Ethereal-dev: Re: [Ethereal-dev] It was "the Thing", now is a plugin called mate

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 19 Nov 2004 13:03:16 +0100
Hi,

> If I understand it correct, this will be some kind of user configurable
> high level dissection?

Yes, it fetches data from other dissectors to create relationships
between different frames, which one can then filter on. What to
fetch and how to relate the frames comes from the configuration.

> I tried to understand your documentation at
> http://wiki.ethereal.com/Thing, but didn't really got the point.

I've never been good at writing user documentation. I often take
for granted things that aren't. And most of all I'm not good at
"predicting" which doubts users will have.

> What is the thing (now mate) really doing?

A brief (but incomplete) description of what it does is:

At the first run it taps on "frame" to import PDUs and relate them.
First it decides whether or not there's a PDU, then checks if the PDU
matches some key criteria and checks if there are other PDUs that
already match that criteria the same way; if there are, it will add that
PDU to the existing group (that group is a leg). Then it will do
almost the same thing with the legs: it will check whether or not legs
match some key criteria and group them by the way they match.

After that it will create a tree so that users can use attributes of
the relationships to filter with.
 
> Will it add one/several new protocol fields at runtime, configurable by
> a user configuration file?

No, it really adds only "mate" as a protocol and its own fields; however
it uses data coming from fields from any protocol to create its tree,
which as I said contains relationships between frames.

> What is a leg? Is there any "none telephony" term for it?

The term transaction might be used, but with caution. By leg I mean
all the PDUs of one specific protocol that relate to a single "use" of
that one protocol.

Let's do an example using DNS:

# this tells mate what to import into a mate's pdu
Action=PDU; Proto=dns; Transport=ip; addr=ip.addr; dns_id=dns.id;
dns_rsp=dns.flags.response;

# this tells mate that a DNS leg is uniquely identified by both
addresses and the id
Action=LegKey; On=dns; addr; addr; dns_id;

# this tells mate that a dns leg starts when the attribute dns_rsp is 0;
Action=LegStart; On=dns; dns_rsp=0;

# this tells mate that a dns leg stops when the attribute dns_rsp is 1;
Action=LegStop; On=dns; dns_rsp=1;

This will create a DNS "leg" for every request, which will contain the
request and the response.

> I really appreciate, that you did some documentation already.

If I did not, I would have been the only potential user of this.

> At the first 10 minutes looking at the wiki page, I guess that the
> functionality will be useful. But I would think that documentation is
> important and should be better understandable.

I agree. I'll try to improve it in the very near future.

> We might need to put it in a somewhat more user's point of view,
> answering the following questions first:
> 
> What can I achieve/do with it?

To have a very simple filter expression filtering all the PDUs related
to a session.
To navigate through related frames with relative simplicity.

> In which cases will it be useful? (Maybe: In which not?)

I've used it already for:

- filtering all frames containing signalling PDUs related to a single
calling number (that is, test calls).

- filtering frames of transactions with slow response times.

> What are the steps needed to be done to use it?

That's going to be in the wiki...

> BTW: Please try to avoid "telephony slang" (e.g. I'm not familiar with
> the term "leg").

I'll try very hard.

> Regards, ULFL
> 
> P.S: You might better not answer the questions to my mail, but update
> the wiki page directly :-)

I'll update the wiki in the upcoming days.
My question: is there a way to rename a wiki page?

-- 
"I can't stand pain, it hurts me!"
-- Daffy Duck
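As an added illustration (not part of this mail or of the mate plugin's own code), here is a small Python model of the leg grouping that the DNS configuration in the mail describes: each PDU is keyed by the address pair plus dns_id, a leg opens on dns_rsp=0 and closes on dns_rsp=1. Assumed, not stated in the mail: the address pair matches regardless of direction, a PDU matching a closed leg's key with dns_rsp=0 starts a new leg, and a response with no open leg is left unassigned; the PDU records are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Pdu:
    """One mate PDU built from the attributes the config imports."""
    frame: int
    addrs: tuple      # the two ip.addr values of the frame
    dns_id: int       # dns.id
    dns_rsp: int      # dns.flags.response: 0 = query, 1 = response

@dataclass
class Leg:
    key: tuple
    frames: list = field(default_factory=list)
    stopped: bool = False

def leg_key(pdu):
    # LegKey: addr; addr; dns_id -> address pair (direction ignored, an
    # assumption) plus the transaction id
    return (tuple(sorted(pdu.addrs)), pdu.dns_id)

def group_legs(pdus):
    open_legs = {}   # key -> leg still collecting PDUs
    legs, orphans = [], []
    for pdu in pdus:
        key = leg_key(pdu)
        leg = open_legs.get(key)
        if leg is None:
            if pdu.dns_rsp != 0:      # LegStart: only a query opens a leg
                orphans.append(pdu.frame)
                continue
            leg = Leg(key)
            open_legs[key] = leg
            legs.append(leg)
        leg.frames.append(pdu.frame)
        if pdu.dns_rsp == 1:          # LegStop: the response closes the leg
            leg.stopped = True
            del open_legs[key]
    return legs, orphans

# Constructed sample: two interleaved queries, a stray response, id reuse.
SAMPLE = [
    Pdu(1, ("10.0.0.5", "10.0.0.53"), 0x1a2b, 0),
    Pdu(2, ("10.0.0.5", "10.0.0.53"), 0x3c4d, 0),
    Pdu(3, ("10.0.0.53", "10.0.0.5"), 0x1a2b, 1),  # reply, addresses reversed
    Pdu(4, ("10.0.0.53", "10.0.0.5"), 0x9999, 1),  # reply with no query seen
    Pdu(5, ("10.0.0.53", "10.0.0.5"), 0x3c4d, 1),
    Pdu(6, ("10.0.0.5", "10.0.0.53"), 0x1a2b, 0),  # id reused: a new leg
]

def run_sample():
    legs, orphans = group_legs(SAMPLE)
    return [leg.frames for leg in legs], orphans
```

Frame 4 ends up unassigned because no open leg has its key, which is the kind of PDU a filter on the resulting tree would not relate to any transaction.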