Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/epan/mate/examples/call.mate | 34 | ||||
-rw-r--r-- | plugins/epan/mate/examples/mms.mate | 97 | ||||
-rw-r--r-- | plugins/epan/mate/examples/pasv_ftp.mate | 39 | ||||
-rw-r--r-- | plugins/epan/mate/examples/tcp.mate | 17 | ||||
-rw-r--r-- | plugins/epan/mate/examples/web.mate | 79 |
5 files changed, 148 insertions, 118 deletions
diff --git a/plugins/epan/mate/examples/call.mate b/plugins/epan/mate/examples/call.mate
deleted file mode 100644
index 0dbbb45ef8..0000000000
--- a/plugins/epan/mate/examples/call.mate
+++ /dev/null
@@ -1,34 +0,0 @@
-# call.mate
-
-Action=Settings; DiscardPduData=TRUE; ShowGopTimes=FALSE; ShowPduTree=FALSE;
-
-Action=PduDef; Name=q931_pdu; Proto=q931; Stop=TRUE; Transport=tcp/ip; addr=ip.addr; call_ref=q931.call_ref; q931_msg=q931.message_type;
-Action=PduDef; Name=ras_pdu; Proto=h225.RasMessage; Transport=udp/ip; addr=ip.addr; ras_sn=h225.requestSeqNum; ras_msg=h225.RasMessage;
-Action=PduDef; Name=isup_pdu; Proto=isup; Transport=mtp3; m3pc=mtp3.dpc; m3pc=mtp3.opc; cic=isup.cic; isup_msg=isup.message_type;
-
-Action=PduExtra; For=q931_pdu; guid=h225.guid; calling=q931.calling_party_number.digits; q931_cause=q931.cause_value;
-Action=PduExtra; For=isup_pdu; calling=isup.calling; isup_cause=isup.cause_indicator;
-Action=PduExtra; For=ras_pdu; guid=h225.guid;
-
-Action=GopDef; Name=q931_leg; On=q931_pdu; addr; addr; call_ref;
-Action=GopStart; For=q931_leg; q931_msg=5;
-Action=GopStop; For=q931_leg; q931_msg=90;
-Action=GopExtra; For=q931_leg; calling; q931_cause; guid;
-
-Action=GopDef; Name=isup_leg; On=isup_pdu; ShowPduTree=TRUE; ShowGopTimes=TRUE; m3pc; m3pc; cic;
-Action=GopStart; For=isup_leg; isup_msg=1;
-Action=GopStop; For=isup_leg; isup_msg=16;
-Action=GopExtra; For=isup_leg; calling; isup_cause;
-
-Action=GopDef; Name=ras_leg; On=ras_pdu; addr; addr; ras_sn;
-Action=GopStart; For=ras_leg; ras_msg|0|3|6|9|12|15|18|21|26|30;
-Action=GopStop; For=ras_leg; ras_msg|1|2|4|5|7|8|10|11|13|14|16|17|19|20|22|24|27|28|29|31;
-Action=GopExtra; For=ras_leg; guid;
-
-Action=GogDef; Name=call; GogExpiration=0.75;
-Action=GogKey; For=call; On=isup_leg; calling;
-Action=GogKey; For=call; On=q931_leg; calling;
-Action=GogKey; For=call; On=q931_leg; guid;
-Action=GogKey; For=call; On=ras_leg; guid;
-Action=GogExtra; For=call; isup_cause;
-Action=GogExtra; For=call; q931_cause;
diff --git a/plugins/epan/mate/examples/mms.mate b/plugins/epan/mate/examples/mms.mate
index 7554b11932..43da382777 100644
--- a/plugins/epan/mate/examples/mms.mate
+++ b/plugins/epan/mate/examples/mms.mate 
@@ -1,40 +1,57 @@
-# mms.mate
-
-# MMSE over HTTP
-Action=PduDef; Name=mmse_over_http_pdu; Proto=http; Transport=tcp/ip; Payload=mmse; addr=ip.addr; port=tcp.port; http_rq=http.request; content=http.content_type;
-Action=PduExtra; For=mmse_over_http_pdu; resp=http.response.code; method=http.request.method; host=http.host; content=http.content_type;
-Action=PduExtra; For=mmse_over_http_pdu; method=http.request.method; host=http.host;
-Action=PduExtra; For=mmse_over_http_pdu; trx=mmse.transaction_id; msg_type=mmse.message_type; notify_status=mmse.status; send_status=mmse.response_status;
-
-Action=Transform; Name=rm_client_from_http_resp1; Mode=Insert; Match=Strict; http_rq;
-Action=Transform; Name=rm_client_from_http_resp1; Mode=Insert; Match=Every; addr; .not_rq;
-
-Action=Transform; Name=rm_client_from_http_resp2; Mode=Replace; Match=Strict; not_rq; ue;
-
-Action=PduTransform; For=mmse_over_http_pdu; Name=rm_client_from_http_resp1;
-Action=PduTransform; For=mmse_over_http_pdu; Name=rm_client_from_http_resp2;
-
-Action=GopDef; Name=mmse_over_http; On=mmse_over_http_pdu; addr; addr; port; port;
-Action=GopStart; For=mmse_over_http; http_rq;
-Action=GopStop; For=mmse_over_http; http_rs;
-
-Action=GopExtra; For=mmse_over_http; host; ue; resp; notify_status; send_status; trx;
-
-# MMSE over WSP
-Action=PduDef; Name=mmse_over_wsp_pdu; Proto=wsp; Payload=mmse; Transport=ip; trx=mmse.transaction_id; msg_type=mmse.message_type; notify_status=mmse.status; send_status=mmse.response_status;
-
-Action=Transform; Name=mms_start; Match=Loose; .mms_start;
-
-Action=PduTransform; Name=mms_start; For=mmse_over_wsp_pdu;
-
-Action=GopDef; Name=mmse_over_wsp; On=mmse_over_wsp_pdu; trx;
-Action=GopStart; For=mmse_over_wsp; mms_start;
-Action=GopStop; For=mmse_over_wsp; never;
-
-Action=GopExtra; For=mmse_over_wsp; ue; notify_status; send_status;
-
-# the MMS GoG
-Action=GogDef; Name=mms; GogExpiration=60.0;
-Action=GogKey; For=mms; On=mmse_over_http; trx;
-Action=GogKey; For=mms; On=mmse_over_wsp; trx;
-Action=GogExtra; For=mms; ue; notify_status; send_status; resp; host; trx;
+Transform rm_client_from_http_resp1 {
+ Match (http_rq);
+ Match Every (addr) Insert (not_rq);
+};
+
+Transform rm_client_from_http_resp2 {
+ Match (not_rq,ue) Replace ();
+};
+
+Pdu mmse_over_http_pdu Proto http Transport tcp/ip {
+ Payload mmse;
+ Extract addr From ip.addr;
+ Extract port From tcp.port;
+ Extract http_rq From http.request;
+ Extract content From http.content_type;
+ Extract resp From http.response.code;
+ Extract method From http.request.method;
+ Extract host From http.host;
+ Extract content From http.content_type;
+ Extract trx From mmse.transaction_id;
+ Extract msg_type From mmse.message_type;
+ Extract notify_status From mmse.status;
+ Extract send_status From mmse.response_status;
+ Transform rm_client_from_http_resp1, rm_client_from_http_resp2;
+};
+
+Gop mmse_over_http On mmse_over_http_pdu Match (addr, addr, port, port) {
+ Start (http_rq);
+ Stop (http_rs);
+ Extra (host, ue, resp, notify_status, send_status, trx);
+};
+
+Transform mms_start {
+ Match Loose() Insert (mms_start);
+};
+
+Pdu mmse_over_wsp_pdu Proto wsp Transport ip {
+ Payload mmse;
+ Extract trx From mmse.transaction_id;
+ Extract msg_type From mmse.message_type;
+ Extract notify_status From mmse.status;
+ Extract send_status From mmse.response_status;
+ Transform mms_start;
+};
+
+Gop mmse_over_wsp On mmse_over_wsp_pdu Match (trx) {
+ Start (mms_start);
+ Stop (never);
+ Extra (ue, notify_status, send_status);
+};
+
+Gog mms {
+ Member mmse_over_http (trx);
+ Member mmse_over_wsp (trx);
+ Extra (ue, notify_status, send_status, resp, host, trx);
+ Expiration 60.0;
+};
diff --git a/plugins/epan/mate/examples/pasv_ftp.mate b/plugins/epan/mate/examples/pasv_ftp.mate
index 24ef7ab470..9a8852803b 100644
--- a/plugins/epan/mate/examples/pasv_ftp.mate
+++ b/plugins/epan/mate/examples/pasv_ftp.mate
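Review bot: `Stop (http_rs);` in `Gop mmse_over_http` and the `ue` attribute used in `rm_client_from_http_resp2` and in the `Extra` lists refer to names that no `Extract` or `Insert` in this file produces, so as written the HTTP Gop never sees its stop condition and `ue` is never populated. Both are carried over from the old syntax rather than introduced here, but the rewrite is the natural place to fix them, for example with `Extract http_rs From http.response;` and `Extract ue From ip.src;` in `Pdu mmse_over_http_pdu` (the second is a guess at the intent, modelled on `client` in web.mate). The same Pdu block extracts `content` from `http.content_type` twice. Unlike the other converted examples, this file does not end with `Done;`.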
@@ -1,18 +1,33 @@ -# pasv_ftp.mate +Pdu ftp_pdu Proto ftp Transport tcp/ip { + Extract ftp_addr From ip.addr; + Extract ftp_port From tcp.port; + Extract ftp_resp From ftp.response.code; + Extract ftp_req From ftp.request.command; + Extract server_addr From ftp.passive.ip; + Extract server_port From ftp.passive.port; -Action=PduDef; Name=ftp_pdu; Proto=ftp; Transport=tcp/ip; Stop=TRUE; ftp_addr=ip.addr; ftp_port=tcp.port; ftp_resp=ftp.response.code; ftp_req=ftp.request.command; server_addr=ftp.passive.ip; server_port=ftp.passive.port; + LastPdu true; +}; -Action=PduDef; Name=ftp_data_pdu; Proto=ftp-data; Transport=tcp/ip; server_addr=ip.src; server_port=tcp.srcport; +Pdu ftp_data_pdu Proto ftp-data Transport tcp/ip{ + Extract server_addr From ip.src; + Extract server_port From tcp.srcport; -Action=GopDef; Name=ftp_data; On=ftp_data_pdu; server_addr; server_port; -Action=GopStart; For=ftp_data; server_addr; +}; -Action=GopDef; Name=ftp_ctl; On=ftp_pdu; ftp_addr; ftp_addr; ftp_port; ftp_port; -Action=GopStart; For=ftp_ctl; ftp_resp=220; -Action=GopStop; For=ftp_ctl; ftp_resp=221; -Action=GopExtra; For=ftp_ctl; server_addr; server_port; +Gop ftp_data On ftp_data_pdu Match (server_addr, server_port) { + Start (server_addr); +}; -Action=GogDef; Name=ftp_ses; -Action=GogKey; For=ftp_ses; On=ftp_ctl; ftp_addr; ftp_addr; ftp_port; ftp_port; -Action=GogKey; For=ftp_ses; On=ftp_data; server_addr; server_port; +Gop ftp_ctl On ftp_pdu Match (ftp_addr, ftp_addr, ftp_port, ftp_port) { + Start (ftp_resp=220); + Stop (ftp_resp=221); + Extra (server_addr, server_port); +}; +Gog ftp_ses { + Member ftp_ctl (ftp_addr, ftp_addr, ftp_port, ftp_port); + Member ftp_data (server_addr, server_port); +}; + +Done; diff --git a/plugins/epan/mate/examples/tcp.mate b/plugins/epan/mate/examples/tcp.mate index 2abe3e8882..773ad85f37 100644 --- a/plugins/epan/mate/examples/tcp.mate +++ b/plugins/epan/mate/examples/tcp.mate 
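Review bot: The rewritten pasv_ftp.mate drops its only comment, and nothing explains that `Pdu ftp_data_pdu` takes `server_addr` and `server_port` from `ip.src` and `tcp.srcport`, so apparently only ftp-data segments sent by the server can match the `ftp.passive.ip`/`ftp.passive.port` pair seen on the control channel. If that reading is right, passive-mode uploads stay outside `ftp_ses`, which matters to anyone using the example to tie transfers to a login when reviewing a capture. I would add a header comment such as `// Passive-mode FTP: only server-to-client data is joined to ftp_ses`. Separately, `Gop ftp_data` has a `Start` but no `Stop`, as in the old file.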
@@ -1,7 +1,14 @@ -# tcp.mate +Pdu tcp_pdu Proto tcp Transport ip { + Extract addr From ip.addr; + Extract port From tcp.port; + Extract tcp_start From tcp.flags.syn; + Extract tcp_stop From tcp.flags.reset; + Extract tcp_stop From tcp.flags.fin; +}; - Action=PduDef; Name=tcp_pdu; Proto=tcp; Transport=ip; addr=ip.addr; port=tcp.port; tcp_start=tcp.flags.syn; tcp_stop=tcp.flags.fin; tcp_stop=tcp.flags.reset; - Action=GopDef; Name=tcp_session; On=tcp_pdu; addr; addr; port; port; - Action=GopStart; For=tcp_session; tcp_start=1; - Action=GopStop; For=tcp_session; tcp_stop=1; +Gop tcp_ses On tcp_pdu Match (addr, addr, port, port) { + Start (tcp_start=1); + Stop (tcp_stop=1); +}; +Done; diff --git a/plugins/epan/mate/examples/web.mate b/plugins/epan/mate/examples/web.mate index fd00c651de..7b3d2246b5 100644 --- a/plugins/epan/mate/examples/web.mate +++ b/plugins/epan/mate/examples/web.mate 
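Review bot: `Gop tcp_ses` renames the Gop that the old file called `tcp_session`, and as far as I can tell MATE derives the exposed field names from the Gop name, so saved display filters or notes that use the old name would stop matching. If the rename is not intended, keep `Gop tcp_session On tcp_pdu Match (addr, addr, port, port) {`. If it is intended, a one-line header comment such as `// tcp.mate: one Gop per TCP connection, exposed as tcp_ses (formerly tcp_session)` would replace the comment this hunk removes and record the change.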
@@ -1,27 +1,52 @@
-# web.mate
-
-Action=PduDef; Name=dns_pdu; Proto=dns; Transport=ip; addr=ip.addr; dns_resp=dns.flags.response; host=dns.qry.name; client_addr=ip.src; dns_id=dns.id;
-Action=PduDef; Name=http_pdu; Proto=http; Transport=tcp/ip; addr=ip.addr; port=tcp.port; http_rq=http.request.method; http_rs=http.response; host=http.host; client_addr=ip.src;
-
-Action=GopDef; Name=dns_req; On=dns_pdu; addr; addr; dns_id;
-Action=GopStart; For=dns_req; dns_resp=0;
-Action=GopStop; For=dns_req; dns_resp=1;
-
-Action=GopDef; Name=http_req; On=http_pdu; addr; addr; port; port;
-Action=GopStart; For=http_req; http_rq;
-Action=GopStop; For=http_req; http_rs;
-
-Action=Transform; Name=rm_client_from_dns_resp; Mode=Replace; Match=Every; dns_resp=1; client_addr; .dns_resp=1;
-Action=PduTransform; For=dns_pdu; Name=rm_client_from_dns_resp;
-
-Action=Transform; Name=rm_client_from_http_resp; Mode=Replace; Match=Every; http_rs; client_addr; .http_rs=;
-Action=PduTransform; For=http_pdu; Name=rm_client_from_http_resp;
-
-Action=GopExtra; For=http_req; host; client_addr;
-Action=GopExtra; For=dns_req; host; client_addr;
-
-Action=GogDef; Name=http_use; GogExpiration=0.75;
-Action=GogKey; For=http_use; On=http_req; host; client_addr;
-Action=GogKey; For=http_use; On=dns_req; host;client_addr;
-
-Action=GogExtra; For=http_use; host; client_addr;
+Transform rm_client_from_dns_resp {
+ Match (dns_resp=1, client) Replace (dns_resp=1);
+};
+
+Pdu dns_pdu Proto dns Transport ip {
+ Extract addr From ip.addr;
+ Extract dns_id From dns.id;
+ Extract dns_resp From dns.flags.response;
+ Extract host From dns.qry.name;
+ Extract client From ip.src;
+ Transform rm_client_from_dns_resp;
+};
+
+Gop dns_req On dns_pdu Match (addr,addr,dns_id) {
+ Start (dns_resp=0);
+ Stop (dns_resp=1);
+ Extra (host, client);
+};
+
+Transform rm_client_from_http_resp1 {
+ Match (http_rq);
+ Match Every (addr) Insert (not_rq);
+};
+
+Transform rm_client_from_http_resp2 {
+ Match (not_rq, client) Replace ();
+};
+
+Pdu http_pdu Proto http Transport tcp/ip {
+ Extract addr From ip.addr;
+ Extract port From tcp.port;
+ Extract http_rq From http.request.method;
+ Extract http_rs From http.response;
+ Extract host From http.host;
+ Extract client From ip.src;
+ Transform rm_client_from_http_resp1, rm_client_from_http_resp2;
+ DiscardPduData true;
+};
+
+Gop http_req On http_pdu Match (addr, addr, port, port) {
+ Start (http_rq);
+ Stop (http_rs);
+ Extra (host, client);
+};
+
+Gog http_use {
+ Member http_req (host, client);
+ Member dns_req (host, client);
+ Expiration 0.75;
+};
+
+Done; |
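Review bot: `Gog http_use` no longer has an `Extra` list, whereas the old file had `GogExtra; For=http_use; host; client_addr;`, so the Gog apparently stops carrying `host` and `client` up from its member Gops. If the omission is unintentional, add `Extra (host, client);` before `Expiration 0.75;`. `DiscardPduData true;` is also new and is set only on `http_pdu`, not on `dns_pdu`; a short comment saying why the two Pdus differ would help readers who copy the example.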