Ethereal-users: Re: [Ethereal-users] Binary log question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 11 Jun 2003 23:41:43 -0700
On Wed, Jun 11, 2003 at 10:15:55PM -0600, Jerry M. Howell II wrote:
>    I was wondering. I used tcpdump to create a binary file. The file is
>    over 150 megs. When I try to open it ethereal crashes after it loads
>    10%. Is there a way to separate say all traffic that comes from and is
>    dest. to a specific IP addie into another bin file?

You could do that with tcpdump:

	tcpdump -r {input file} -w {output file} ip host {IP address}

will, for example, read the specified input file and write to the
specified output file those packets in the input file that are going to
or from the specified IP address.

You can also do it with Tethereal:

	tethereal -r {input file} -w {output file} ip.addr=={IP address}

However, you may be making an assumption that isn't necessarily true -
namely that the problem with Ethereal is that the file is too big.

The problem might just be that there's a bug in Ethereal, in which case
filtering out the traffic to or from a particular IP address might help
(in which case that has nothing to do with reducing the size of the
capture, it just means that the traffic that triggered the Ethereal bug
didn't happen to be going to or from that IP address) or it might *not*
help (if the traffic that triggered the bug *was* going to or from that
address).

Before you do any filtering, you should first

	1) make sure you're running the latest version of Ethereal, if
	   possible (the latest version is 0.9.13, which was just
	   released today - the Windows installer for it is available
	   now; for UNIX, you'll probably have to download source and
	   recompile, unless and until 0.9.13 binaries are built for
	   your platform);

	2) attempt to get a stack trace from the crash, using a debugger
	   (if you're on UNIX, you might have GDB or a vendor's
	   debugger; I'm not sure how to get a stack trace on Windows)
	   and send it to the ethereal-dev mailing list (when I say
	   "stack trace", I mean the text output of the debugger, *NOT*,
	   for example, a UNIX core dump file, which isn't useful to
	   anybody not running on your platform, and might not even be
	   useful to somebody running on your platform unless they have
	   your Ethereal binary *AND* your version of the OS).

If this is an Ethereal bug, simply working around it rather than sending
us enough information to at least attempt to figure out what the problem
is and fix it means that it's more likely some other user will see the
same problem in the future.
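The two commands above (tcpdump with `ip host`, Tethereal with `ip.addr==`) both read a libpcap-format file and write out only the records whose IPv4 source or destination matches. The following is an added example, not code from the original mail nor from Ethereal or tcpdump: a pure-Python reader/writer for the libpcap file format that does the same "copy matching packets to a second capture" job by hand, so the byte-level structure being filtered is visible. It assumes an Ethernet (DLT 1) capture with IPv4 traffic (one optional 802.1Q tag is walked; ARP, IPv6 and anything else is skipped), and the sample capture it filters is constructed inline.

```python
"""Filter one IPv4 host out of a libpcap capture (added example, not tcpdump's or Ethereal's code)."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic seen byte-swapped (big-endian file)
DLT_EN10MB = 1               # Ethernet link layer (the only one handled here)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100


def _endian(magic_bytes):
    """Return the struct byte-order prefix for this pcap file, or raise."""
    (magic,) = struct.unpack("<I", magic_bytes)
    if magic == PCAP_MAGIC_LE:
        return "<"
    if magic == PCAP_MAGIC_BE:
        return ">"
    raise ValueError("not a libpcap file (bad magic %#x)" % magic)


def ipv4_endpoints(frame):
    """Return (src, dst) dotted quads for an IPv4 Ethernet frame, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:   # one 802.1Q tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    ip = frame[offset:offset + 20]
    if ip[0] >> 4 != 4:                                    # version nibble
        return None
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])


def filter_host(pcap_bytes, host):
    """Return (new_pcap_bytes, kept) keeping only packets with IPv4 src or dst == host.

    Same effect as `tcpdump -r in -w out ip host <host>`: the 24-byte global
    header is copied unchanged so the result is still a valid capture file.
    """
    order = _endian(pcap_bytes[:4])
    hdr = pcap_bytes[:24]
    linktype = struct.unpack(order + "IHHiIII", hdr)[6]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet (DLT 1) captures are handled")
    out, kept, pos = [hdr], 0, 24
    while pos + 16 <= len(pcap_bytes):
        rec = pcap_bytes[pos:pos + 16]                     # ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(order + "IIII", rec)[2]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < incl_len:
            break                                          # truncated final record; stop cleanly
        ends = ipv4_endpoints(frame)
        if ends and host in ends:
            out.append(rec + frame)
            kept += 1
    return b"".join(out), kept


def _ipv4_frame(src, dst, payload=b""):
    """Build a minimal Ethernet+IPv4 frame (constructed test data; IP checksum left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def sample_pcap(frames):
    """Wrap frames in a little-endian libpcap container (constructed sample; timestamps arbitrary)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


def demo():
    """Filter a constructed four-packet capture down to the two packets touching 192.0.2.10."""
    frames = [
        _ipv4_frame("10.0.0.5", "192.0.2.10", b"x" * 40),          # to the host: kept
        _ipv4_frame("10.0.0.7", "10.0.0.8", b"y" * 40),            # unrelated: dropped
        _ipv4_frame("192.0.2.10", "10.0.0.5", b"z" * 40),          # from the host: kept
        b"\xff" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,   # ARP frame: not IPv4, dropped
    ]
    full = sample_pcap(frames)
    filtered, kept = filter_host(full, "192.0.2.10")
    return len(full), len(filtered), kept


if __name__ == "__main__":
    print("full %d bytes, filtered %d bytes, kept %d packets" % demo())
```

For a real file, read it with `open(path, "rb").read()`, pass the bytes to `filter_host`, and write the returned bytes to a new `.pcap`; the output opens in tcpdump or Ethereal like any other capture. As the mail points out, shrinking the file this way is a workaround, not a diagnosis: if the crash is an Ethereal bug, the packet that triggers it may or may not survive the filter.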