Ethereal-users: Re: [Ethereal-users] Calculate Time Difference for each SYN-SYN/ACK pairs

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Lim Boon Ping <syseeker@xxxxxxxxx>
Date: Sun, 1 May 2005 09:52:50 -0700 (PDT)
Hi Luis,
 
Thanks for your reply. :).
 
 
Due to the above obstacle, I downloaded the Windows version, ethereal-setup-0.10.10.exe. Unfortunately, Ethereal quit immediately after I hit 'Apply' after setting the configuration filename at Preferences->mate. Since then I have never been able to open Ethereal. I tried to reinstall Ethereal, and the same error occurs.
 
Next, I tried to run it from the command prompt by entering
 
tethereal -o 'mate.config_filename:tcp.mate' -r mylogfile.pcap -z proto,colinfo,'mate.tcp_ses.Duration',mate.tcp.synack
 
However, it returns ---> tethereal: -o flag "'mate.config_filename:e:\tcp.mate'" specifies unknown preferences.
 
Referring to Ethereal's preferences file, I found the following:
 
# The name of the file containing the mate module's configuration
# A string.
mate.config: e:\tcp.mate
 
Well, changing from mate.config_filename to mate.config still yields the same error. And Ethereal works properly after commenting out this line. :|
 
I am rather interested in trying out this experimental version and am looking forward to your reply. :)
 
Regards,
Jocelyn
 
 
 
 
 
LEGO <luis.ontanon@xxxxxxxxx> wrote:
MATE (http://wiki.ethereal.com/Mate) can help for this.

Below you'll find a MATE config to measure SYN to SYN/ACK.

with:
tethereal -o 'mate.config_filename: tcp_setup.mate' -r your_file.pcap -z proto,colinfo,'mate.tcp_ses.Duration',mate.tcp.synack

you'll get an extra column containing the elapsed time between the SYN and the SYN/ACK.

Excel (or something similar) can do the rest.

Luis.

# tcp_setup.mate
# First you need to create a tcp pdu extracting the data you need
Action="" Name=tcp; Proto=tcp; Transport=ip; addr=ip.addr;
port=tcp.port; tcp_syn=tcp.flags.syn; tcp_ack=tcp.flags.ack;

# we won't deal with tcp pdus that have no syn
Action="" For="" tcp_syn=1;

# then we'll "mark" the pdus
Action="" Name=syn_synack; tcp_syn=1; tcp_ack=1; .synack;
# if syn/ack matches MATE will stop so the syn/ack won't be marked as syn
Action="" Name=syn_synack; tcp_syn=1; .syn;

# we apply the transform
Action="" For="" Name=syn_synack;

# then we need to group syn and syn/acks
Action="" Name=tcp_ses; On=tcp_pdu; addr; addr; port; port;

# then we'll start a group at syn and stop at syn/ack
Action="" For="" syn;
Action="" For="" synack;
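The pairing that the MATE config above expresses (group SYN and SYN/ACK by the two addresses and two ports, start the timer at the SYN, stop it at the SYN/ACK) as an added, stand-alone Python example; it is not code from this thread or from Ethereal/MATE. It builds a small pcap in memory from constructed Ethernet/IPv4/TCP frames (the addresses, ports and timestamps are made up), so it runs offline; with a real capture, pass the file's bytes to handshake_durations(). SYNs that never receive a SYN/ACK are returned separately, since an incomplete handshake is what a dropped or filtered port looks like in a trace.

```python
import struct
from typing import Dict, Iterator, List, Tuple

SYN, ACK = 0x02, 0x10
Key = Tuple[str, str, int, int]  # (client, server, client port, server port)


# --- constructed sample capture (hypothetical hosts and timings) -------------
def _ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header: no options, checksum left zero (parsed offline only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload


def _tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header carrying only the flag bits we care about."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def _frame(ts: float, src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """One pcap record: 16-byte record header + Ethernet(IPv4 ethertype)/IPv4/TCP."""
    pkt = b"\x00" * 12 + b"\x08\x00" + _ipv4(src, dst, _tcp(sport, dport, flags))
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt


PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, LINKTYPE_ETHERNET
SAMPLE_PCAP = PCAP_GLOBAL + b"".join([
    _frame(100.000000, "10.0.0.1", "10.0.0.2", 40000, 80, SYN),         # handshake 1: SYN
    _frame(100.000250, "10.0.0.2", "10.0.0.1", 80, 40000, SYN | ACK),   # handshake 1: SYN/ACK after 250 us
    _frame(100.001000, "10.0.0.1", "10.0.0.3", 40001, 443, SYN),        # handshake 2: SYN
    _frame(100.002000, "10.0.0.1", "10.0.0.4", 40002, 22, SYN),         # never answered
    _frame(100.021000, "10.0.0.3", "10.0.0.1", 443, 40001, SYN | ACK),  # handshake 2: SYN/ACK after 20 ms
    _frame(100.030000, "10.0.0.2", "10.0.0.1", 80, 40000, ACK),         # plain ACK: not part of the measurement
])


# --- parsing -----------------------------------------------------------------
def parse_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp in microseconds, frame bytes) for each record of a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec * 1_000_000 + usec, data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame: bytes):
    """Return (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:  # protocol must be TCP, header must fit
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def handshake_durations(pcap: bytes) -> Tuple[List[Tuple[Key, int]], Dict[Key, int]]:
    """Pair each SYN with the SYN/ACK of the same 4-tuple.

    Returns (completed, pending): completed holds (key, SYN-to-SYN/ACK delay in us)
    in capture order; pending holds SYNs that never got a SYN/ACK.
    """
    pending: Dict[Key, int] = {}
    completed: List[Tuple[Key, int]] = []
    for ts, frame in parse_pcap(pcap):
        fields = tcp_fields(frame)
        if fields is None:
            continue
        src, dst, sport, dport, flags = fields
        if flags & SYN and flags & ACK:
            # SYN/ACK travels server->client; flip it into the SYN's orientation.
            # Test this first, exactly as the MATE config does, so a SYN/ACK is never taken for a SYN.
            key = (dst, src, dport, sport)
            if key in pending:
                completed.append((key, ts - pending.pop(key)))
        elif flags & SYN:
            pending[(src, dst, sport, dport)] = ts  # a retransmitted SYN restarts the clock
    return completed, pending


if __name__ == "__main__":
    done, open_syns = handshake_durations(SAMPLE_PCAP)
    for (client, server, cport, sport), delay_us in done:
        print(f"{client}:{cport} -> {server}:{sport}  SYN->SYN/ACK {delay_us} us")
    for client, server, cport, sport in open_syns:
        print(f"{client}:{cport} -> {server}:{sport}  no SYN/ACK seen")
```

Timestamps are kept as integer microseconds so the arithmetic is exact; if you want the same column MATE produces, divide by 1e6. Restarting the clock on a retransmitted SYN is a deliberate choice: it measures the round trip of the attempt that actually succeeded rather than the total time the client waited.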

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
