Ethereal-users: Re: [Ethereal-users] Re: Re: Re: again: Follow TCP Stream decoder plugins

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Sat, 6 Aug 2005 05:57:08 +1000
In theory, what we/someone could do is that when you save a capture
and you select Displayed+RELATED packets then

ethereal would first build a list of the displayed packets, then it
would go through the list and also insert all packets that are
referenced therein by a FT_FRAMENUM field and finally save the new
full list of packets.



On 8/5/05, Guy Harris <gharris@xxxxxxxxx> wrote:
> Fulcrum wrote:
> 
> > hi, what do you mean "by saving the Ethereal preference settings"? of
> > course I save the re-assemble protocol preference, it can only help
> > me to view target packets, but in this way, every time I need to open
> > a large packets file which cost so long time ...
> >
> > I have a large .cap file, and I use filter "mmse" to select all my
> > needed packets which are all re-assembled. I want to I can save this
> > re-assembled packets into a new file, then I can open that new file
> > quickly every time. but when I use "save as", I can't get a desired file.
> 
> What you want is to have the packets that were reassembled saved into a
> file.  There's no mechanism to save the data as reassembled packets, and
> there probably won't be any such mechanism any time soon (the file
> formats are oriented towards saving link-layer packets, as I mentioned).
> 
> What might be possible would be a way to have the system keep track of
> all the packets that went into a file, so that if you were to save a
> packet that was the last packet in some reassembled higher-level packet,
> all the other packets that were part of that higher-level packet would
> be included.
> 
> Unfortunately, this might not be enough for TCP, as TCP segment
> boundaries don't necessarily correspond to higher-level packet boundaries.
> 
> Would doing "Follow TCP Stream" to display only the packets in that
> connection, and then saving only those packets, reduce the number of
> packets in the file a sufficient amount to make a difference?
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>