Eddy Quicksall wrote:
>It is sometimes hard to find all iSCSI PDU headers with Ethereal. The reason
>is that some captured lines will contain several headers but only the first
>header is displayed. Given that, I would like to write a program to extract
>all packets for port 3260 and pick out all PDU headers.
>
>Does anyone know where I can look to see the format of an Ethereal file (I'm
>using Windows XP)?
I think that it would be good to be able to dump each reassembled PDU separately in some way.
Loic Minier has written some code to dump PDUs for certain protocols.
http://www.ethereal.com/lists/ethereal-users/200308/msg00013.html
http://www.ethereal.com/lists/ethereal-dev/200308/msg00045.html
I have not looked so closely at his solution, but I had already made a very small change to the TPKT dissector so that I could
get each reassembled TPKT PDU dumped as octets when making a printout (print to file with hex octets from Ethereal or Tethereal).
I then use a separate program to parse the printout and prepare a file with each reassembled TPKT PDU separately.
http://www.ethereal.com/lists/ethereal-users/200308/msg00014.html
It was the add_new_data_source that solved the problem in my case.
add_new_data_source(pinfo,my_tvb,"TPKT-DATA")
For each PDU I get the "TPKT-DATA" header followed by the hex data for that PDU, i.e. something like below.
TPKT-DATA
0000 a3 71 10 21 1a 45 10 27 12 00 1f 10 23 10 17 20 XXXXXXXXXXXXXXXXX
0010 78 af 10 72 XXXX
TPKT DATA
0000 74 78 af 10 27 10 XXXXXX
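
Added example, not part of the original message and not the poster's program: one way to split such a printout into one byte string per reassembled PDU. The function name split_pdus is hypothetical, and the layout (a header line, then rows of offset, hex octets and an ASCII column) is assumed from the sample above.

```python
import re

# Constructed input: the sample printout from the message above; the X runs
# stand in for the ASCII column.
SAMPLE = """\
TPKT-DATA
0000 a3 71 10 21 1a 45 10 27 12 00 1f 10 23 10 17 20 XXXXXXXXXXXXXXXXX
0010 78 af 10 72 XXXX
TPKT DATA
0000 74 78 af 10 27 10 XXXXXX
"""

# The sample shows the header both as "TPKT-DATA" and "TPKT DATA"; accept both.
HEADER = re.compile(r"^TPKT[- ]DATA\b")
ROW = re.compile(r"^([0-9a-fA-F]{4,})\s+(.*)$")   # offset, then rest of row
OCTET = re.compile(r"^[0-9a-fA-F]{2}$")

def split_pdus(printout):
    """Return a list of bytes objects, one per TPKT-DATA block."""
    pdus, current = [], None          # current: bytearray while inside a block
    for line in printout.splitlines():
        line = line.strip()
        if HEADER.match(line):
            if current is not None:
                pdus.append(bytes(current))
            current = bytearray()
            continue
        if current is None:
            continue                  # hex rows of other data sources: skipped
        row = ROW.match(line)
        if not row:                   # any other text closes the block
            pdus.append(bytes(current))
            current = None
            continue
        if int(row.group(1), 16) != len(current):
            raise ValueError(f"offset gap at row {line[:4]}: dump is incomplete")
        # A wide gap, when present, separates hex from ASCII. Otherwise stop at
        # the first token that is not a hex pair (a short ASCII column that
        # happens to look like one, e.g. "ab", would be misread).
        hex_part = re.split(r"\s{2,}", row.group(2), maxsplit=1)[0]
        for tok in hex_part.split()[:16]:
            if not OCTET.match(tok):
                break
            current.append(int(tok, 16))
    if current is not None:
        pdus.append(bytes(current))
    return pdus

if __name__ == "__main__":
    for i, pdu in enumerate(split_pdus(SAMPLE)):
        print(i, len(pdu), pdu.hex())
```

The offset check catches a row that was lost or cut short in the printout, which would otherwise silently shift every later octet of that PDU.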