> >What I'd like to do in regards to this is to have an "unfragment" mode
> >in ethereal. When used, multiple packets that are known to be part of a
> >single TCP transmision (write()) will be coalesced together. The packet
> >summary line will be two lines high. The first line will be the decoding
> >of the packet (once you put all the packets together for a single TCP
> >write(), you can send that entire buffer to the next higher layer,
> >dissect_http() or whatever). The second line will contain a drop-down
> >list of the individiual frames that make up this TCP write(). If you
> >select one of these frames, a window pops up showing you the protocol
> >tree and hex dump of that single frame.
>
> Hmmm, that sounds interesting, but you lose the time relationships between
> events. It will also require more GUI support/complexity.
Another possibility might be to have the summary list still have one
line for each frame, but have it show the summary information for the
first "packet" the beginning of which is in that frame - or, if the
frame only continues a previous packet, the summary information for the
frame it continues, perhaps with a "(continuation)" tag.
One might still want to have multiple lines per frame if you have more
than one "packet" (e.g., more than one SMB request) per frame; if you do
that, and you have, say, the last part of an SMB write followed by some
or all of another SMB request, the first line for that frame would be a
"continuation" line for the write, and the next line would be the
summary for the next SMB request.
One would probably have only the first line for the frame contain stuff
such as the frame number and time stamp, and possibly also limit the
source and destination address display to the first line as well; this
might make it a little clearer what stuff is in the frame.
