On Sep 16, 2003, at 12:11 PM, Eddy Quicksall wrote:
It is sometimes hard to find all iSCSI PDU headers with Ethereal. The
reason is that some captured lines will contain several headers but
only the first header is displayed.
What do you mean by a "captured line"? Do you mean a captured
link-layer frame?
If so, do you mean that there's more than one iSCSI PDU in a TCP
segment? If so, then, although not all of them would necessarily be
displayed in the summary line for the frame, all of them should be
dissected in the protocol tree display (the middle pane of the
display). By "only the first header is displayed", do you mean only
the first PDU is described in the Info column of the display?
Given that, I would like to write a program to extract all packets
for port 3260 and pick out all PDU headers.
Does anyone know where I can look to see the format of an Ethereal
file (I'm using Windows XP)?
The format of an Ethereal capture is libpcap format; files in that
format can be read by libpcap/WinPcap. See the documentation for
WinPcap at
http://winpcap.polito.it/docs/man/html/index.html
Note, however, that to find the iSCSI PDU headers, your program will
have to do all the work that Ethereal does....