Ethereal-users: RE: [Ethereal-users] Disable protocols

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Thu, 1 Mar 2001 18:08:37 -0600
> > Does anyone out there know a way to disable all protocol
> > decodings (hotkey?) so that I can press only the few buttons I need?
> 
> Just out of curiosity, why do you want to disable the dissectors for the
> majority of the protocols?
> 
> Perhaps there is some other deficiency in Ethereal that you're trying to
> work around, in which case we may be able to fix that deficiency.

In ethereal, disabling all but a few dissectors would vastly improve the
parsing time of very large (>50000 packet) captures if you're looking for
something specific like AIM, but still allow you to see the rest of the
packets (which you can't do with just a display filter).

In tethereal, it would *VASTLY* reduce the output of 'tethereal -V -r
capture.file' (which I use a lot).

For example, suppose I wanted to use ethereal (or easier, tethereal) to
figure out what percentage of my Internet traffic was AIM, and tell me
something about who was using it, etc. etc.  I could do:

tethereal -i eth1 -w capture.file -c 10000

That would give me everything on my Internet connection (there's a box that
has a tap attached to eth1) for a sample of 10000 packets, which makes the
math easier.

Now, I want my Perl script to parse through the output of 'tethereal -V -r
capture.file' very quickly, and I want it to tell me how many AIM packets it
found (divide by 100 to get the percentage; same as times 100 divided by
10000), AND do extensive analysis on the AIM data, AND grab some trivial
information (top talkers) from the IP headers, and nothing else, and I want
it to run fast, and I want it to use a minimum of memory/disk space.

I can't just use capture filters because then I'll get 100% "usage rate".
Besides, I want statistics on the IP top talkers.

I can't just use display filters, because if I only display AIM packets, I
can't run top talkers stats on all the IP packets, and if I allow all the IP
packets, the packets will get decoded completely, and the size of the output
grows to a monstrous size.

HOWEVER, if I could tell it to decode the IP headers, and all the way down
into any AIM packet, then I'd still be able to run statistics on the top IP
talkers, have a reasonably short output (no TCP/UDP/Layer 7 decodes on most
packets), and have the AIM packets dissected, all in one pass.

I can see how there might be restrictions on how much it would actually
speed things up.  For example, if I asked for all IP headers to be decoded,
and then I also ask for AIM, then [t]ethereal still has to look at least into
the next layer to see if the packet is an AIM packet or not, but at least I
won't get the decoded output for FTP, Telnet, HTTP, SNMP, and a zillion
other things.  The shortened output of 'tethereal -V' alone would be a boon
to me.

Of course, my opinion is worth what you paid for it, and I'm perfectly
satisfied with ethereal the way it is (well, except for the frame[xx] eq
'stuff' bug, but you know what I mean).  Just arguing the point for the sake
of discussion...

--J
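As an added example (not part of the original post or of Ethereal itself), here is the post-processing step the message describes, written in Python rather than the author's Perl: it walks 'tethereal -V'-style output one frame at a time, counts frames that carry an AIM dissection to get the usage percentage, and totals wire bytes per source IP for the top-talkers list. The line layout of the sample is a constructed approximation of tethereal's verbose output, and the "AOL Instant Messenger" marker line is an assumption about how the AIM dissector labels itself.

```python
import re
from collections import Counter

# Constructed sample in the style of 'tethereal -V' output. The exact layout
# is an assumption; real output has many more lines per frame.
SAMPLE = """\
Frame 1 (74 on wire, 74 captured)
Ethernet II
Internet Protocol, Src Addr: 10.1.1.5 (10.1.1.5), Dst Addr: 64.12.24.1 (64.12.24.1)
Transmission Control Protocol, Src Port: 1045, Dst Port: 5190
AOL Instant Messenger
Frame 2 (60 on wire, 60 captured)
Ethernet II
Internet Protocol, Src Addr: 10.1.1.7 (10.1.1.7), Dst Addr: 192.0.2.80 (192.0.2.80)
Transmission Control Protocol, Src Port: 1100, Dst Port: 80
Hypertext Transfer Protocol
Frame 3 (74 on wire, 74 captured)
Ethernet II
Internet Protocol, Src Addr: 10.1.1.5 (10.1.1.5), Dst Addr: 64.12.24.1 (64.12.24.1)
Transmission Control Protocol, Src Port: 1045, Dst Port: 5190
AOL Instant Messenger
Frame 4 (42 on wire, 42 captured)
Ethernet II
Address Resolution Protocol
"""

FRAME_RE = re.compile(r"^Frame (\d+) \((\d+) on wire")
IP_RE = re.compile(r"^Internet Protocol, Src Addr: (\S+) .*Dst Addr: (\S+) ")

def summarize(text, aim_marker="AOL Instant Messenger"):
    """Return (total frames, AIM frames, AIM percent, wire bytes per source IP)."""
    total = aim = wire_len = 0
    aim_seen = False
    talkers = Counter()
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:                      # new frame: reset per-frame state
            total += 1
            wire_len = int(m.group(2))
            aim_seen = False
            continue
        m = IP_RE.match(line)
        if m:                      # IP header: credit the source as a talker
            talkers[m.group(1)] += wire_len
        elif line.startswith(aim_marker) and not aim_seen:
            aim += 1               # count each AIM-dissected frame once
            aim_seen = True
    pct = 100.0 * aim / total if total else 0.0
    return total, aim, pct, talkers
```

Feed it real output with `summarize(open("capture.txt").read())` and read top talkers off `talkers.most_common(10)`; with the 10000-packet sample from the message, the percentage is just the AIM count divided by 100.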