Ethereal-users: Re: [Ethereal-users] IP Identification number

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 4 Apr 2003 16:40:21 -0800

On Fri, Apr 04, 2003 at 04:25:32PM -0800, Ben Carter wrote:
> If this question has already been answered I apologize for my inability
> to find it in the mailing list archives or the FAQ.
>  
> Is it possible to display the IP identification number in the main
> display?

There is no mechanism for doing that, although there is a tap mechanism
to allow arbitrary fields to be shown in the summary output in
Tethereal:

	hostname$ man tethereal

		...


	     -z	 Get Tethereal to collect various types	of statistics and
		 display the result after finishing reading the	capture
		 file.	Currently implemented statistics are:

			...

		 -z proto,colinfo,filter,field

		 Append	all field values for the packet	to the COL_INFO
		 information line.  This feature can be	used to	append
		 arbitrary fields to the COL_INFO line in addition to the
		 normal	content	of the COL_INFO	line.  field is	the
		 display-filter	name of	a field	which value should be
		 placed	on the COL_INFO	line.  filter is a filter string
		 that controls for which packets the field value will be
		 presented on COL_INFO line. field will	only be	presented
		 on the	COL_INFO line for the packets which match filter.
	
		 NOTE: In order	for tethereal to be able to extract the
		 field value from the packet, field MUST be part of the
		 filter	string.	If not,	tethereal will not be able to
		 extract its value.

		 For a simple example to add the "nfs.fh.hash" field to
		 COL_INFO for all packets containing the "nfs.fh.hash"
		 field,	use

		 -z proto,colinfo,nfs.fh.hash,nfs.fh.hash

		 To put	"nfs.fh.hash" on COL_INFO but only for packets
		 coming	from host 1.2.3.4 use :

		 -z "proto,colinfo,nfs.fh.hash &&
		 ip.src==1.2.3.4,nfs.fh.hash"

		 This option can be used multiple times	on the command
		 line.

> This will be very helpful when examining UDP video streams for
> missing packets (these packet captures can be 120,000+ packets).
> Better yet, is there any way ethereal can raise some sort of flag when UDP
> packets arrive out of order or are missing? 

Given that there is no notion of "out of order" or "missing" UDP packets
- UDP has no sequence number to allow an order to be determined or to
indicate that there are gaps in traffic - no, there is no way it, or any
other program that deals with captured network traffic, could ever do so
for arbitrary UDP packets.

It might be possible for dissectors for particular protocols running *on
top of* UDP to do so if *those* protocols had some form of sequence
number.  However, no such dissector has, as far as I know, any feature
such as that.
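
Added example, not part of the original message and not Ethereal code: the check the original poster asks about, done offline by reading the IP identification field of each IPv4/UDP frame in a classic pcap file and reporting jumps per source address. The function names `ip_ids`, `find_gaps` and `sample_pcap` are hypothetical, the capture is constructed, and the whole approach assumes the sender increments the IP ID by one per datagram and talks to no other host during the capture, which many IP stacks do not guarantee, so a reported gap is a hint rather than proof of loss.

```python
import struct

def ip_ids(pcap):
    """Yield (frame_no, src_ip, ip_id) for each IPv4/UDP frame in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off, frame_no = 24, 0
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off, frame_no = off + 16 + caplen, frame_no + 1
        # Ethernet II (14 bytes) + IPv4 header: ethertype 0x0800, protocol 17 = UDP
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        ip_id, frag = struct.unpack("!HH", frame[18:22])
        if frag & 0x1FFF == 0:  # later fragments repeat the ID of the first one
            yield frame_no, ".".join(map(str, frame[26:30])), ip_id

def find_gaps(records):
    """Report IP ID jumps per source, treating the ID as a 16-bit wrapping counter."""
    last, events = {}, []
    for frame_no, src, ip_id in records:
        if src in last:
            delta = (ip_id - last[src]) & 0xFFFF
            if delta == 0 or delta >= 0x8000:
                # Same or older ID than the newest one seen: late or duplicate
                events.append((frame_no, src, "reordered-or-duplicate", ip_id))
                continue  # keep the highest ID seen as the reference
            if delta > 1:
                events.append((frame_no, src, "gap", delta - 1))
        last[src] = ip_id
    return events

def sample_pcap(ids, src=bytes([192, 0, 2, 10]), dst=bytes([192, 0, 2, 20])):
    """Constructed capture: one empty UDP datagram per IP ID (checksums left at 0)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, ip_id in enumerate(ids):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, 0, 64, 17, 0, src, dst)
        udp = struct.pack("!HHHH", 5004, 5004, 8, 0)
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    # Constructed ID sequence: wraps at 65535, skips 2 and 3, then 3 arrives late
    for event in find_gaps(ip_ids(sample_pcap([65533, 65534, 65535, 0, 1, 4, 3, 5]))):
        print(event)
```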