Ethereal-users: Re: [Ethereal-users] Truly infinite capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Mon, 27 Nov 2000 22:47:16 -0800
On Wed, Nov 22, 2000 at 12:21:20PM -0600, McNutt, Justin M. wrote:
> I looked through the man page and the TODO list (found out that changing the
> protocols in the capture stats window is in the TODO list), but didn't find
> what I was looking for.
> 
> The protocol statistics that give protocol-specific percentages are quite
> useful, and would be *very* useful if ethereal could run infinitely.
> Suppose all the actual packets went to /dev/null, but the packet-type
> statistics were still kept.  Makes a very handy long-term protocol analysis
> tool.

I.e., you want all of Ethereal except for the part that dissects
packets? :-)

That might be a useful program, but I'm not sure it needs to be part of
Ethereal; the statistics shown in the capture window are - quite
intentionally - fairly limited (the idea is that you don't want to do
any dissection past the transport layer while you're capturing, as doing
more dissection work to figure out the protocols used *above* the
transport layer could significantly increase the CPU requirements), so
it's not clear how much of Ethereal's code would actually be useful.

A more detailed breakdown, showing how much of the traffic was HTTP and
how much was NFS and how much was SMTP and so on, might be useful
(especially if it does *all* the analysis that Ethereal does, including
the heuristic tests, watching traffic for protocol A to see if it's
saying that a subsequent connection will be using protocol B, etc.), and
*would* use the Ethereal dissection code, but I'm not certain you'd want
that by default during a regular Ethereal capture.

> (the age-old Network General Sniffer did this, although it wasn't that
> great for protocol break-down).

Actually, the Sniffer did a pretty decent job of analyzing NFS traffic,
when I used it at Connectathons, as I remember.