Just another mail to share the knowledge a little bit more about the architecture of PM.

On Tue, Jun 14, 2011 at 5:01 AM, Guilherme Rezende wrote:
> In sip_register2.pcap I have 2 registers, one with correct password and other
> wrong.
> When I run the run-tester, all packets are duplicated.

I got the point. That's because of the way PacketManipulator invokes the dissectors. Your code gets called by the following lines in the function __run_dissectors(self, mpkt) of umit/pm/manager/auditmanager.py. If you look in detail, lines 308-311 are responsible for this duplication.

    308         if ret is not None:
    309             self.run_decoder(ret, mpkt.l4_src, mpkt)
    310             self.run_decoder(ret, mpkt.l4_dst, mpkt)

This is because in your code you specified SIP_PORTS = (5060, 5061) and your pcap file is a conversation between two endpoints with ip1:5060 <-> ip2:5060. With this assumption PacketManipulator will execute your function sip() for line 309 and then for line 310.

There are several ways to solve this issue. One is through the use of sessions, checking whether the packet is coming from a server or a client. In UDP both are actually peers, by the way, so you have to distinguish server and client from the information they provide.

The other one is to set up a local-cfield in the packet and check whether the packet has already been parsed.

The last, and probably the preferable one, is a mix between SessionManager usage and information extraction. Just identify whether the packet is a response or a request according to the standard and do proper handling of request/response accordingly. So at the end you should have something like:

    sess = lookup session but do not create

    if is_response:
        parse_response
    else:
        parse_request

    def parse_response(mpkt, sess):
        if sess is None:
            register it
            sess.data = (mpkt.l3_src, mpkt.l3_dst)
        ...

    def parse_request(mpkt, sess):
        if sess is None:
            register it
            sess.data = (mpkt.l3_dst, mpkt.l3_src)

In this way you should have a tuple of two elements in the session data attribute. The first corresponding to the server and the second to the client.
Then it should be easy :)

--
Best regards,
Francesco Piccinno

_______________________________________________
Umit-devel mailing list
https://lists.sourceforge.net/lists/listinfo/umit-devel
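
Added example, not part of the original mail and not PacketManipulator code: a sketch of the request/response handling described above, showing that each REGISTER exchange is reported once even though the dissector is called twice per packet. The run_dissectors() function, the dict used as session table, the Call-ID/CSeq session key and the sample capture are assumptions made for illustration; only SIP_PORTS comes from the thread.

```python
# Added example: hypothetical stand-ins only, not PacketManipulator's real API.
SIP_PORTS = (5060, 5061)

def header(payload, name):
    """Return the value of a SIP header (name given lowercase) or None."""
    for line in payload.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name:
            return value.strip().decode("ascii", "replace")
    return None

class SipDissector:
    def __init__(self):
        # sessions: (Call-ID, CSeq) -> (server, client); results: finished exchanges
        self.sessions, self.results = {}, []

    def __call__(self, pkt):
        src, dst, payload = pkt
        key = (header(payload, b"call-id"), header(payload, b"cseq"))
        line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        if line.startswith("SIP/2.0 "):          # Status-Line: a response
            sess = self.sessions.pop(key, None)  # the second call finds nothing
            if sess is not None:
                self.results.append(sess + (int(line.split()[1]),))
        elif line.startswith("REGISTER "):       # Request-Line: sent client -> server
            self.sessions.setdefault(key, (dst[0], src[0]))

def run_dissectors(dissector, pkt):
    """Mimic the double dispatch: once for the source port, once for the destination."""
    src, dst, _ = pkt
    for port in (src[1], dst[1]):
        if port in SIP_PORTS:
            dissector(pkt)

def msg(first, call_id, cseq):
    return ("%s\r\nCall-ID: %s\r\nCSeq: %s\r\n\r\n" % (first, call_id, cseq)).encode()

A, B = ("10.0.0.2", 5060), ("10.0.0.1", 5060)   # constructed endpoints
CAPTURE = [  # constructed: one rejected and one accepted registration
    (A, B, msg("REGISTER sip:10.0.0.1 SIP/2.0", "c1", "1 REGISTER")),
    (B, A, msg("SIP/2.0 403 Forbidden", "c1", "1 REGISTER")),
    (A, B, msg("REGISTER sip:10.0.0.1 SIP/2.0", "c2", "1 REGISTER")),
    (B, A, msg("SIP/2.0 200 OK", "c2", "1 REGISTER")),
]

def analyse(capture):
    dissector = SipDissector()
    for pkt in capture:
        run_dissectors(dissector, pkt)
    return dissector.results
```

Each result tuple is (server, client, status code), matching the server-first ordering of sess.data in the mail.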
