Ethereal-dev: [ethereal-dev] Ability to save only packets selected by display filter?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 19 Nov 1999 15:53:53 -0800 (PST)
I've occasionally wanted to do that, I've seen others mention that on
one or both of these lists, and somebody here asked for it:

	I have a huge dmp file which has lots of network traffic in it.
	I open the file using ethereal to analyse it. I am interested in a
	particular stream from a particular port. So I put a filter in or
	do "follow TCP stream". Now I wanted to save this particular
	stream to a file. How do I do it? I tried save as. Did not work.
	It duplicated the whole dump.

	Is it something that is worthwhile which can be done?

My response was:

	> I have a huge dmp file which has lots of network traffic in it.
	> I open the file using ethereal to analyse it. I am interested in a
	> particular stream from a particular port. So I put a filter in or
	> do "follow TCP stream". Now I wanted to save this particular
	> stream to a file. How do I do it? I tried save as. Did not work.
	> It duplicated the whole dump.

	Correct.  The current "Save"/"Save As" code just moves or copies the
	file (literally - if you're saving a temporary file from a capture, it
	tries a "rename()" call and, if that fails, it tries to open the new
	file and just copies the raw bytes, and if you're saving a permanent
	file, it just does the copy).

	> Is it something that is worthwhile which can be done?

	It's something that could be done, although the latest version of the
	code that could be made to do that is at home, not at work - and it
	doesn't yet have an option to save only the packets that passed the
	filter.

	I forget whether there was any problem with doing it other than the fact
	that:

		1) it wouldn't necessarily work if you have a capture in a
		   "foreign" file format, given that there's not yet any code
		   to write out files in a format other than the "libpcap"
		   format used by "tcpdump" and Ethereal;

		2) saving an entire temporary capture to a directory on the same
		   file system as the one on which the temporary capture resides
		   would be slightly more expensive (and would temporarily
		   require slightly more disk space), and saving it to a
		   directory on the same file system would also be more
		   expensive but not by as much.

	Then again:

		1) you can't *currently* save a subset of the packets from, say,
		   a Sniffer capture file, so it's not as if you'd *lose* any
		   capability, and you can save the entire contents of a Sniffer
		   file with the handy UNIX command "cp", so it's not as if
		   you'd lose much there;

		2) unless Ethereal's captured a *lot* of traffic (in which case
		   perhaps the right answer was to capture it with a
		   command-line utility, in the background, and look at it
		   later), the difference might not be noticeable.

People have also asked for the ability to save Ethereal captures out as,
say, Sniffer captures, and this would also allow us, if that capability
were added to Wiretap, to have a combo box for the output file format in
the "Save" dialog box, to let you do that for the formats supported for
output.

Would changing the "Save" and "Save As" to write out the capture by
reading through the capture file and writing out all or filtered
packets, rather than to just move or copy the entire capture file, be a
problem for anybody?

Note that we might then want to make "Save As" not function the way it
does in most other applications, and the way (as I remember from the
last time this was discussed) the Mac and Windows UI guidelines suggest.
Those guidelines suggest that if you do a "Save As", the current file
name change to the name of the file to which you saved.

Microsoft's Network Monitor doesn't do that - it leaves the file name
the same.  This is probably because it also lets you save only selected
packets - but doing so doesn't mean that only the packets you saved are
available; turn the display filter off, and all the packets from the
original capture are available again.

If we do the same, I think Network Monitor's model makes sense - saving
filtered packets is, for those used to "ed"-flavored editors (including
"ex" and "vi"), more like doing

	17,47w /tmp/partial

than like doing

	w /tmp/full

in that you're not saving the entire file, you're writing out to a new
file a part of the file.

Perhaps an *unfiltered* save should still change the name it has for the
current file.  (For that matter, perhaps an unfiltered save, in the same
file format as the input file, should continue to use the move/copy code
path we use now, in which case disadvantage 2) goes away, and, if you
forbid writing a filtered capture in a format other than the format it
was read in as, we could at least let you save an entire capture in its
native format, although, as noted, "cp" will do that just as well as
Ethereal will....)
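The two save paths the mail contrasts, the existing "rename(), else copy the raw bytes" path and the proposed "read through the capture and write out only the packets that pass the filter" path, as an added example. This is not Ethereal's or Wiretap's code; it is a self-contained Python sketch that understands only the classic libpcap format (24-byte global header, 16-byte per-record headers, either byte order) with an Ethernet link type, and the filter it applies is a hard-coded "TCP with a given port" predicate standing in for a display filter. All function names (parse_pcap, build_pcap, save_whole, save_filtered, tcp_port_filter, demo) are mine, and the frames it writes are constructed test data with zeroed checksums, not a real capture.

```python
import os
import shutil
import struct
import tempfile

# Classic libpcap ("tcpdump") format only; pcapng and Sniffer files are not handled.
PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "IHHiIII"           # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = "IIII"                 # ts_sec, ts_usec, incl_len, orig_len


def parse_pcap(data):
    """Return (endian, global header tuple, [(ts_sec, ts_usec, orig_len, frame), ...])."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le == PCAP_MAGIC:
        endian = "<"
    elif magic_le == 0xD4C3B2A1:          # bytes A1 B2 C3 D4 on disk: big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (magic 0x%08x)" % magic_le)
    header = struct.unpack(endian + GLOBAL_HDR, data[:24])
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + PKT_HDR, data[off:off + 16])
        off += 16
        if off + incl_len > len(data):    # malformed incl_len must not read past the file
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        packets.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return endian, header, packets


def build_pcap(endian, header, packets):
    """Serialize records back out, preserving the input's byte order and link type."""
    out = [struct.pack(endian + GLOBAL_HDR, *header)]
    for ts_sec, ts_usec, orig_len, frame in packets:
        out.append(struct.pack(endian + PKT_HDR, ts_sec, ts_usec, len(frame), orig_len))
        out.append(frame)
    return b"".join(out)


def tcp_port_filter(port):
    """Predicate standing in for a display filter: Ethernet/IPv4/TCP with `port` at either end."""
    def pred(frame):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            return False
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                                # not TCP
            return False
        tcp = 14 + ihl
        if len(frame) < tcp + 4:
            return False
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        return port in (sport, dport)
    return pred


def save_whole(src, dst):
    """The current path the mail describes: rename(), and on failure a raw byte copy."""
    try:
        os.rename(src, dst)
    except OSError:                        # e.g. EXDEV when dst is on another file system
        shutil.copyfile(src, dst)


def save_filtered(src, dst, predicate):
    """The proposed path: read every record, write only those the predicate accepts.
    Returns (records read, records written)."""
    with open(src, "rb") as f:
        endian, header, packets = parse_pcap(f.read())
    kept = [p for p in packets if predicate(p[3])]
    with open(dst, "wb") as f:
        f.write(build_pcap(endian, header, kept))
    return len(packets), len(kept)


def _frame(proto, sport, dport):
    """Constructed test frame: Ethernet + minimal IPv4 header + the two L4 port fields."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 24, 0, 0, 0, 0, 64, proto]) + b"\x00\x00" + bytes([10, 0, 0, 1, 10, 0, 0, 2])
    return eth + ip + struct.pack("!HH", sport, dport)


def demo():
    """Write a constructed capture, save it whole and filtered, report record counts."""
    header = (PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [
        (1, 0, 38, _frame(6, 40000, 80)),    # TCP to port 80    -> kept
        (2, 0, 38, _frame(17, 40001, 53)),   # UDP               -> dropped
        (3, 0, 38, _frame(6, 80, 40000)),    # TCP from port 80  -> kept
        (4, 0, 38, _frame(6, 40002, 443)),   # TCP to port 443   -> dropped
    ]
    tmp = tempfile.mkdtemp()
    src, whole, part = (os.path.join(tmp, n) for n in ("full.pcap", "copy.pcap", "http.pcap"))
    with open(src, "wb") as f:
        f.write(build_pcap("<", header, records))
    total, kept = save_filtered(src, part, tcp_port_filter(80))
    save_whole(src, whole)                   # same directory, so rename() succeeds here
    with open(whole, "rb") as f:
        whole_count = len(parse_pcap(f.read())[2])
    with open(part, "rb") as f:
        part_count = len(parse_pcap(f.read())[2])
    shutil.rmtree(tmp)
    return {"total": total, "kept": kept, "whole_file": whole_count, "filtered_file": part_count}


if __name__ == "__main__":
    print(demo())
```

Two points the sketch makes concrete: the filtered path has to understand the file format (it refuses anything that is not classic libpcap, which is the "foreign format" limitation the mail lists as disadvantage 1), and it must bound every record by the file length before slicing, since a corrupted or hostile incl_len is the usual way a capture parser gets into trouble. The whole-file path needs neither, which is why it can stay a plain rename-or-copy.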