Wireshark · Ethereal-dev: [Ethereal-dev] Question about filtering TCP streams

Ethereal-dev: [Ethereal-dev] Question about filtering TCP streams

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Stuart MacDonald" <stuartm@xxxxxxxxxxxxxxx>

Date: Tue, 25 Jan 2005 18:54:41 -0500

I notice that the filtering happens with a pattern like so:

(ip.addr eq A.B.C.D and ip.addr eq E.F.G.H) and (tcp.port eq X and tcp.port eq
Y)

Picture one very long (size- and time-wise) capture file. It's
possible that the above pattern could occur multiple times, especially
for a situation like a web server where one particular host is doing a
lot of requests.

1: It seems that the "follow" functionality is implemented somewhere
above the TCP dissector. Wouldn't it be better to have TCP do this?
This way sequence numbers could be double checked, and any additional
duplicate streams would be properly ignored.

2: Feature suggestion: have the "frame" protocol have room along with
the frame numbers to store tags. Once a stream has been identified the
frames that make it up could be tagged with a unique id, and then
filtering would be much simpler.

..Stu

Prev by Date: [Ethereal-dev] RTCP conversations not set up in recent SVN version
Next by Date: [Ethereal-dev] [PATCH] IAX2 dissector crash
Previous by thread: RE: [Ethereal-dev] RTCP conversations not set up in recent SVN version
Next by thread: [Ethereal-dev] [PATCH] IAX2 dissector crash
Index(es):
- Date
- Thread