MATE’s Configuration Library in Wireshark

Last Updated : 12 Dec, 2022

MATE stands for Meta Analysis and Tracing Engine. This plugin lets the user define relationships between frames. To do this, MATE extracts data from each frame's dissection tree and then tries to group the frames according to how MATE is configured. Once PDUs have been related, MATE builds a “protocol” tree with filterable fields. Because these fields are nearly identical for all related frames, a session that spans several frames and many protocols can be filtered on a property that appears in only one related frame. MATE also permits frame filtering based on response times, the number of PDUs in a group, and many other factors.

MATE’s main purpose is to filter every packet of a call that uses various protocols while knowing only the calling number. A related use is filtering all packets of all calls that use many protocols based on why one of their “segments” was released. MATE can also pick slow transactions out of especially “dense” captures (finding requests that time out), locate pending transactions (no responses), and follow requests as they pass through additional gateways and proxies.

MATE’s Configuration Library:

The MATE library (will) provide GoP definitions for a number of protocols. You can add library protocols by adding the line Action=Include; Lib=proto_name; to your MATE setup. For each protocol that has a library entry, the library defines what information from the PDU is required to generate a GoP, any other criteria, and the essential GoP definition (i.e., GopDef, GopStart, and GopStop).

General Use Protocols:

TCP: This creates a GoP for each TCP session, so if it is used it should be at the bottom of the list. Furthermore, every other protocol on top of TCP should be declared with Stop=TRUE; this prevents a TCP PDU from being created for frames where a PDU has already been created.

Action=PduDef; Name=tcp_pdu; Proto=tcp; Transport=ip; addr=ip.addr; port=tcp.port; tcp_start=tcp.flags.syn; tcp_stop=tcp.flags.fin; tcp_stop=tcp.flags.reset;
Action=GopDef; Name=tcp_session; On=tcp_pdu; addr; addr; port; port;
Action=GopStart; For=tcp_session; tcp_start=1;
Action=GopStop; For=tcp_session; tcp_stop=1;
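
To make the grouping rules in the definition above concrete, here is an added example (Python written for this page, not MATE's own code and not part of the original article) that models how the tcp_session declarations assign PDUs to GoPs, using constructed sample packets. It assumes a simplified model: a start PDU opens a new GoP only when none exists for the key or the previous one has stopped, and GoP expiry timers are ignored; the names Gop, group_tcp_sessions and pending are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample PDUs holding the attributes the tcp_pdu PduDef extracts:
# (frame number, addrs, ports, SYN flag, FIN flag, RST flag)
SAMPLE_PDUS = [
    (1, ("10.0.0.5", "192.0.2.10"), (40000, 443), 1, 0, 0),  # SYN
    (2, ("192.0.2.10", "10.0.0.5"), (443, 40000), 1, 0, 0),  # SYN/ACK
    (3, ("10.0.0.5", "192.0.2.10"), (40000, 443), 0, 0, 0),  # data
    (4, ("10.0.0.7", "192.0.2.10"), (40001, 22), 1, 0, 0),   # SYN, never closed
    (5, ("10.0.0.9", "192.0.2.10"), (40002, 80), 0, 0, 0),   # mid-stream, no SYN seen
    (6, ("192.0.2.10", "10.0.0.5"), (443, 40000), 0, 1, 0),  # FIN
    (7, ("10.0.0.5", "192.0.2.10"), (40000, 443), 0, 0, 0),  # last ACK
    (8, ("10.0.0.5", "192.0.2.10"), (40000, 443), 1, 0, 0),  # ports reused: new SYN
    (9, ("192.0.2.10", "10.0.0.5"), (443, 40000), 0, 0, 1),  # RST
]

@dataclass
class Gop:
    key: tuple
    frames: list = field(default_factory=list)
    stopped: bool = False

def group_tcp_sessions(pdus):
    """Group PDUs as the tcp_session GopDef/GopStart/GopStop lines describe."""
    current, gops, unassigned = {}, [], []
    for frame, addrs, ports, syn, fin, rst in pdus:
        # GopDef "addr; addr; port; port;": both values of each attribute must
        # match in either direction, so the key is order-independent.
        key = (frozenset(addrs), frozenset(ports))
        tcp_start, tcp_stop = syn == 1, fin == 1 or rst == 1
        gop = current.get(key)
        # GopStart (tcp_start=1) opens a GoP when none exists or the last one stopped.
        if tcp_start and (gop is None or gop.stopped):
            gop = current[key] = Gop(key)
            gops.append(gop)
        if gop is None:
            unassigned.append(frame)  # no start seen: the PDU joins no GoP
            continue
        gop.frames.append(frame)
        if tcp_stop:                  # GopStop (tcp_stop=1) releases the GoP
            gop.stopped = True
    return gops, unassigned

def pending(gops):
    """Sessions that started but never saw FIN or RST in the capture."""
    return [g.frames for g in gops if not g.stopped]
```

In this model, pending() corresponds to the sessions that never matched the GopStop condition, which is the "pending transactions" case described earlier.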

DNS: It will produce a GoP that includes each request and its response (and possibly retransmissions too).

RADIUS: A GoP for every transaction.

VoIP/Telephony:

Unless otherwise specified, most of these protocol definitions will generate one GoP for each call leg.

  • ISUP
Action=PduDef; Name=isup_pdu; Proto=isup; Transport=mtp3; mtp3pc=mtp3.dpc; mtp3pc=mtp3.opc; cic=isup.cic; isup_msg=isup.message_type;

Action=GopDef; Name=isup_leg; On=isup_pdu; ShowPduTree=TRUE; mtp3pc; mtp3pc; cic;
Action=GopStart; For=isup_leg; isup_msg=1;
Action=GopStop; For=isup_leg; isup_msg=16;
  • Q931
  • H225 RAS
  • SIP
  • MEGACO

For MEGACO, every transaction will generate a GoP. To “bind” them to your call’s GoG, use Action=GogKey; Name=your_call; On=mgc_tr; addr!mgc_addr; megaco_ctx;

Conclusion:

The configuration file tells MATE what to look for in frames, how to create PDUs from them, how PDUs are associated with other similar PDUs in GoPs, and how GoPs are related to GoGs. The MATE configuration file consists of a series of declarations. There are four kinds of declarations: Transform, Pdu, Gop (Group of PDUs), and Gog.

