Emre wrote:
>The Forget button appends the negation of the current filter to the
>previous filter, processes the filter, and closes the TCP stream window.
>
>This enables a relatively painless exhaustive examination of multiple
>TCP stream content.
>
Seems to be something that could be useful. Will the display filter string not be too long after a while if you apply this several times for a certain capture? I don't know how long the filter strings can be.

I'm mainly looking for a possibility to see a summary of all TCP streams (and UDP and ...) in a separate window and to press a filter button to filter out a specific connection (or maybe even a combination of streams), similar to the "Connections" functionality in Packetyzer (www.packetyzer.com).

In Tethereal there is the IO-Users functionality ("TopTalkers"). I was thinking of looking at how difficult it is to port this to Ethereal and maybe add some filtering buttons and so on. However, I don't think I will have so much time for that in the next two weeks or so, and I'm also new to GTK.

Example:
========
tethereal -r infile.pcap -R "not eth" -z io,users,tcp
IO-USERS Statistics
Type:tcp
Filter:<No Filter>
                                              |       <-      | |       ->      | |     Total     |
                                              | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
10.89.141.132:1063   <-> 10.119.92.50:80            48  48903         20   8053         68  56956
10.89.141.132:1062   <-> 10.119.92.50:80            44  45193         20   8016         64  53209
10.89.141.132:1060   <-> 10.119.92.50:80            56  78215          1    394         57  78609
10.89.141.132:1061   <-> 10.119.92.50:80            33  32699         17   6838         50  39537
10.89.141.132:1064   <-> 10.119.92.50:80            30  29726         16   6422         46  36148
10.54.131.142:80     <-> 10.89.141.132:1049         10   4023         25  29381         35  33404
10.89.141.132:1047   <-> 10.46.226.41:80            23  34030          1    324         24  34354
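
Added example, not part of the original message or of Ethereal's code: a Python sketch that parses io,users rows like those above, builds one display filter per conversation, and chains negations the way the Forget button is described, so the filter length after repeated use can be measured. The address/port filter form, the `and` joiner and all function names are assumptions.

```python
import re

# Constructed sample: three rows copied from the io,users table in the post.
SAMPLE = """\
10.89.141.132:1063 <-> 10.119.92.50:80 48 48903 20 8053 68 56956
10.89.141.132:1062 <-> 10.119.92.50:80 44 45193 20 8016 64 53209
10.54.131.142:80 <-> 10.89.141.132:1049 10 4023 25 29381 35 33404
"""

# One IPv4 conversation row: addr:port <-> addr:port followed by six counters.
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+):(\d+)\s+<->\s+(\d+\.\d+\.\d+\.\d+):(\d+)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

def parse_conversations(text):
    """Return one dict per conversation row; header and title lines are skipped."""
    convs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        a, a_port, b, b_port = m.group(1, 2, 3, 4)
        convs.append({"a": a, "a_port": int(a_port), "b": b, "b_port": int(b_port),
                      "frames": int(m.group(9)), "bytes": int(m.group(10))})
    return convs

def stream_filter(c, proto="tcp"):
    """Display filter for both directions of one conversation (assumed form)."""
    return ("(ip.addr eq {a} and ip.addr eq {b}) and "
            "({p}.port eq {a_port} and {p}.port eq {b_port})").format(p=proto, **c)

def forget(previous, current):
    """Append the negation of the current filter to the previous filter."""
    negated = "!(" + current + ")"
    return negated if not previous else previous + " and " + negated

def forget_all(convs):
    """Apply forget() once per conversation, as repeated button presses would."""
    acc = ""
    for c in convs:
        acc = forget(acc, stream_filter(c))
    return acc

if __name__ == "__main__":
    convs = parse_conversations(SAMPLE)
    result = forget_all(convs)
    print(result)
    print(len(result), "characters after", len(convs), "forgotten streams")
```

With this filter form each forgotten stream adds roughly 100 characters, so the accumulated string grows linearly with the number of streams dismissed.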