My need is to have a pcap flow (coming from a named pipe, for example)
of the filtered / desegmented data.
To reach this, it seems to me that I could write a new option to ethereal,
that would build a "fake" pcap of the desegmented capture.
Is this acceptable?
Thank you.
Pierre
Guy Harris wrote:
Pierre JUHEN wrote:
If a PDU is divided into more than 1 TCP packet,
how is the desegmented result output?
- 1 global frame
- more than one frame
- only the last frame ?
"Output" in what sense?
Desegmentation has no effect on the binary "-w" output.
It does have an effect on the text output you get without "-w".
Tcpdump still prints each link-layer packet ("frame") separately.
The protocol layers from the link layer to the TCP layer are printed
for each of those frames. For the protocol running above TCP, the
desegmented data will be printed for the last frame only, although
if a TCP segment has, for example, all of one packet, followed by
the beginning of the next packet, the first packet will be printed
for the frame containing the segment, and the second packet will be
printed for the frame containing the last data in that packet.
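
The frame attribution described in the reply above, as an added example that is not part of the original thread and is not Ethereal's code. It assumes a hypothetical upper-layer protocol whose PDUs carry a 2-byte big-endian length prefix, and TCP segments that arrive in order with no loss or retransmission; `desegment`, `pdu` and `SAMPLE_FRAMES` are names made up for this sketch.

```python
import struct

HDR = 2  # assumed framing: 2-byte big-endian body length, then the body


def pdu(body: bytes) -> bytes:
    """Encode one PDU in the assumed length-prefixed format."""
    return struct.pack(">H", len(body)) + body


def desegment(frames):
    """Reassemble PDUs from (frame_no, tcp_payload) pairs of one stream direction.

    Returns a list of (frame_no, body), where frame_no is the frame that
    carried the last byte of that PDU, i.e. the frame under which the
    desegmented PDU would be shown.
    """
    buf = bytearray()
    out = []
    for frame_no, payload in frames:
        buf += payload
        # A single segment may complete several PDUs, so keep draining.
        while len(buf) >= HDR:
            (length,) = struct.unpack_from(">H", buf)
            if len(buf) < HDR + length:
                break  # PDU continues in a later frame
            out.append((frame_no, bytes(buf[HDR:HDR + length])))
            del buf[:HDR + length]
    return out


# Constructed sample: three PDUs cut into three TCP segments.
A, B, C = b"first-pdu", b"second-pdu-spanning", b"third"
STREAM = pdu(A) + pdu(B) + pdu(C)
SAMPLE_FRAMES = [
    (1, STREAM[:15]),    # all of A, followed by the beginning of B
    (2, STREAM[15:25]),  # middle of B only: nothing completes here
    (3, STREAM[25:]),    # rest of B, then all of C
]

if __name__ == "__main__":
    for frame_no, body in desegment(SAMPLE_FRAMES):
        print(f"frame {frame_no}: {body!r}")
```

A writer for a "fake" pcap of desegmented data could emit one record per returned tuple, but it would have to synthesize the lower-layer headers itself, since the binary capture output is unaffected by desegmentation.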