Ethereal-users: Re: [Ethereal-users] Re: Re: Re: again: Follow TCP Stream decoder plugins
Fulcrum wrote:
hi, what do you mean "by saving the Ethereal preference settings"? of
course I save the re-assemble protocol preference, it can only help
me to view target packets, but in this way, every time I need to open
a large packets file which cost so long time ...
I have a large .cap file, and I use filter "mmse" to select all my
needed packets which are all re-assembled. I want to I can save this
re-assembled packets into a new file, then I can open that new file
quickly every time. but when I use "save as", I can't get a desired file.
What you want is to have the packets that were reassembled saved into a
file. There's no mechanism to save the data as reassembled packets, and
there probably won't be any such mechanism any time soon (the file
formats are oriented towards saving link-layer packets, as I mentioned).
What might be possible would be a way to have the system keep track of
all the packets that went into a file, so that if you were to save a
packet that was the last packet in some reassembled higher-level packet,
all the other packets that were part of that higher-level packet would
be included.
Unfortunately, this might not be enough for TCP, as TCP segment
boundaries don't necessarily correspond to higher-level packet boundaries.
Would doing "Follow TCP Stream" to display only the packets in that
connection, and then saving only those packets, reduce the number of
packets in the file a sufficient amount to make a difference?
