Bernhard Bock

Correlation of RADIUS traffic in Wireshark with MATE

When you are analyzing problems in a carrier access network, chances are you need to deal with a great number of RADIUS packets. At some point it becomes a nightmare to find the packets that belong together in a network trace.

Wireshark cannot automatically correlate a request with its response, or an authentication request with the matching accounting request. Fortunately, it includes a very powerful, scripting-like environment called the Meta Analysis and Tracing Engine (MATE), which can help with this task.

Here are two MATE scripts which help me a lot when analyzing RADIUS traffic. Feel free to use them and to redistribute or enhance them (GPL license applies):

// MATE correlation of RADIUS accounting packets
// written by Bernhard Bock
// version 1.0, 2009-05-06

// radius.code 3 = Access-Reject (RFC 2865): tag the group as rejected
Transform rej {
        Match (rad_op=3) Insert (rejected);
};

// Pull the fields we correlate on out of every RADIUS-over-UDP packet.
// ip.addr and udp.port each yield two AVPs (source and destination).
// Wireshark registers RADIUS attribute fields with '-' replaced by '_',
// so the field is radius.Framed_IP_Address (the original used a hyphen).
Pdu radius_pdu Proto radius Transport udp/ip {
   Extract addr From ip.addr;
   Extract port From udp.port;
   Extract rad_op From radius.code;
   Extract rad_msgid From radius.id;
   Extract rad_clientip From radius.Framed_IP_Address;
   Extract line_id From radius.Calling_Station_Id;
   Extract timeout From radius.Session_Timeout;
   Extract type From radius.Acct_Status_Type;
   Transform rej;
};

// Group packets with the same RADIUS id between the same two endpoints;
// listing addr and port twice matches both sides regardless of direction.
// A group starts on radius.code 4 = Accounting-Request (RFC 2866).
Gop acct_req On radius_pdu Match (rad_msgid, addr, addr, port, port) {
   Start (rad_op=4);
   Extra (rad_clientip, line_id, rejected, timeout, type);
};

Done;

// MATE correlation of RADIUS authentication packets
// written by Bernhard Bock
// version 1.0, 2009-05-06

// radius.code 3 = Access-Reject, 2 = Access-Accept (RFC 2865)
Transform answers {
        Match (rad_op=3) Insert (rejected);
        Match (rad_op=2) Insert (accepted);
};

// Same extraction as in the accounting script; the field is
// radius.Framed_IP_Address, with an underscore, in Wireshark's RADIUS dissector.
Pdu radius_pdu Proto radius Transport udp/ip {
   Extract addr From ip.addr;
   Extract port From udp.port;
   Extract rad_op From radius.code;
   Extract rad_msgid From radius.id;
   Extract rad_clientip From radius.Framed_IP_Address;
   Extract line_id From radius.Calling_Station_Id;
   Transform answers;
};

// A group starts on radius.code 1 = Access-Request; the Accept or Reject
// with the same id between the same endpoints joins the same group.
Gop auth_req On radius_pdu Match (rad_msgid, addr, addr, port, port) {
   Start (rad_op=1);
   Extra (rad_clientip, line_id, rejected, accepted);
};

Done;

Some documentation about MATE can be found at http://wiki.wireshark.org/Mate. However, the learning curve of MATE is pretty steep. If you're stuck, I definitely recommend joining the Wireshark mailing list. In short, MATE works like this:

  • If a packet matches a Pdu definition, extract the defined data (the Extract clauses) from the packet and save it inside the MATE engine.
  • Apply any defined Transforms to this data.
  • Correlate packets into Gops (Groups of Packets) when they share the data named in the Gop's Match clause.

Then you can filter on Groups of Packets. For example, if you find a retransmitted packet, select the Gop ID in the packet details, apply it as a filter, and you see the whole exchange without searching manually.
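As an added illustration (not part of the original post and not MATE code), here is the same correlation logic in Python: a minimal RADIUS header and attribute parser, a grouping function that uses the same key as the Gop Match clause (message id plus both endpoints, regardless of direction), and a per-group summary that reproduces the Transform's accepted/rejected flags and marks retransmitted requests. The packets, addresses and ports are constructed sample data, and the authenticator field is zeroed rather than computed.

```python
import struct
from collections import defaultdict
# RADIUS codes (RFC 2865/2866) and the attribute types the MATE scripts above extract
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
FRAMED_IP_ADDRESS, CALLING_STATION_ID = 8, 31

def parse_radius(payload):
    # 20-byte header (code, id, length, authenticator), then type/length/value attributes
    code, msgid, length = struct.unpack("!BBH", payload[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")  # would otherwise loop forever
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return code, msgid, attrs

def correlate(packets, start_code):
    # Key as in 'Match (rad_msgid, addr, addr, port, port)': id plus both endpoints, either direction
    gops = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        code, msgid, attrs = parse_radius(payload)
        key = (msgid, frozenset({(src, sport), (dst, dport)}))
        if code == start_code or key in gops:  # a Gop only opens on its Start code
            gops[key].append((code, attrs))
    return gops

def summarize(gop):
    # Flags the Transform inserts, Extra attributes merged from every PDU, and retransmission
    codes = [c for c, _ in gop]
    attrs = {k: v for _, a in gop for k, v in a.items()}
    return {"accepted": ACCESS_ACCEPT in codes, "rejected": ACCESS_REJECT in codes,
            "retransmitted": codes.count(codes[0]) > 1,  # codes[0] is always the Start request
            "line_id": attrs.get(CALLING_STATION_ID, b"").decode(),
            "client_ip": ".".join(map(str, attrs[FRAMED_IP_ADDRESS])) if FRAMED_IP_ADDRESS in attrs else None}

def build(code, msgid, attrs):
    # Constructed test packet; the 16-byte authenticator is zeroed, so it is not cryptographically valid
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, msgid, 20 + len(body)) + bytes(16) + body
NAS, SERVER = ("10.0.0.2", 45000), ("10.0.0.1", 1812)  # hypothetical (addr, port) endpoints
SAMPLE = [  # constructed trace: (src, sport, dst, dport, payload)
    (*NAS, *SERVER, build(ACCESS_REQUEST, 7, [(CALLING_STATION_ID, b"line-42")])),
    (*NAS, *SERVER, build(ACCESS_REQUEST, 7, [(CALLING_STATION_ID, b"line-42")])),  # retransmit
    (*SERVER, *NAS, build(ACCESS_ACCEPT, 7, [(FRAMED_IP_ADDRESS, bytes([192, 0, 2, 10]))])),
    (*NAS, *SERVER, build(ACCESS_REQUEST, 8, [(CALLING_STATION_ID, b"line-43")])),
    (*SERVER, *NAS, build(ACCESS_REJECT, 8, [])),
]
```

Passing ACCT_REQUEST as the start code applies the same grouping to accounting traffic, as the first MATE script does; with the sample above, id 7 is reported as accepted and retransmitted, id 8 as rejected.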

— Nov 29, 2009