06-20, 11:45–12:45 (America/New_York), Great Falls
"MATE’s goal is to enable users to filter frames based on information extracted from related frames or information on how frames relate to each other."
Wireshark display filters are great when looking at individual packets.
MATE allows filtering using fields from more than one packet to create a filtered list of packets.
This will be a workshop format, solving a problem in steps using MATE.
In the cases where MATE needs just a little extra we will look at adding a Lua script to the solution.
A recent Discord question: "where the Time column's exact same value repeats at least 10 times"
Could be done with TShark fields piped to sort and uniq -c then check for values >= 10.
Or a half-dozen lines of MATE config and a display filter of mate.frame_ses.NumOfPdus >= 10.
The future may be LUA, but MATE still exists. MATE config files are often a single screen of code.
Knowing when to walk away and write a Lua script is the tough part. Hopefully you will see just enough useful examples in this session so that in the future you might attempt filtering with MATE.
“Those who can, do; those who can’t, support the doers.”
After a (successful?, satisfying?) career in IT, Chuck spends his free time answering questions on ask.wireshark.org with occasional Commits to the Wireshark code.