Ethereal-users: Re: [Ethereal-users] Auto Flagging

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ian Schorr <spamcontrol2@xxxxxxxxxxx>
Date: Tue, 15 Jul 2003 20:06:11 -0400

Easy to do in Ethereal provided that you can build a filter that will match the symptom or event that you're looking for. I do this all the time to find interesting events.

To use your example, you'd do this to mark all TCP ACKs that took longer than 50ms to occur in a red text (bold or not-bold isn't possible, I don't believe, except as an application-wide preference):

First, make sure you can filter on TCP acknowledgement times by enabling TCP sequence number analysis under Preferences->Protocols->TCP.
Go to Display->Colorize Display (which won't be an option until you have a capture loaded).
Click "New"
Name:  <Anything you want, let's say "TCP Ack > 50ms">
String: tcp.analysis.ack_rtt > .05
Click "Foreground Color" and set the color to red.  Hit OK.
The text in the boxes should change to preview what the text in your matching frames will look like. Remember to Save if this is something you want to keep on all the time, then hit OK again.

I actually tend to use background colors (red, green, etc.) when marking interesting events since they're better visual cues as I'm walking through a trace. (For example, I usually have a "tcp.analysis.flags" color filter set with a pure red background and pure white text, though sometimes that marks TOO much.)

Remember also that color filters are processed in order, and the first matching color filter is the one used. For example, if you have a color filter of "tcp" already set to mark all TCP segments blue, let's say, and your "interesting event" filter from above ends up being lower in the list, then your "interesting event" frames will be marked blue, not red.

This is one of the most powerful features (as a direct result of filters being so powerful). I guarantee Fluke doesn't give you this level of control, though they may be able to mark a few more "diagnosed events" than Ethereal is able to...

Ian

Mark Holloway wrote:

I'm wondering if there is a way to have ethereal flag certain packets
after a capture.  For example, in Fluke Protocol Expert I can tell it to
flag packets that are longer than 50ms ack times.  When I'm done with
the capture I know that whatever is in bold red is +50ms.  It makes it
easier for me when I need to print out a capture and review it with
other engineers.  This is not a really important thing, but would be
nice. Thanks.
Regards,
Mark Holloway
Sr. Network Engineer - Arclight Systems
702-253-3861 // mobile 702.349.6170

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
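The ordering pitfall Ian describes (color filters are evaluated top to bottom and the first match wins) is easy to reproduce outside the GUI. The following is an added example, not code from the original thread or from the Ethereal project: a small Python script that parses rules written in the "@name@filter@[bg][fg]" line format that Ethereal and Wireshark use for their saved colorfilters file, evaluates them in order against a few constructed packet records, and reports which rule would color each frame. The filter evaluator is a deliberate toy that understands only a bare field name (presence test) and "field OP number" comparisons; it is not Ethereal's display-filter engine. The packet records, rule names and color values are constructed for the example.

```python
import re

# Two constructed colorfilters files (assumed Ethereal/Wireshark line format:
# "@name@filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]", 16-bit colour components).
# The only difference between them is the order of the two rules.
COLORFILTERS_WRONG_ORDER = """\
@TCP@tcp@[0,0,65535][65535,65535,65535]
@TCP Ack > 50ms@tcp.analysis.ack_rtt > .05@[65535,65535,65535][65535,0,0]
"""

COLORFILTERS_RIGHT_ORDER = """\
@TCP Ack > 50ms@tcp.analysis.ack_rtt > .05@[65535,65535,65535][65535,0,0]
@TCP@tcp@[0,0,65535][65535,65535,65535]
"""

# Constructed packet records: field name -> value, as a dissector would expose them.
PACKETS = [
    {"frame.number": 1, "tcp": True, "tcp.analysis.ack_rtt": 0.012},
    {"frame.number": 2, "tcp": True, "tcp.analysis.ack_rtt": 0.087},  # slow ACK
    {"frame.number": 3, "udp": True},
]

RULE_RE = re.compile(
    r"^@([^@]*)@([^@]*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")
COMPARE_RE = re.compile(r"^\s*([\w.]+)\s*(>=|<=|==|!=|>|<)\s*([0-9.]+)\s*$")

OPS = {
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_colorfilters(text):
    """Parse colorfilters lines into (name, filter, bg, fg) tuples, keeping file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("bad colorfilters line: " + line)
        bg = tuple(int(x) for x in m.group(3, 4, 5))
        fg = tuple(int(x) for x in m.group(6, 7, 8))
        rules.append((m.group(1), m.group(2), bg, fg))
    return rules


def matches(expr, packet):
    """Toy evaluator: 'field OP number' compares, a bare field name tests presence."""
    m = COMPARE_RE.match(expr)
    if m:
        field, op, value = m.groups()
        if field not in packet:
            return False
        return OPS[op](packet[field], float(value))
    return expr.strip() in packet


def colorize(rules, packet):
    """Return the name of the first matching rule, or None (first match wins)."""
    for name, expr, _bg, _fg in rules:
        if matches(expr, packet):
            return name
    return None


def color_names(colorfilters_text, packets=PACKETS):
    rules = parse_colorfilters(colorfilters_text)
    return [colorize(rules, p) for p in packets]


if __name__ == "__main__":
    for label, text in (("wrong order", COLORFILTERS_WRONG_ORDER),
                        ("right order", COLORFILTERS_RIGHT_ORDER)):
        print(label)
        for pkt, name in zip(PACKETS, color_names(text)):
            print("  frame %d -> %s" % (pkt["frame.number"], name))
```

With the generic "tcp" rule listed first, frame 2 (the 87 ms ACK) is colored by the "TCP" rule and the slow-ACK rule never fires; moving the specific rule above the generic one gives frame 2 its own color. The same holds in the GUI: put the narrow "interesting event" filters at the top of the list and the broad protocol filters at the bottom.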