ve selected the Proto and Transport ranges, MATE will fetch those protocol fields belonging to them whose extraction is declared using the Extract clauses for the PDU type. The Transport list is also mandatory, if you actually don’t want to use any transport protocol, use Transport mate. (This didn’t work until 0.10.9).
Other than the PDU’s Proto and its Transport protocols, there is also a Payload attribute to tell MATE from which ranges of Proto's payload to extract fields of a frame into the PDU. In order to extract an attribute from a frame’s tree the highlighted area of the field in the hex display must be within the area of the Proto's relative payload(s). Payloads are chosen moving forward from the protocol area, in the order they are given. Proto http Transport tcp/ip Payload mmse will select the first mmse range after the current http range. Once we’ve selected the Payload ranges, MATE will fetch those protocol fields belonging to them whose extraction is declared using the Extract clauses for the PDU type.
Each Extract clause tells MATE which protocol field value to extract as an AVP value and what string to use as the AVP name. The protocol fields are referred to using the names used in Wireshark display filters. If there is more than one such protocol field in the frame, each instance that fulfills the criteria stated above is extracted into its own AVP. The AVP names may be chosen arbitrarily, but to be able to match values originally coming from different PDUs (e.g., hostname from DNS query and a hostname from HTTP GET request) later in the analysis, identical AVP names must be assigned to them and the dissectors must provide the field values in identical format (which is not always the case).
The Transform clause specifies a list of previously declared Transforms to be performed on the PDU’s AVPL after all protocol fields have been extracted to it. The list is always executed completely, left to right. On the contrary, the list of Match clauses inside each individual Transform is executed only until the first match succeeds.
This clause tells MATE whether to use the PDU for analysis. It specifies a match AVPL, an AVPL Match type (Strict, Every, or Loose) and the action to be performed (Accept or Reject) if the match succeeds. Once every attribute has been extracted and eventual transform list has been executed, and if the Criteria clause is present, the PDU’s AVPL is matched against the match AVPL; if the match succeeds, the action specified is executed, i.e., the PDU is accepted or rejected. The default behaviors used if the respective keywords are omitted are Strict and Accept. Accordingly, if the clause is omitted, all PDUs are accepted.
If set to TRUE, MATE will destroy the PDU if it cannot assign it to a GOP. If set to FALSE (the default if not given), MATE will keep them.
If set to TRUE, MATE will delete the PDU’s AVPL once it has analyzed it and eventually extracted some AVPs from it into the GOP’s AVPL. This is useful to save memory (of which MATE uses a lot). If set to FALSE (the default if not given), MATE will keep the PDU attributes.
Declares a Gop type and its candidate key.
Gop name On pduname Match key { Start match_avpl; // optional Stop match_avpl; // optional Extra match_avpl; // optional Transform transform_list; // optional Expiration time; // optional IdleTimeout time; // optional Lifetime time; // optional DropUnassigned [TRUE|FALSE]; //optional ShowTree [NoTree|PduTree|FrameTree|BasicTree]; //optional ShowTimes [TRUE|FALSE]; //optional, default TRUE };
The name is a mandatory attribute of a Gop declaration. It is chosen arbitrarily, except that each name may only be used once in MATE’s configuration, regardless the class of an item it is used for. The name is used to distinguish between different types of PDUs, GOPs, and GOGs. The name is also used as part of the filterable fields' names related to this type of GOP which MATE creates.
The name of PDUs which this type of GOP is supposed to be grouping. It is mandatory.
Defines what AVPs form up the key part of the GOP’s AVPL (the GOP’s key AVPL or simply the GOP’s key). All PDUs matching the key AVPL of an active GOP are assigned to that GOP; a PDU which contains the AVPs whose attribute names are listed in the GOP’s key AVPL, but they do not strictly match any active GOP’s key AVPL, will create a new GOP (unless a Start clause is given). When a GOP is created, the elements of its key AVPL are copied from the creating PDU.
If given, it tells MATE what match_avpl must a PDU’s AVPL match, in addition to matching the GOP’s key, in order to start a GOP. If not given, any PDU whose AVPL matches the GOP’s key AVPL will act as a start for a GOP. The PDU’s AVPs matching the match_avpl are not automatically copied into the GOP’s AVPL.
If given, it tells MATE what match_avpl must a PDU’s AVPL match, in addition to matching the GOP’s key, in order to stop a GOP. If omitted, the GOP is "auto-stopped" - that is, the GOP is marked as stopped as soon as it is created. The PDU’s AVPs matching the match_avpl are not automatically copied into the GOP’s AVPL.
If given, tells MATE which AVPs from the PDU’s AVPL are to be copied into the GOP’s AVPL in addition to the GOP’s key.
The Transform clause specifies a list of previously declared Transforms to be performed on the GOP’s AVPL after the AVPs from each new PDU, specified by the key AVPL and the Extra clause’s match_avpl, have been merged into it. The list is always executed completely, left to right. On the contrary, the list of Match clauses inside each individual Transform is executed only until the first match succeeds.
A (floating) number of seconds after a GOP is Stop ped during which further PDUs matching the Stop ped GOP’s key but not the Start condition will still be assigned to that GOP. The default value of zero has an actual meaning of infinity, as it disables this timer, so all PDUs matching the Stop ped GOP’s key will be assigned to that GOP unless they match the Start condition.
A (floating) number of seconds elapsed from the last PDU assigned to the GOP after which the GOP will be considered released. The default value of zero has an actual meaning of infinity, as it disables this timer, so the GOP won’t be released even if no PDUs arrive - unless the Lifetime timer expires.
