By "captured line", I am referring to the lines under "No" in the heading.
Yes, that is a link-layer frame.
Yes, there is more than on iSCSI PDU in a TCP segment.
Yes, they are all dissected as you suggest. As I pointed out, it is
difficult to scan for particular PDU's that way.
Yes, only the first PDU is described in the Info column of the display.
Eddy
-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxxxx]
Sent: Tuesday, September 16, 2003 3:45 PM
To: Eddy Quicksall
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] finding iSCSI PDUs
On Sep 16, 2003, at 12:11 PM, Eddy Quicksall wrote:
> It is sometimes hard to find all iSCSI PDU headers with Ethereal. The
> reason is that some captured lines will contain several headers but
> only the first header is displayed.
What do you mean by a "captured line"? Do you mean a captured
link-layer frame?
If so, do you mean that there's more than one iSCSI PDU in a TCP
segment? If so, then, although not all of them would necessarily be
displayed in the summary line for the frame, all of them should be
dissected in the protocol tree display (the middle pane of the
display). By "only the first header is displayed", do you mean only
the first PDU is described in the Info column of the display?
> Given that, I would like to write a program to extract all packets
> for port 3260 and pick out all PDU headers.
>
> Does anyone know where I can look to see the format of an Ethereal
> file (I'm using Windows XP)?
The format of an Ethereal capture is libpcap format; files in that
format can be read by libpcap/WinPcap. See the documentation for
WinPcap at
http://winpcap.polito.it/docs/man/html/index.html
Note, however, that to find the iSCSI PDU headers, your program will
have to do all the work that Ethereal does....