LEGO wrote:
On 11/11/05, Jeff Morriss <jeff.morriss@xxxxxxxxxxx> wrote:
I've got a huge capture file with lots of SCTP retransmissions. I'd
like to have an easy way to find them and (since we don't have SCTP
analysis similar to the TCP analysis yet) I started playing around with
MATE.
From reading the docs I thought I could create a Gop of SCTP PDUs whose
only matching criteria was the Vtag and TSN, something like:
    Pdu sctp_pdu Proto sctp Transport ip {
        //Extract addr From ip.addr;
        //Extract port From sctp.port;
        Extract vtag From sctp.verification_tag;
        Extract tsn From sctp.data_tsn;
        Extract sctp_chunk From sctp.chunk_type;
    };
    Gop sctpretrans On sctp_pdu Match (vtag, tsn) {
        Stop(sctp_chunk=6);
    };
    Done;
(I've already filtered the file down so there's only my association in
there.)
MATE picks up the sctp_pdu's but not the Gops. Any ideas why? Any
ideas for a better way to do it? (I want to find the retransmissions
and check the time between the transmissions.)
My fault, what you did should do the job. Gops with a missing Start
Condition appear not to be working... I'll take a look at it.
Schwoo--glad I'm not crazy! BTW, I am using 0.10.13 (sorry, didn't
mention that before).
(I also tried not having any Start or Stop conditions to the Gop but the
parser didn't like that thus the basically useless--for what I'm trying
to do--Stop condition. Really, my Start condition is that the PDU
matched and my Stop condition is the end of the capture file.)
The grammar is missing the possibility of an empty Gop Statement...
I'll add that.
Cool. The Wiki didn't explicitly say it was allowed but it sorta
implied it (since you can not have a Start and not have a Stop), so I
tried. :-)
So, going back to your problem. You basically want to start a Gop
whenever a new VTAG-TSN pair appears and never stop it.
    Pdu sctp_pdu Proto sctp Transport ip {
        Extract vtag From sctp.verification_tag;
        Extract tsn From sctp.data_tsn;
        Extract sctp_chunk From sctp.chunk_type;
    };
    Gop sctpretrans On sctp_pdu Match (vtag, tsn) {
        Start ();
        // the empty avpl will always match (yielding an empty avpl)
        // BTW it is exactly what a Gop with no Start condition should be
        // doing internally.
        Stop (never);
        // there's no way a "never" avp will be found in a Pdu.
    };
Ahhh, I hadn't thought of a null list--that works perfectly, thank you!
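
The grouping the thread arrives at (one group per vtag/TSN pair, opened on first sight and never stopped), as an added Python example that is not part of the original messages and is not MATE's own code. It assumes the capture was exported as tab-separated text with the relative frame time plus the two fields named in the thread; the sample lines, the function names and the export layout are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, shaped like tab-separated text with three columns:
# frame.time_relative, sctp.verification_tag, sctp.data_tsn.
# DATA chunks bundled in one packet are assumed to appear as comma-separated TSNs.
SAMPLE = """\
0.000\t0x1a2b3c4d\t100,101
0.020\t0x1a2b3c4d\t102
0.030\t0x1a2b3c4d\t
1.010\t0x1a2b3c4d\t101
3.010\t0x1a2b3c4d\t101,103
3.500\t0x0badf00d\t101
"""


def parse(text):
    """Yield (time, vtag, tsn) for every DATA chunk; skip packets carrying none."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or not fields[2]:
            continue  # e.g. a SACK-only packet: no sctp.data_tsn value
        ts, vtag, tsns = fields
        for tsn in tsns.split(","):
            yield float(ts), vtag, int(tsn)


def group_by_vtag_tsn(text):
    """Equivalent of Match (vtag, tsn) with Start () and Stop (never)."""
    groups = defaultdict(list)
    for ts, vtag, tsn in parse(text):
        groups[(vtag, tsn)].append(ts)
    return groups


def retransmissions(text):
    """Return {(vtag, tsn): [gap, ...]} in seconds for keys seen more than once."""
    result = {}
    for key, times in group_by_vtag_tsn(text).items():
        if len(times) > 1:
            times = sorted(times)
            result[key] = [round(b - a, 6) for a, b in zip(times, times[1:])]
    return result


if __name__ == "__main__":
    for (vtag, tsn), gaps in sorted(retransmissions(SAMPLE).items()):
        print(f"vtag={vtag} tsn={tsn} sent {len(gaps) + 1} times, gaps={gaps}")
```

Keying on the verification tag as well as the TSN keeps the same TSN in a different association from being counted as a retransmission.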