A (floating) of seconds after the GOP Start after which the GOP will be considered released regardless anything else. The default value of zero has an actual meaning of infinity.
Whether or not a GOP that has not being assigned to any GOG should be discarded. If TRUE, the GOP is discarded right after creation. If FALSE, the default, the unassigned GOP is kept. Setting it to TRUE helps save memory and speed up filtering.
Controls the display of PDUs subtree of the GOP:
Declares a Gog type and its candidate key.
Gog name { Member gopname (key); // mandatory, at least one Extra match_avpl; // optional Transform transform_list; // optional Expiration time; // optional, default 2.0 GopTree [NoTree|PduTree|FrameTree|BasicTree]; // optional ShowTimes [TRUE|FALSE]; // optional, default TRUE };
The name is a mandatory attribute of a Gog declaration. It is chosen arbitrarily, except that each name may only be used once in MATE’s configuration, regardless the class of an item it is used for. The name is used to distinguish between different types of PDUs, GOPs, and GOGs. The name is also used as part of the filterable fields' names related to this type of GOG which MATE creates.
Defines the key AVPL for the GOG individually for each GOP type gopname. All gopname type GOPs whose key AVPL matches the corresponding key AVPL of an active GOG are assigned to that GOG; a GOP which contains the AVPs whose attribute names are listed in the GOG’s corresponding key AVPL, but they do not strictly match any active GOG’s key AVPL, will create a new GOG. When a GOG is created, the elements of its key AVPL are copied from the creating GOP.
Although the key AVPLs are specified separately for each of the Member gopnames, in most cases they are identical, as the very purpose of a GOG is to group together GOPs made of PDUs of different types.
If given, tells MATE which AVPs from any of the GOP’s AVPL are to be copied into the GOG’s AVPL in addition to the GOG’s key.
A (floating) number of seconds after all the GOPs assigned to a GOG have been released during which new GOPs matching any of the session keys should still be assigned to the existing GOG instead of creating a new one. Its value can range from 0.0 to infinite. Defaults to 2.0 seconds.
The Transform clause specifies a list of previously declared Transforms to be performed on the GOG’s AVPL after the AVPs from each new GOP, specified by the key AVPL and the Extra clause’s match_avpl, have been merged into it. The list is always executed completely, left to right. On the contrary, the list of Match clauses inside each individual Transform is executed only until the first match succeeds.
Controls the display of GOPs subtree of the GOG:
A Transform is a sequence of Match rules optionally followed by an instruction how to modify the match result using an additional AVPL. Such modification may be an Insert (merge) or a Replace. The syntax is as follows:
Transform name { Match [Strict|Every|Loose] match_avpl [[Insert|Replace] modify_avpl] ; // may occur multiple times, at least once };
For examples of Transforms, check the Manual page.
TODO: migrate the examples here?
The list of Match rules inside a Transform is processed top to bottom; the processing ends as soon as either a Match rule succeeds or all have been tried in vain.
Transforms can be used as helpers to manipulate an item’s AVPL before the item is processed further. An item declaration may contain a Transform clause indicating a list of previously declared Transforms. Regardless whether the individual transforms succeed or fail, the list is always executed completely and in the order given, i.e., left to right.
In MATE configuration file, a Transform must be declared before declaring any item which uses it.
Note | |
---|---|
The Settings parameters have been moved to other configuration parameters or deprecated. Leave for now until rest of document is updated for current syntax. |
The Settings config element is used to pass to MATE various operational parameters. the possible parameters are
How long in seconds after all the GOPs assigned to a GOG have been released new GOPs matching any of the session keys should create a new GOG instead of being assigned to the previous one. Its value can range from 0.0 to infinite. Defaults to 2.0 seconds.
Whether or not the AVPL of every PDU should be deleted after it was being processed (saves memory). It can be either TRUE or FALSE. Defaults to TRUE. Setting it to FALSE can save you from a headache if your config does not work.
Whether PDUs should be deleted if they are not assigned to any GOP. It can be either TRUE or FALSE. Defaults to FALSE. Set it to TRUE to save memory if unassigned PDUs are useless.
Whether GOPs should be deleted if they are not assigned to any session. It can be either TRUE or FALSE. Defaults to FALSE. Setting it to TRUE saves memory.
The following settings are used to debug MATE and its configuration. All levels are integers ranging from 0 (print only errors) to 9 (flood me with junk), defaulting to 0.
Debug { Filename "path/name"; //optional, no default value Level [0-9]; //optional, generic debug level Pdu Level [0-9]; //optional, specific debug level for Pdu handling Gop Level [0-9]; //optional, specific debug level for Gop handling Gog Level [0-9]; //optional, specific debug level for Gog handling };
The {{{path/name}}} is a full path to the file to which debug output is to be written. Non-existent file will be created, existing file will be overwritten at each opening of a capture file. If the statement is missing, debug messages are written to console, which means they are invisible on Windows.
Sets the level of debugging for generic debug messages. It is an integer ranging from 0 (print only errors) to 9 (flood me with junk).
Sets the level of debugging for messages regarding PDU creation. It is an integer ranging from 0 (print only errors) to 9 (flood me with junk).
Sets the level of debugging for messages regarding PDU analysis (that is how do they fit into ?GOPs). It is an integer ranging from 0 (print only errors) to 9 (flood me with junk).
Will include a file to the configuration.
Action=Include; {Filename=filename;|Lib=libname;}
The filename of the file to include. If it does not begin with '/' it will look for the file in the current path.
The name of the lib config to include. will look for libname.mate in wiresharks_dir/matelib.