Ethereal-users: [Ethereal-users] Two packet intercept question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Hardware Stuff <mrfixit@xxxxxxxxxxxxxxx>
Date: Wed, 10 Jan 2001 13:40:06 -0800 (PST)

I've been successfully using a combination of perl and tethereal to
decode a data packet.  I recently discovered that 1/12 of the data is
missing and appears in a subsequent packet.  I'd post the packets from a
generic ethereal monitor via an X copy-paste into emacs, but some
bright spark coded ethereal such that X copy doesn't work (grumble;
perhaps if the shift or control key is depressed, it could indicate
that X-copy is desired, not packet selection).

The first packet is easy to find, it's an unusual size, the source IP
is known and the dest port is known.  A simple filter:

tethereal -n -i eth1 -x -c 1 -f "ip src $server and greater 490"

reliably picks it out of a noisy LAN to pipe into the perl decoder.
The remaining data appears in a smaller 45 byte packet that has the
same Ack code, but the arrival timing appears to be far faster than a
second invocation of tethereal with appropriate parameters could
capture.

So I need a different answer.  The nature of this problem (picking
data out of multiple packets) has surely been seen before and solved
within ethereal.  How do I do that?  Can I reuse the perl decoder (or
is it just a roadmap)?  Do I need to learn dissectors (and is there a
newbie guide)?

TIA

ron
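As an added example (not from the original post or the Ethereal project), the following Python code shows the reassembly step the question is really about: capture both segments in one pass (for instance a single tethereal run with a larger packet count and a filter on the server address and destination port) and then join their payloads by TCP sequence number instead of relying on arrival timing. The frames, addresses and ports below are constructed for the demonstration.

```python
import struct

def parse_tcp_segment(frame):
    """Parse Ethernet/IPv4/TCP; return (src_ip, dst_port, seq, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                       # IP protocol 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    tcp = ip[ihl:total_len]                              # drops any Ethernet padding
    _, dst_port, seq, _ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    return src_ip, dst_port, seq, tcp[data_off:]

def reassemble(frames, server_ip, port):
    """Join payloads from server_ip to port, ordered by TCP sequence number, so arrival
    order is irrelevant; a gap raises rather than yielding corrupt data. Assumes no seq wrap."""
    segs = {}
    for frame in frames:
        parsed = parse_tcp_segment(frame)
        if parsed is None:
            continue
        src, dport, seq, payload = parsed
        if src == server_ip and dport == port and payload:
            segs[seq] = payload                          # a retransmission just overwrites
    data, expected = b"", None
    for seq in sorted(segs):
        if expected is not None and seq != expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seq}")
        data += segs[seq]
        expected = seq + len(segs[seq])
    return data

def build_frame(src_ip, dst_port, seq, payload):
    """Constructed test frame: Ethernet + 20-byte IPv4 + 20-byte TCP (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", 5555, dst_port, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

# Constructed capture: the short continuation segment arrives before the large (>490 byte)
# first segment, and an unrelated host's traffic is present and must be ignored.
SERVER, PORT = "10.0.0.1", 7777
FRAMES = [build_frame(SERVER, PORT, 1000 + 460, b"TAIL!"),
          build_frame(SERVER, PORT, 1000, b"A" * 460), build_frame("10.0.0.9", PORT, 1, b"noise")]
def decode_capture():
    return reassemble(FRAMES, SERVER, PORT)
```

On a real capture the frames would come from a pcap file or from a hex dump written by tethereal -x, with the same reassembly logic applied; the existing perl decoder would then be fed the joined payload rather than one packet.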