On Sun, 30 Mar 2003, Guy Harris wrote:
> On Sun, Mar 30, 2003 at 12:32:10PM -0600, emre wrote:
> > The Forget button appends the negation of the current filter to the
> > previous filter, processes the filter, and closes the TCP stream window.
> >
> > This enables a relatively painless exhaustive examination of multiple
> > TCP stream content.
>
> So how would this button be used?
The story is... I have a week's worth of tcpdumps for a network with a
host that was compromised by an attacker. I used tcpdump to isolate
the specific host and each foreign IP. Now I examine all the flows
interactively. I bring up 'ethereal' for each file.
I see TCP activity, I view the flow (Follow TCP stream), make my notes,
then I want to look at the next flow. So by using the 'forget' button,
which 'appends the negation of the current filter to the previous
filter', I see everything I haven't 'forgotten' yet, in the main packet
header window. Repeating this procedure for each remaining TCP flow, I
can know that I haven't missed any. Before I added this button, I had
to try to note packet numbers, etc., and with multiple simultaneous flows
between the IP pairs, I often wasted time bringing up the same flow, and I
was never quite sure I hadn't missed looking at some flows.
e.
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>
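The workflow above, as an added example that is not code from this thread or from Ethereal: each reviewed TCP stream is "forgotten" by appending the negation of its stream filter to the running display filter, and the triage loop stops only when no unreviewed stream is left in the packet list. The packet records are constructed sample data; the generated filter strings use Ethereal's display-filter syntax but are not evaluated here, since flows are tracked by their TCP 4-tuple, which is what the generated filter selects. Keying on the full 4-tuple rather than the IP pair is what keeps a second, concurrent flow between the same two hosts visible until it has been reviewed on its own.

```python
"""Model of the 'Forget' button workflow for exhaustive TCP flow review.

Added example, not part of the original mailing-list thread or of Ethereal.
PACKETS is a constructed sample capture: (frame, src, sport, dst, dport).
"""
from collections import OrderedDict

# Constructed sample data. Frames 1-5 hold two concurrent flows between the
# same IP pair (ports 40001 and 40002); frames 6-7 are a third flow.
PACKETS = [
    (1, "10.0.0.5", 40001, "203.0.113.7", 80),
    (2, "203.0.113.7", 80, "10.0.0.5", 40001),
    (3, "10.0.0.5", 40002, "203.0.113.7", 80),   # second flow, same hosts
    (4, "10.0.0.5", 40001, "203.0.113.7", 80),
    (5, "203.0.113.7", 80, "10.0.0.5", 40002),
    (6, "10.0.0.5", 40003, "198.51.100.9", 4444),
    (7, "198.51.100.9", 4444, "10.0.0.5", 40003),
]


def flow_key(pkt):
    """Direction-independent identity of a TCP flow: sorted pair of endpoints."""
    _, src, sport, dst, dport = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))


def flow_filter(key):
    """Display-filter text selecting one TCP stream in both directions.

    ip.addr / tcp.port match either end of a packet, so this is the usual
    'both hosts and both ports present' stream filter.
    """
    (a, ap), (b, bp) = key
    return (f"ip.addr=={a} && tcp.port=={ap} && "
            f"ip.addr=={b} && tcp.port=={bp}")


def forget(previous, current):
    """What the button does: previous filter AND NOT the current stream filter."""
    if not previous:
        return f"!({current})"
    return f"({previous}) && !({current})"


def remaining_flows(packets, forgotten):
    """Flows still shown in the packet list once `forgotten` keys are excluded.

    Returns an ordered mapping of flow key -> frame numbers, in first-seen order.
    """
    seen = OrderedDict()
    for pkt in packets:
        key = flow_key(pkt)
        if key not in forgotten:
            seen.setdefault(key, []).append(pkt[0])
    return seen


def triage(packets):
    """Review every flow exactly once, forgetting each after it is viewed.

    Returns (final_display_filter, review_order) where review_order lists
    (flow_key, frames) in the order an analyst would have followed them.
    """
    display_filter = ""
    forgotten = set()
    order = []
    while True:
        left = remaining_flows(packets, forgotten)
        if not left:
            return display_filter, order
        key, frames = next(iter(left.items()))   # first visible stream
        order.append((key, frames))              # "make my notes"
        display_filter = forget(display_filter, flow_filter(key))
        forgotten.add(key)


if __name__ == "__main__":
    final_filter, order = triage(PACKETS)
    for key, frames in order:
        print(f"reviewed {flow_filter(key)}  frames={frames}")
    print("final filter:", final_filter)
```

Running the script walks the three constructed flows in first-seen order and ends with a filter that excludes all of them, i.e. an empty packet list, which is the "I haven't missed any" condition the author relies on.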