Ethereal-dev: Re: [Ethereal-dev] Feature request - Follow UDP Stream

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Sun, 12 Oct 2003 14:45:51 +1000

Fair enough.


What ethereal would need are two new features:
1, Clicking on the packet list should bring up a popup menu where one can
select :
      Filter/Match This Conversation
    This should at least support TCP and UDP to start with.
    For TCP packets it should create a filter like "ip.addr==x.x.x.x and
tcp.port==x and ip.addr==y.y.y.y and tcp.port==y"
    and then apply the filter.

2, Ethereal should also have a new feature for ALL filter popup menus :
    Filter trace in new window
    which would create the filter, save all packets matching the filter to a
temporary file named something like
       /tmp/<original_name>-<filter_string>.cap
    and then launch a new instance of ethereal loading the filtered capture
file.

any takers?

----- Original Message ----- 
From: "Kevin"
Sent: Sunday, October 12, 2003 11:26 AM
Subject: Re: [Ethereal-dev] Feature request - Follow UDP Stream


> I have to agree with Ian, when working on a trace, I can really focus
> my concentration on what I am doing, not what I need to do.
>
> When asked by analyzer vendors why I use Ethereal instead of their
> products, my 1st answer is always that I can just USE the tool without
> having to think about HOW to use the tool.
>
> While other tools have nifty and pretty bells and whistles, you have to
> click and poke to find what you need.  Ethereal lets me work without
> really thinking about what button to click or popping up a new menu to
> do a simple filter.  This lets me concentrate on what I need to do,
> figure out the trace.
>
> When a trace has a large number of conversations, I would not want to
> reprocess to get the conversation list and then build the filter, and
> reprocess a 2nd time.   This would really break my concentration.  It
> is far easier to make up a filter (ala Follow TCP stream) than to build
> the conversation list and process the trace 2x;
>
> That said, the ability to pull a conversation from the conversation
> list is fantastic.  One thing that would be a great addition here (yes
> another request) is the ability to open the conversation in a new
> ethereal window or process.
>
> Thanks for a great tool
>
> Kevin
>
> On Saturday, October 11, 2003, at 10:40 AM, Ian Schorr wrote:
>
> > Yes, but it would be very nice if this could be done from the packet
> > view, as well.
> >
> > I love the conversation list feature.  However, when I'm analyzing a
> > trace and deciding that I want to concentrate on a particular
> > "conversation" based on something I'm seeing while examining the
> > packet view, I shouldn't have to bring up the conversation list (and
> > reprocess the entire trace), find the conversation that I want a
> > second time, and THEN filter down.  Conversation list is for a
> > different mental "mode" of analysis.
> >
> > I often find it useful to select "Follow TCP stream" from the packet
> > list, it's a great shortcut when I'm trying to isolate a conversation.
> >  Sometimes I need the text reassembly, usually with the protocols I
> > examine, I don't.  Usually I just want the "conversation" isolation.
> >
> > I've also been thinking that it would be extremely nice if we added a
> > right-click option when an IP address field (or another L2 or L3
> > address) is selected that allows us to quickly build an address filter
> > (i.e. with IP address, it will automatically build an ip.addr==A.B.C.D
> > display filter).
> >
> > Ian
> >
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
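
The two features requested at the top of this message, sketched as an added example that is not part of the original thread and is not Ethereal code: it builds the conversation filter in the form given there and creates the temporary file for the filtered capture. The function names are hypothetical; the example goes beyond the message by also covering IPv6 (using the `ipv6.addr` field) and by creating the file with `mkstemp` and a sanitized name, since the filter string contains spaces and `==` and a fixed name under `/tmp` is predictable.

```python
import ipaddress
import os
import re
import tempfile


def conversation_filter(proto, addr_a, port_a, addr_b, port_b):
    """Build the "Match This Conversation" display filter for one packet."""
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("only TCP and UDP are supported")
    # ip_address() raises ValueError on anything that is not a literal address,
    # so nothing but digits, dots, colons and hex reaches the filter string.
    a, b = ipaddress.ip_address(addr_a), ipaddress.ip_address(addr_b)
    if a.version != b.version:
        raise ValueError("address families differ")
    for port in (port_a, port_b):
        if not (isinstance(port, int) and 0 <= port <= 65535):
            raise ValueError("port out of range")
    # ip.addr and tcp.port/udp.port match source or destination, so one filter
    # covers both directions; it does not tie each port to its address.
    field = "ip.addr" if a.version == 4 else "ipv6.addr"
    return (f"{field}=={a} and {proto}.port=={port_a} and "
            f"{field}=={b} and {proto}.port=={port_b}")


def filename_part(text, limit=80):
    """Reduce arbitrary text to characters that are safe in a file name."""
    return re.sub(r"[^A-Za-z0-9._-]+", "_", text).strip("._")[:limit]


def create_filtered_capture(original_name, filter_string, tmpdir=None):
    """Create <original_name>-<filter_string>-<random>.cap; return (fd, path)."""
    base = filename_part(os.path.basename(original_name))  # drop any directories
    prefix = f"{base}-{filename_part(filter_string)}-"
    # mkstemp opens with O_EXCL and mode 0600 and adds a random component, so a
    # file or symlink planted in a shared /tmp is never opened or overwritten.
    return tempfile.mkstemp(prefix=prefix, suffix=".cap", dir=tmpdir)
```

The caller writes the matching packets through the returned descriptor and passes the path to the new Ethereal instance.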