Ethereal-users: Re: [Ethereal-users] Calculate Time Difference for each SYN-SYN/ACK pairs
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Lim Boon Ping <syseeker@xxxxxxxxx>
Date: Mon, 2 May 2005 01:12:54 -0700 (PDT)
Hi,
:) The error message shows that "GopDef: Pdu 'tcppdu' does not exist in tcp.mate:18". At line 18, I changed On=tcppdu to On=tcp. Ethereal works properly!
However, tethereal doesn't append any extra info provided by Mate. I key in a few commands as shown below, but nothing is shown after the default column info (mate.tcp_ses.Duration is expected). :| .
tethereal -r mylogfile.pcap -z proto,colinfo,mate.tcp.synack,mate.tcp_ses.Duration > output.txt
tethereal -r mylogfile.pcap -z proto,colinfo,tcp.flags==0x12,mate.tcp_ses.Duration > output.txt
A test of entering --> tethereal -r mylogfile.pcap -z proto,colinfo,tcp.flags==0x12,tcp.flags > output.txt
produces correct output, "tcp.flags == 0x12" is shown after default column info of every SYNACK packet.
Looking forward to some hint to overcome this last obstacle! :) . Thanks.
regards,
Jocelyn
LEGO <luis.ontanon@xxxxxxxxx> wrote:
Hi,
could you add:
Action="" Debug_Cfg=5;
as the first line of the file open it with tethereal and then send me
the console output.
Thanks
On 5/1/05, Lim Boon Ping wrote:
> Hi Luis,
>
> Thanks for your reply. :).
>
> This link
> http://www.ethereal.com/distribution/buildbot-builds/ethereal-setup-0.10.9-SVN-13430.exe
> at http://wiki.ethereal.com/Mate_2fGettingStarted seems to
> be broken, I couldn't manage to download.
>
> Due to the above obstacle, I downloaded Windows version of
> ethereal-setup-0.10.10.exe. Unfortunately, ethereal quit immediately I hit
> 'Apply' after setting configuration filename at Preferences->mate. And
> subsequently I am never able to open ethereal. I tried to reinstall
> ethereal, and the same error occurs.
>
> Next, I tried to run from command prompt by entering
>
> tethereal -o 'mate.config_filename:tcp.mate' -r mylogfile.pcap -z
> proto,colinfo,'mate.tcp_ses.Duration',mate.tcp.synack
>
> However, it returns ---> tethereal: -o flag
> "'mate.config_filename:e:\tcp.mate'" specifies unknown
> preferences.
>
> Referring to ethereal's preferences log file, I found the below:
>
> # The name of the file containing the mate module's configuration
> # A string.
> mate.config: e:\tcp.mate
>
> Well, changing from mate.config_filename to mate.config still yields the
> same error. And ethereal works properly after commenting this line. :|
>
> I am rather interested to try out this experimental version, looking forward
> your reply. :)
>
> Regards,
> Jocelyn
>
> LEGO wrote:
> MATE (http://wiki.ethereal.com/Mate) can help for this.
>
> below you'll find a mate config to measure syn-syn/ack.
>
> with:
> tethereal -o 'mate.config_filename: tcp_setup.mate' -r your_file.pcap
> -zproto,colinfo,'mate.tcp_ses.Duration' mate.tcp.synack
>
> you'll get an extra column containing the elapsed time between syn and
> syn/acks.
>
> Excel (or something similar) can do the rest.
>
> Luis.
>
> # tcp_setup.mate
> # First you need to create a tcp pdu extracting the data you need
> Action="" Name=tcp; Proto=tcp; Transport=ip; addr=ip.addr;
> port=tcp.port; tcp_syn=tcp.flags.syn; tcp_ack=tcp.flags.ack;
>
> # we won't deal with tcp pdus that have no syn
> Action="" For="" tcp_syn=1;
>
> # then we'll "mark" the pdus
> Action="" Name=syn_synack; tcp_syn=1; tcp_ack=1; .synack;
> # if syn/ack matches MATE will stop so the syn/ack won't be marked as syn
> Action="" Name=syn_synack; tcp_syn=1; .syn;
>
> # we apply the transform
> Action="" For="" Name=syn_synack;
>
> # then we need to group syn and syn/acks
> Action="" Name=tcp_ses; On=tcp_pdu; addr; addr; port; port;
>
> # then we'll start a group at syn and stop at syn/ack
> Action="" For="" syn;
> Action="" For="" synack;
>
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
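As an added illustration of what the MATE group in the quoted config does (pairing each SYN with the SYN/ACK that answers it and reporting the elapsed time), here is a small Python routine written for this archive page; it is not code from Ethereal, tethereal or MATE. The packet-record layout and the sample addresses are constructed assumptions standing in for fields tethereal would dissect.

```python
# Pair TCP SYNs with their SYN/ACKs and report the elapsed time per session,
# the same measurement the mate.tcp_ses.Duration column is meant to give.
SYN, ACK = 0x02, 0x10
SYNACK = SYN | ACK          # 0x12, the flag value used in the thread

def syn_synack_delays(packets):
    """packets: iterable of (ts, src_ip, src_port, dst_ip, dst_port, tcp_flags)
    in capture order. Returns one dict per SYN; Duration is None when the SYN
    was never answered (half-open / unanswered connection attempt)."""
    pending = {}     # (client, cport, server, sport) -> (syn_ts, result index)
    results = []
    for ts, src, sport, dst, dport, flags in packets:
        if flags & SYNACK == SYN:                  # pure SYN
            key = (src, sport, dst, dport)
            if key in pending:                     # SYN retransmission: keep the
                continue                           # original start, like MATE's group
            pending[key] = (ts, len(results))
            results.append({"client": src, "cport": sport, "server": dst,
                            "sport": dport, "Duration": None})
        elif flags & SYNACK == SYNACK:             # SYN/ACK, reverse direction
            key = (dst, dport, src, sport)
            if key not in pending:                 # SYN/ACK with no SYN seen, e.g.
                continue                           # capture started mid-handshake
            syn_ts, idx = pending.pop(key)
            results[idx]["Duration"] = ts - syn_ts
    return results

# Constructed sample capture (assumed values, not from a real trace):
# a normal handshake, one with a retransmitted SYN, an unanswered SYN and an
# orphan SYN/ACK.
SAMPLE = [
    (0.0000, "10.0.0.5", 40001, "192.0.2.10", 80, SYN),
    (0.0123, "192.0.2.10", 80, "10.0.0.5", 40001, SYNACK),
    (0.0125, "10.0.0.5", 40001, "192.0.2.10", 80, ACK),
    (1.0000, "10.0.0.6", 40002, "192.0.2.10", 443, SYN),
    (2.0000, "10.0.0.6", 40002, "192.0.2.10", 443, SYN),      # retransmit
    (2.0500, "192.0.2.10", 443, "10.0.0.6", 40002, SYNACK),
    (3.0000, "10.0.0.7", 40003, "192.0.2.11", 22, SYN),       # never answered
    (3.5000, "192.0.2.12", 25, "10.0.0.8", 40004, SYNACK),    # no matching SYN
]

if __name__ == "__main__":
    for r in syn_synack_delays(SAMPLE):
        dur = "unanswered" if r["Duration"] is None else "%.4f s" % r["Duration"]
        print("%s:%d -> %s:%d  %s" % (r["client"], r["cport"],
                                      r["server"], r["sport"], dur))
```

The retransmitted SYN is folded into its original session and the orphan SYN/ACK is dropped, which matches how the MATE group in the quoted config starts at the first syn and stops at the synack.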