Hello,
I use the following version of tethereal:
(tethereal -v
tethereal 0.9.11, with GLib 1.3.2, with libpcap (version unknown), with libz
1.1.4, with Net-SNMP 5.0.6, running on Windows NT 4.0 Service Pack 5, build
1381)
I have some questions on tethereal / ethereal:
1.) Why are ethereal / tethereal not capable of capturing more than 10
tracefiles in ringbuffer mode?
2.) When I capture in ringbuffer mode (e.g. tethereal -a filesize:2000 -b 7
-w outfile) I get only one tracefile when I stop
the capture (with CTRL + C).
How can I get all the files separated, e.g. outfile_00, outfile_01, ...,
outfile_n? (Such separate outfiles are listed in
the capture directory while the capture is running.)
This is because I want to capture a high volume of traffic, e.g. the traffic
of a whole day. If I were able to set the
file number to 1000 and the filesize to 32 Mbyte, I would be
able to do such long captures.
3.) Is it possible to limit the capture files in tethereal with a packet count
option like in Ethereal (Capture limits > stop
capture after "n" packet(s) captured)?
4.) Why is there a packet count option to limit a capture in ethereal but not in
tethereal? I thought all such "global" options
would be the same in ethereal and in tethereal.
5.) I tried the following command:
tethereal -r <infile> -z "proto,colinfo,ip.proto == 6,tcp.nxtseq"
but I get the following output:
00:02:37.966848 2.321526 85 199.105.181.41 -> 1.40.34.164 TCP 8292 > 8277 [PSH, ACK] Seq=1435071514 Ack=1702498735 Win=8192 Len=27
With this command I should get the TCP next sequence number in each packet's
output.
What is wrong? I thought it was the filter expression "ip.proto == 6",
but I also tried
tethereal -r <infile> -z "proto,colinfo,frame.pkt_len>10,frame.pkt_len"
which works.
So I also tried:
tethereal -r <infile> -z "proto,colinfo,frame.pkt_len>10,tcp.hdr_len"
and there was no tcp.hdr_len field present in the output (==> so it
could not be a wrong filter).
Am I using the command wrong? (I want to get some information printed in
the output, e.g. TCP flags or tcp.nxt_seq.)
6.) I tried to do an error analysis on a tracefile, so I used the following
commands:
tethereal -r <infile> "-R tcp.checksum_bad == 1"
tethereal -r <infile> "-R tcp.checksum_bad == 0"
==> there was no output of any frame. (I also checked for TCP frames in
infile.)
The solution was to enable it in the GUI (ethereal > preferences > TCP > enable
analyse TCP sequence number).
Is there a preferences file where I can do such configuration in
command line mode?
Do you have any documentation on such features, like the preferences
file?
7.) How can I use the tcp.analysis.* parameters?
Some of them have boolean values, so I can use them in filters (like in
question 6).
Some analysis parameters have no values. How can I use those parameters,
or how is tcp.analysis.* normally used?
Best Regards
Alois Heilmaier
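As an added example (not part of this post and not code from the ethereal project), the following Python parses the one-line tethereal TCP summary quoted in question 5 and derives the value tcp.nxtseq reports for a segment: Seq plus Len, plus one when SYN or FIN consumed a sequence number, wrapped at 32 bits. The sample lines are constructed input and the function and field names are my own.

```python
import re

# Constructed sample: the summary line quoted in question 5, joined onto one line.
SAMPLE_LINE = ("00:02:37.966848 2.321526 85 199.105.181.41 -> 1.40.34.164 TCP "
               "8292 > 8277 [PSH, ACK] Seq=1435071514 Ack=1702498735 Win=8192 Len=27")

# Layout of a tethereal one-line TCP summary: absolute time, delta time, frame
# length, src -> dst, "TCP", sport > dport, [flag list], then key=value pairs.
_SUMMARY_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<delta>\S+)\s+(?P<frame_len>\d+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]\s*"
    r"(?P<rest>.*)$"
)


def parse_tcp_summary(line):
    """Parse one tethereal TCP summary line into a dict; None if it is not one."""
    m = _SUMMARY_RE.match(line.strip())
    if m is None:
        return None
    info = m.groupdict()
    info["flags"] = [f.strip() for f in info["flags"].split(",") if f.strip()]
    # Seq=, Ack=, Win=, Len= are optional key=value pairs after the flag list.
    for key, value in re.findall(r"(\w+)=(\d+)", info.pop("rest")):
        info[key.lower()] = int(value)
    for key in ("frame_len", "sport", "dport"):
        info[key] = int(info[key])
    return info


def next_seq(info):
    """Sequence number the next segment in this direction should carry
    (what tcp.nxtseq shows): Seq + payload length, +1 if SYN or FIN is set."""
    nxt = info["seq"] + info.get("len", 0)
    if "SYN" in info["flags"] or "FIN" in info["flags"]:
        nxt += 1
    return nxt & 0xFFFFFFFF  # TCP sequence numbers wrap at 2**32


if __name__ == "__main__":
    parsed = parse_tcp_summary(SAMPLE_LINE)
    print(parsed["src"], "->", parsed["dst"], "nxtseq =", next_seq(parsed))
```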