Hi Guy,
Yes, I know I can do a "Save As" after doing a "Follow TCP Stream".
... but I have hundreds of TCP streams within a single packet dump
file. I was just wondering if there is an easier way to do this (i.e.
command-line/tethereal) so that if I fire the script to tethereal with
the specified filter expression, I can generate all hundreds of new
packet dump files, each one a separate TCP stream.
As for the statistics, maybe I can do this using tethereal and using a
combination of various text utilities, specific to what I have.
Thanks,
John Salvo
Guy Harris wrote:
>
> > 1) Is there any way that, from a given packet dump file, I can create
> > several other packet dump files such that each dump file represents one
> > TCP stream? I am looking through the filter expressions but I can't see
> > anything that sort of relates to what I want to do.
>
> "Follow TCP Stream" constructs a filter expression that matches all
> packets in the stream, and then filters with that expression; if, after
> you've done a "Follow TCP Stream" (and haven't cleared the filter at the
> bottom of the window...), you do a "Save As" and select the "Save only
> packets currently being displayed" checkbox in the "Save Capture File
> As" dialog box, you can save to a file the packets within the TCP stream
> you've followed.
>
> > 2) .. and then I would like to determine the min, max, average delta time
> > between packets in all the TCP streams?
>
> Unfortunately, Ethereal doesn't have any tool to generate statistics
> such as that; however, there may be tools out there that can read
> capture files in libpcap/tcpdump format (which is the default format for
> Ethereal) and generate statistics such as that.
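
Added example, not part of the original thread and not Ethereal code: a standard-library Python sketch of both requests, splitting a libpcap-format capture into one capture per TCP stream and computing the min/max/average delta time per stream. All function names are hypothetical, the sample capture is constructed, and it assumes Ethernet link type, IPv4 without VLAN tags, microsecond timestamps, and packets stored in capture order.

```python
import struct
from collections import defaultdict
def tcp_key(frame):
    """Direction-independent stream key for an Ethernet/IPv4/TCP frame, else None."""
    ihl = (frame[14] & 0x0F) * 4 if len(frame) >= 34 else 0   # IPv4 header length
    if ihl < 20 or frame[12:14] != b"\x08\x00" or frame[23] != 6 or len(frame) < 18 + ihl:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    a, b = (frame[26:30], sport), (frame[30:34], dport)
    return (a, b) if a <= b else (b, a)       # same key for both directions

def split_streams(data):
    """Return (global_header, {key: [(timestamp_us, raw_record), ...]})."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # byte order from magic
    streams, off = defaultdict(list), 24                    # skip 24-byte file header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        record = data[off:off + 16 + incl]                  # record header + frame
        key = tcp_key(record[16:])
        if key is not None:
            streams[key].append((sec * 1_000_000 + usec, record))
        off += 16 + incl
    return data[:24], dict(streams)

def delta_stats(pkts):
    """(min, max, average) gap in microseconds between consecutive packets."""
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    return (min(gaps), max(gaps), sum(gaps) / len(gaps)) if gaps else None

def stream_file(global_hdr, pkts):
    """Bytes of a new capture file containing only this stream's packets."""
    return global_hdr + b"".join(rec for _, rec in pkts)

def sample_capture():
    """Constructed little-endian capture: two interleaved TCP streams."""
    def rec(usec, src, sport, dst, dport):
        ip = b"\x45\x00\x00\x28" + bytes(4) + b"\x40\x06" + bytes(2) + bytes(src) + bytes(dst)
        tcp = struct.pack("!HH", sport, dport) + bytes(8) + b"\x50\x10" + bytes(6)
        frame = bytes(12) + b"\x08\x00" + ip + tcp
        return struct.pack("<IIII", 100, usec, len(frame), len(frame)) + frame
    c, s, c2 = (10, 0, 0, 1), (10, 0, 0, 2), (10, 0, 0, 3)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
        rec(0, c, 1025, s, 80), rec(500, s, 80, c, 1025), rec(1000, c2, 2000, s, 80),
        rec(2500, c, 1025, s, 80), rec(4000, c2, 2000, s, 80)])

if __name__ == "__main__":
    hdr, streams = split_streams(sample_capture())
    for key, pkts in streams.items():
        print(key, len(pkts), delta_stats(pkts), len(stream_file(hdr, pkts)))
```

To use it on a real capture, read the file in binary mode, pass the bytes to split_streams, and write each stream_file result to its own output file.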