[Guy Harris <guy@xxxxxxxxxxxx>]

On Sep 18, 2003, at 12:23 PM, Krishna N. Ramachandran wrote:

>     I am interested in logging only certain fields in the ethereal log
> files. As an example, I may want to log only the IP Identification
> and IP length fields of all packets that I see. The motivation is to
> record only those fields I am interested in analyzing, in order to save
> space. Is this possible using tethereal?

That depends on what you mean by "ethereal log files".

It's not possible to do so in an Ethereal *capture* file.  A capture 
file contains raw packet data.

If, however, you don't write to an Ethereal capture file, and just 
write to a text file, it's almost possible:

	tethereal -r capture_file -z proto,colinfo,ip.id,ip.id -z 
proto,colinfo,ip.len,ip.len

to extract that information from an existing capture file, and

	tethereal -z proto,colinfo,ip.id,ip.id -z proto,colinfo,ip.len,ip.len 
ip

to capture on the default network interface (use "-i" to specify a 
different interface, as with any other type of Ethereal capture), with 
a filter that captures only IP packets.

I say "almost possible" because that still displays all the regular 
columns - it just happens to put
"ip.len == M" and "ip.id == N" (in that order) at the end of the Info 
column.