On Wed, May 30, 2001 at 12:58:29PM -0400, kai-ethereal-trap@xxxxxxxx wrote:
> I've missed this for some time: is there a way to get relative,
> rather than (bulky, virtually unreadable by a human) absolute
> TCP sequence numbers in dumps from (t)ethereal? (in particular
> tethereal, as screen space is always at a premium with vt100
> terms). tcpdump does this by default,
...relative to the first sequence number it sees, rather than
necessarily relative to the beginning of the conversation, as there's no
guarantee you'll see the initial SYN of the conversation.
Note also that, to do that, tcpdump needs to allocate a data structure
for every TCP connection it sees; at least at one point there was a
discussion in tcpdump-workers of a denial-of-service problem wherein one
could provoke tcpdump into running out of memory (I forget whether this
was merely stated as a hypothetical problem or if it was a real
problem).
On the other hand, at some point, we will probably have the TCP
dissector keep track of duplicate data and provide an in-order byte
stream to dissectors running above it, which would require a data
structure per connection in any case - I suspect that if you care about
DoS problems in network analyzers you should do a capture to a file and
then, when analyzing the capture, turn fancy TCP processing off if
leaving it on causes you to run out of memory.
In any case, Ethereal does not currently have code to provide relative
sequence numbers (and note that somebody reported a problem with
tcpdump's code to do so, a while ago; I forget the details, but have
some code that may handle some of it, but I think it needs more work -
i.e., just lifting tcpdump's code right now may not be the right idea).
It would probably be a useful feature to add at some point, but unless
somebody contributes code to implement it, it probably won't appear
soon.
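As an added illustration (not code from this thread, tcpdump or Ethereal), the following sketch computes sequence numbers relative to the first one seen in each direction of a flow, as the reply describes, and bounds the per-connection table so the state cannot grow without limit. The eviction policy, flow key and sample packets are assumptions constructed for this example.

```python
from collections import OrderedDict

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class RelativeSeqTracker:
    """Map absolute TCP sequence numbers to numbers relative to the first one
    seen for that direction of a flow (no SYN required). The table is bounded;
    the least recently seen flow is evicted (hypothetical policy for this example)."""

    def __init__(self, max_flows=4096):
        self.max_flows = max_flows
        # (src, sport, dst, dport) -> first absolute seq seen in that direction
        self._base = OrderedDict()

    def relative(self, src, sport, dst, dport, seq):
        key = (src, sport, dst, dport)
        base = self._base.get(key)
        if base is None:
            if len(self._base) >= self.max_flows:
                self._base.popitem(last=False)  # evict least recently seen flow
            self._base[key] = seq
            return 0
        self._base.move_to_end(key)             # mark flow as recently seen
        return (seq - base) % SEQ_MOD           # modular difference handles wrap

    def tracked_flows(self):
        return len(self._base)


# Constructed sample "packets": (src, sport, dst, dport, absolute seq).
# The capture starts mid-conversation, so no SYN is present.
SAMPLE_PACKETS = [
    ("10.0.0.1", 40000, "10.0.0.2", 80, 0xFFFFFF00),  # first seen -> 0
    ("10.0.0.2", 80, "10.0.0.1", 40000, 3000000000),  # reverse direction -> 0
    ("10.0.0.1", 40000, "10.0.0.2", 80, 0x00000010),  # wrapped past 2^32 -> 0x110
    ("10.0.0.2", 80, "10.0.0.1", 40000, 3000001460),  # -> 1460
]


def relative_seqs(packets, max_flows=4096):
    """Return the relative sequence number for each packet, in capture order."""
    tracker = RelativeSeqTracker(max_flows)
    return [tracker.relative(*p) for p in packets]


if __name__ == "__main__":
    for pkt, rel in zip(SAMPLE_PACKETS, relative_seqs(SAMPLE_PACKETS)):
        print(f"{pkt[0]}:{pkt[1]} > {pkt[2]}:{pkt[3]} seq {pkt[4]} -> rel {rel}")
```

When a flow is evicted under memory pressure and later reappears, its relative numbering silently restarts at 0, which is the trade-off the bounded table makes against the memory-exhaustion problem mentioned above.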