On Tuesday, July 15, 2003, at 4:38 PM, Mark Holloway wrote:
I'm wondering if there is a way to have ethereal flag certain packets
after a capture.
That question is too broad, as the answer to a fairly literal
interpretation of the question, i.e. "is there a way to get Ethereal to
somehow mark packets with certain characteristics" is "yes" for some
characteristics, but they might not be the characteristics in which
you're interested.
For example in Fluke Protocol Expert I can tell it to
flag packets that are longer than 50ms ack times. When I'm done with
the capture I know that whatever is in bold red is +50ms.
In that particular case, the answer is "yes" if by "packets that are
longer than 50ms ack times" you mean "ACK packets whose time stamp is >
50ms later than the time stamp of the packet they're ACKing", if you
turn on the "Analyze TCP sequence numbers" option and use a color
filter that colors packets for which the filter "tcp.analysis.ack_rtt >
.05" is true. (If you turn off that option, that filter will not be
true for any packets.)
It's currently not true, however, if you mean the packet being ACKed;
the TCP analysis (which should arguably be called something other than
"Analyze TCP sequence numbers" as it now does more than that) doesn't
put the time-to-ack into the protocol tree as a property of the ACKed
packet, it only puts it into the protocol tree as a property of the
ACKing packet.