Andreas Sikkema wrote:
>> But if there is TCP segmentation, you may not get all messages with
>> that message type.
>
>The messages are not sent very fast. But they are quite small, I
>have, however, not seen that much evidence of the Nagle
>algorithm, so....
>
>This has to run, if necessary, for weeks to see if a strange situation
>occurs.
>
>If you have a better idea for a capture filter....
>
No, not a capture filter, but...
You could maybe use a combination of a capture filter and a read filter (display filter) if you have a dissector (maybe a plugin) for your proprietary protocol and the dissector handles TCP desegmentation.
You could maybe try something like the following:
tethereal -f "host 10.0.0.13 and tcp port 7777" -R "myownproto.msgtype == 0x70" -w outfile.pcap
i.e. a capture filter that captures only the TCP packets that are sent to or from the server, combined with a read filter that filters the captured packets and only writes those packets that match the filter into outfile.pcap.
However, I haven't tried this myself for a similar scenario (running very long).
Maybe tethereal will use more and more memory, so that you have to restart the capture sometimes.
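
Why the read filter only works with a dissector that handles TCP desegmentation, shown as an added example that is not part of the original post: matching the message type at a fixed position in each TCP segment both misses and misreports messages, while parsing the reassembled byte stream finds exactly the right ones. The framing (1-byte type, 2-byte big-endian length, payload) is an assumption, since the thread does not describe the proprietary protocol, and the segments are constructed sample data.

```python
import struct

MSG_TYPE = 0x70  # message type used in the read filter in the post


def frame(msg_type, payload):
    """Assumed framing: 1-byte type, 2-byte big-endian payload length, payload."""
    return struct.pack("!BH", msg_type, len(payload)) + payload


def per_segment_match(segments, msg_type=MSG_TYPE):
    """Offset-style matching: test only the first payload byte of each segment."""
    return [i for i, seg in enumerate(segments) if seg and seg[0] == msg_type]


def reassembled_match(segments, msg_type=MSG_TYPE):
    """Desegmenting matching: parse whole messages out of the byte stream.

    Returns (index of the segment that completed the message, payload).
    """
    buf, hits = b"", []
    for i, seg in enumerate(segments):
        buf += seg
        while len(buf) >= 3:
            mtype, length = struct.unpack("!BH", buf[:3])
            if len(buf) < 3 + length:
                break  # message continues in a later segment
            if mtype == msg_type:
                hits.append((i, buf[3:3 + length]))
            buf = buf[3 + length:]
    return hits


# Constructed stream: two 0x70 messages, plus a 0x20 message whose payload
# happens to start with the byte 0x70.
STREAM = (frame(0x70, b"first") + frame(0x10, b"keepalive")
          + frame(0x70, b"second") + frame(0x20, b"\x70data"))

# Constructed segmentation: the second 0x70 message is coalesced into the
# middle of segment 1, and segment 2 starts inside the 0x20 message's payload.
SEGMENTS = [STREAM[0:8], STREAM[8:32], STREAM[32:]]

if __name__ == "__main__":
    print("per-segment hits:", per_segment_match(SEGMENTS))
    print("reassembled hits:", reassembled_match(SEGMENTS))
```

The per-segment check reports segments 0 and 2: it misses "second" in segment 1 and flags segment 2, which carries no 0x70 message at all.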