Ethereal-users: RE: [Ethereal-users] configure output of (t)ethereal
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Visser, Martin (SNO)" <Martin.Visser@xxxxxxxxxx>
Date: Wed, 22 Aug 2001 11:53:59 +0800
Roger,

A lot of what you want can be done by using the -V option of tethereal and parsing the output with say a perl script. You can then look for the various field headers and do the appropriate post processing. Using "tethereal -V -R http.request | httpreq.pl" works very nicely, giving the following output :-

    632,2.294652,MSMSGS\r\n
    1150,5.153614,MSMSGS\r\n
    1580,7.997510,MSMSGS\r\n
    1984,10.751313,MSMSGS\r\n
    2291,12.449642,Mozilla/4.01 [en] (Win95; I)\r\n
    2489,13.705522,MSMSGS\r\n
    2950,16.800464,MSMSGS\r\n
    3383,19.362532,Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n
    3472,19.814354,MSMSGS\r\n
    3616,20.464338,Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n

A kludgy httpreq.pl I have written is below :-

    #!/usr/bin/perl
    # Read "tethereal -V" output on stdin and emit one CSV line per frame:
    # frame number, time relative to first packet, HTTP User-Agent.
    use strict;
    use warnings;

    my ($fno, $timerel, $useragent);

    while (<>) {
        chomp;
        if (/^Frame\s+(\S+)/) {
            # A new frame starts: flush the previous frame's values first
            # (skipped for the very first "Frame" line, where nothing is pending).
            print "$fno,$timerel,$useragent\n" if defined $fno;
            $fno = $1;
            # Reset per-frame fields so a frame without a User-Agent does not
            # inherit the previous frame's value.
            $timerel = $useragent = "";
        }
        elsif (/^\s+Time relative to first packet:\s+(\S+)/) {
            $timerel = $1;
        }
        elsif (/^\s+User-Agent:\s+(.*)$/) {
            $useragent = $1;
        }
    }
    # Flush the last frame.
    print "$fno,$timerel,$useragent\n" if defined $fno;

That being said, I agree that it would be nice to be able to ask tethereal (or ethereal for that matter) to output per frame information on particular fields and/or summarise per field information over a time interval. Ideally data should be output in either Comma Separated Variable format, or XML.

I am working on, read thinking about, an add-in that will graph particular fields over time. This would be a more generic approach than the tcp graph patch that Pavel Mores has created. Ideally you should be able to click on a field in ethereal and have data exported in various formats. It will also use display filters (or something similar) to colorize and separate output from various streams. I have been thinking at whether the graph function should be compiled in, as has been done in the past by patches that Pavel and myself have done separately, or whether it is better to pipe the data out for an external graphing program.
An external program would require the type of output you are talking about. So when I spend a little more time doing and less time thinking .....

Martin

Martin Visser
Network Consultant - Compaq Global Services
Compaq Computer Australia
410 Concord Road Rhodes, Sydney NSW 2138 Australia
Phone: +61-2-9022-5630
Mobile: +61-411-254-513
Fax: +61-2-9022-7001
Email: martin.visser@xxxxxxxxxx

-----Original Message-----
From: Roger Kalden (EED) [mailto:roger.kalden@xxxxxxxxxxxxxxx]
Sent: Wednesday, 22 August 2001 12:26 AM
To: 'ethereal-users@xxxxxxxxxxxx'
Subject: [Ethereal-users] configure output of (t)ethereal

Hi,

I have been using ethereal a bit and think it is a great tool. However I want to use it for a problem where I haven't found a solution yet. I would like to create time-series of certain protocol fields. Basically this is already supported, but I would like to do this in a more generic way. The idea is that this would provide the possibility to combine (in an easy way) lots of powerful Unix tools together with the powerful ethereal (dissection engine).

In a very simple case, what I would like to do is to query tethereal to output all TCP source and destination port numbers (together with time and frame number). Or to query tethereal to output all HTTP (get) user-agents. Or to query tethereal to output all IP total sizes. This should then be printed in a way

    No; Timer; src port, dst port
    - or -
    No; Timer; http user agent
    - or - etc.

I guess you got it. I know that it is possible to define some columns and then to print a summary. But this doesn't allow selecting all fields from other protocols. Basically what tethereal needs (as an option) is to tell it what fields it should output per protocol (and in which way - i.e. as one line). e.g.

    tethereal -d "frame [no, time delta] http [ User-Agent ]" -R http
    tethereal -d "frame [no, time delta] tcp [ src port, dst port ]" -R tcp

What is missing is the -d option :-) (I think it is straightforward what it means -- what protocol level and then what sub fields of the prot.)

Have I missed something in ethereal's functionality, or is a plug-in for this available, or is it planned to provide something like this? If this is not available yet, maybe you can point me to a few places in the source where I would have to fit in this function. I think it would really be useful, as it opens up a lot of possibilities to post-process the output of tethereal.

Best Regards,
/Roger

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
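The approach Martin describes (parse "tethereal -V" output, split it into per-frame blocks, pick out named fields, print CSV) generalises to the arbitrary "protocol [field]" selection Roger asks for. The Python below is an added example written for this archive page, not code from either poster or from the Ethereal project. It goes beyond Martin's httpreq.pl in that the field list is a table of (column, regex) pairs, so the same parser extracts HTTP User-Agents or TCP ports, and an optional protocol-header filter stands in for the "-R http.request" display filter. The sample "-V" text is constructed here and only approximates the real layout; the column names (frame.number, http.user_agent, tcp.srcport, ...) and the function names are assumptions for this example. (Later tshark releases provide exactly this natively via "-T fields -e <field>".)

```python
import csv
import io
import re

# Constructed sample in the style of "tethereal -V" output (three frames).
# It approximates the real layout and is not captured data. Frame 2 is a
# TCP-only frame with no HTTP layer, to show the protocol filter at work.
SAMPLE_LINES = [
    "Frame 1 (74 bytes on wire, 74 bytes captured)",
    "    Time relative to first packet: 0.000000 seconds",
    "    Frame Number: 1",
    "Transmission Control Protocol, Src Port: 1033 (1033), Dst Port: 80 (80)",
    "    Source port: 1033 (1033)",
    "    Destination port: 80 (80)",
    "Hypertext Transfer Protocol",
    "    GET / HTTP/1.0\\r\\n",
    "    User-Agent: Mozilla/4.01 [en] (Win95; I)\\r\\n",
    "Frame 2 (60 bytes on wire, 60 bytes captured)",
    "    Time relative to first packet: 1.104211 seconds",
    "    Frame Number: 2",
    "Transmission Control Protocol, Src Port: 1034 (1034), Dst Port: 80 (80)",
    "    Source port: 1034 (1034)",
    "    Destination port: 80 (80)",
    "Frame 3 (120 bytes on wire, 120 bytes captured)",
    "    Time relative to first packet: 2.294652 seconds",
    "    Frame Number: 3",
    "Transmission Control Protocol, Src Port: 1034 (1034), Dst Port: 80 (80)",
    "    Source port: 1034 (1034)",
    "    Destination port: 80 (80)",
    "Hypertext Transfer Protocol",
    "    GET /x HTTP/1.0\\r\\n",
    "    User-Agent: MSMSGS\\r\\n",
]
SAMPLE_VERBOSE = "\n".join(SAMPLE_LINES) + "\n"

# Column name -> regex with one capture group, matched at the start of each
# whitespace-stripped line inside a frame block. The names mirror Roger's
# proposed "protocol [field]" syntax and are assumptions for this example.
# The User-Agent pattern drops the literal "\r\n" that -V prints after the
# header value (visible in Martin's output above).
HTTP_USER_AGENT = {
    "frame.number": r"Frame (\d+)",
    "frame.time_relative": r"Time relative to first packet: (\S+)",
    "http.user_agent": r"User-Agent: (.*?)(?:\\r\\n)?$",
}
TCP_PORTS = {
    "frame.number": r"Frame (\d+)",
    "frame.time_relative": r"Time relative to first packet: (\S+)",
    "tcp.srcport": r"Source port: \S+ \((\d+)\)",
    "tcp.dstport": r"Destination port: \S+ \((\d+)\)",
}

FRAME_START = re.compile(r"^Frame \d+")


def parse_frames(verbose_text):
    """Split -V output into per-frame blocks; each block is a list of lines."""
    frames = []
    current = None
    for line in verbose_text.splitlines():
        if FRAME_START.match(line):
            current = []
            frames.append(current)
        if current is not None:
            current.append(line)
    return frames


def extract_fields(verbose_text, specs, require=None):
    """Return one dict per frame with the requested columns.

    specs:   mapping column -> regex (one capture group), first match wins.
    require: substring a frame block must contain (e.g. a protocol header
             line) to be emitted; None emits every frame.
    A column whose pattern never matches in a frame is the empty string.
    """
    rows = []
    for block in parse_frames(verbose_text):
        if require is not None and not any(require in line for line in block):
            continue
        row = {}
        for column, pattern in specs.items():
            row[column] = ""
            for line in block:
                m = re.match(pattern, line.strip())
                if m:
                    row[column] = m.group(1)
                    break
        rows.append(row)
    return rows


def to_csv(rows, columns):
    """Render rows as CSV text with a header line (fields quoted as needed)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(columns)
    for row in rows:
        writer.writerow([row[c] for c in columns])
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: tethereal -V -R http.request | python extract_fields.py
    # With no piped input the constructed sample is used instead.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VERBOSE
    rows = extract_fields(text, HTTP_USER_AGENT, require="Hypertext Transfer Protocol")
    print(to_csv(rows, list(HTTP_USER_AGENT)), end="")
```

Swapping TCP_PORTS for HTTP_USER_AGENT (and dropping the require filter) yields the "No; Timer; src port, dst port" listing from Roger's message; any other field visible in the -V tree can be added the same way, one regex per column.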