VERY COOL.
This is something Tethereal really really would need.
However, I have some comments:
While display filters are very powerful, they also require allk the packets
to be fully disected.
This si slow and it also starts consuming more and more memory while
tethereal runs.
On the other hand, capture filters does not require the packets to be
dissected, neither do they cause
the internal state in tethereal to start building up.
Therefore, so that it will be possible to capture at much higher speeds and
for much longer intervals,
could you consider changing it to use capture filters instead of display
filters?
From: <sford
Sent: Saturday, October 25, 2003 5:23 AM
Subject: [Ethereal-dev] Display filter as stop condition
> I've added a "Halt" feature to tethereal that uses a display filter as
> a stop condition. It is supplied as a string argument to "-H". It
> can be very useful for troubleshooting to see what led up to a
> particular condition (kindof like setting a breakpoint with an
> emulator). Combined with ring buffer, you can just start it, come
> back the next morning and have a good snapshot.
>
> I appologize for not adding the same feature to GUI ethereal (I
> wouldn't even know how to start), but for my purposes, this is
> exactly what the doctor ordered (capturing on a text-only box,
> analyzing with a GUI). I've tested it on Linux (RedHat 8.0) and
> Windows (2K).
>
> I'm not familliar with the code (I downloaded and saw it for the first
> time this morning), but a few hour's examination led to the following
> patch. Hopefully it is not too much of an abomination.
>
> Steve