Ethereal-users: Re: [Ethereal-users] filtering on two packets at the same time

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 22 Feb 2001 10:39:54 -0800 (PST)
> I'd like to look for sequential packets with duplicate UDP data. For
> example, I may get two TFTP packets in a row both of type ACK and with
> block number 1176. I'd like to just see those two packets.
> 
> Is this possible?

It would be possible for a C programmer to modify a dissector for a
protocol that runs atop UDP, if that protocol includes enough
information to detect duplicates, to keep state history so that it could
recognize duplicate packets, and tag them as such (e.g., with a hidden
Boolean field saying "this is a duplicate", or a hidden integer field
giving the frame number of the frame in which the packet of which this
is a duplicate begins).

The only dissector that does that currently is the ONC RPC dissector
(which does it regardless of whether the RPC packets are running atop
UDP or not).

> If not, how hard would it be to write a program to do this? Is there a
> library that I could use to parse a capture file?

The Wiretap library can be used to *read* a capture file, but there's no
library to *parse* the capture file - the code that parses a capture
file is called "Ethereal".
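The state-keeping approach described above (remember the last packet in each flow, tag a repeat with the frame number of the original), as an added example that is not Ethereal code or code from the list; the frames are constructed inline, only TFTP DATA/ACK opcodes are parsed, and the flow key is the assumed address:port pair:

```python
import struct

TFTP_DATA = 3
TFTP_ACK = 4


def parse_tftp(payload):
    """Return (opcode, block) for a TFTP DATA or ACK packet, else None."""
    if len(payload) < 4:
        return None
    opcode, block = struct.unpack("!HH", payload[:4])  # both fields are big-endian 16-bit
    if opcode not in (TFTP_DATA, TFTP_ACK):
        return None
    return opcode, block


def tag_duplicates(frames):
    """frames: iterable of (frame_no, src, dst, udp_payload).

    Returns {duplicate_frame_no: original_frame_no} for every packet whose
    opcode+block number repeats the previous packet seen in the same flow,
    the same information a dissector would expose as a hidden integer field.
    """
    last_seen = {}  # (src, dst) -> ((opcode, block), frame_no of first occurrence)
    tags = {}
    for frame_no, src, dst, payload in frames:
        key = parse_tftp(payload)
        if key is None:
            continue
        prev = last_seen.get((src, dst))
        if prev is not None and prev[0] == key:
            tags[frame_no] = prev[1]  # keep pointing at the first copy for runs of repeats
        else:
            last_seen[(src, dst)] = (key, frame_no)
    return tags


def frames_to_show(tags):
    """Frame numbers a display filter would keep: each duplicate plus its original."""
    return sorted(set(tags) | set(tags.values()))


def _ack(block):
    return struct.pack("!HH", TFTP_ACK, block)


def _data(block, body):
    return struct.pack("!HH", TFTP_DATA, block) + body


# Constructed sample capture: frame 3 is a retransmitted ACK for block 1176.
SAMPLE_FRAMES = [
    (1, "10.0.0.2:3456", "10.0.0.1:1025", _data(1176, b"x" * 512)),
    (2, "10.0.0.1:1025", "10.0.0.2:3456", _ack(1176)),
    (3, "10.0.0.1:1025", "10.0.0.2:3456", _ack(1176)),
    (4, "10.0.0.2:3456", "10.0.0.1:1025", _data(1177, b"y" * 512)),
    (5, "10.0.0.1:1025", "10.0.0.2:3456", _ack(1177)),
]
```

Running `frames_to_show(tag_duplicates(SAMPLE_FRAMES))` on the constructed capture leaves just frames 2 and 3, the pair the question asks to isolate.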