hello.
while working with ethereal on heavily loaded networks, i often
remembered nice feature of (e.g.) Tektronix analyzer, it has two
filters, with one i can filter at the moment packet arrives and
to drop unwanted packets immediately, the other filters output (as in
Ethereal).
Well, you might say libpcap plays the role for the former in Ethereal,
but pcap does not know many protocols Ethereal does, so this is not as
effective i use it mostly for narrowing sniffing scope like 'udp and
port 3386'. well, i think 'gtpv0.tid == "1234567890abcdefg"' would be
better for the purpose...
however, on a loaded network, Ethereal quickly becomes so huge in memory
that makes it very ineffective for continuous network analysis, also it
makes it ineffective when working with huge dump files.
what if there would be an additional filter in capture start and open
windows, allowing to select Ethereal filter to pass only desired
traffic?
please include me in Cc: since i'm not on the list. thanks!
--
Denis A. Doroshenko, GPRS engineer
Omnitel Ltd., T. Sevcenkos st. 25, Vilnius, Lithuania
d.doroshenko@xxxxxxxxxxx, +370 2 262188