Skip to content

MATE gop matching fails with multiple occurrences of the same AVP are present

Summary

MATE gop matching fails with multiple occurrences of the same AVP are present

Steps to reproduce

Take a simple MATE configuration for matching HTTP2 request/responses:

Pdu http2_pdu Proto http2 Transport tcp/ip {
    Extract addr From ip.addr;
    Extract port From tcp.port;
    Extract streamid From http2.streamid;
    Extract path From http2.headers.path;
    Extract type From http2.type;

    Criteria Accept Strict (type{0|1});    
};

Gop http2_req On http2_pdu Match (addr, addr, port, port, streamid) {
    Start (path);
};

If a packet contains 2 different streams the matching criteria fails (probably depending on the order of the streams in the packet). Take for instance the following packets all with the same ip/ports:

  • packet 1 -> HEADERS[1]
  • packet 2 -> DATA[1] SETTINGS[0]
  • packet 3 -> HEADERS[1] DATA[1]

In this case packets 1 and 3 are correctly grouped together but packet 2 is left alone.

What is the expected correct behavior?

I would expect also packet 2 to be grouped together or at least a way to configure MATE to include or exclude that packet.

Build information

Version 4.2.4 (v4.2.4-0-g1fe5bce8d665).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.37, build 32822),
with GLib 2.78.0, with Qt 6.5.3, with libpcap, with zlib 1.3.0, with PCRE2, with
Lua 5.2.4 (with UfW patches), with GnuTLS 3.8.3 and PKCS #11 support, with
Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.57.0,
with nghttp3 1.0.0, with brotli, with LZ4, with Zstandard, with Snappy, with
libxml2 2.11.5, with libsmi 0.5.0, with QtMultimedia, with automatic updates
using WinSparkle 0.8.0, with AirPcap, with Minizip, with binary plugins.

Running on 64-bit Windows 10 (22H2), build 19045, with 11th Gen Intel(R)
Core(TM) i7-11850H @ 2.50GHz (with SSE4.2), with 48815 MB of physical memory,
with GLib 2.78.0, with Qt 6.5.3, with Npcap version 1.78, based on libpcap
version 1.10.4, with PCRE2 10.42 2022-12-11, with c-ares 1.27.0, with GnuTLS
3.8.3, with Gcrypt 1.10.2-unknown, with nghttp2 1.57.0, with nghttp3 1.0.0, with
brotli 1.0.9, with LZ4 1.9.3, with Zstandard 1.5.2, without AirPcap, with light
display mode, without HiDPI, with QPA plugin "windows", with
LC_TYPE=Italian_Italy.utf8, binary plugins supported.
Edited by Alberto Sartori
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information