Wireshark · Ethereal-dev: [Ethereal-dev] RE: TCP sniffing using Tethereal

Ethereal-dev: [Ethereal-dev] RE: TCP sniffing using Tethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Gilad Evrony" <gevro@xxxxxxx>

Date: Sat, 16 Apr 2005 01:17:20 +0200

To clarify:
In windump it is possible to sniff only according to a few basic things such
as port, ip, mac address etc., without having to start dealing with offsets.
And once you want to filter according to a field which doesn't always appear
at the same offset, it's impossible. Ethereal/Tethereal on the other hand
does allow you to do this using it's display filters. It also is much more
intuitive.
However, capturing with ethereal's display filters (with tethereal) only
captures the specific packet that matches the display filter. But it would
be much more powerful to capture the whole TCP/UDP session that one of its
packets matched that read filter, instead of just the specific packet that
matched it. That way, when I sniff my computer for a URL, I won't capture
only the packet with the GET for that URL, but rather, the whole session.
In short, I'm proposing to add a stateful capability to tethereal, instead
of its currently stateless implementation. 

My other idea was to add a function to ethereal to decode all the packets of
a capture file into all the different TCP/UDP sessions that were captured,
instead of just one by one using the "follow TCP stream" function.

I'm sure some of you with much more in depth knowledge of ethereal could
implement this in shorter time than I could.


--------------------------------------
    * Subject: Re: [Ethereal-dev] TCP sniffing using Tethereal
    * From: Ulf Lamping <ulf.lamping@xxxxxx>
    * Date: Thu, 16 Sep 2004 19:22:18 +0200

Gilad Evrony wrote:


    I think it would be a very powerful tool to be able to use ethereal's
read filters to sniff whole TCP/UDP sessions. 


What do you mean with a read filter? A capture or a display filter?


    That way, when a packet matches my filter, not only is it saved to disk
but also the whole TCP/UDP session it belongs to. 


Do you mean to save all session into different files while capturing?


    Also, it would be nice if the etheral could create all the TCP/UDP
streams in a file, rather than having to click one by one (Iris
    does this pretty well). 


Create streams in a file?


    If anyone knows how to do this or can advise me how I'd appreciate it. 


Please give a little more details of your thoughts, your descriptions are
very short.

Regards, ULFL

Follow-Ups:
- Re: [Ethereal-dev] RE: TCP sniffing using Tethereal
  - From: Ulf Lamping

Prev by Date: [Ethereal-dev] Buildbot crash output
Next by Date: [Ethereal-dev] get a signed number from tvb
Previous by thread: Re: [Ethereal-dev] Fuzz-testers needed
Next by thread: Re: [Ethereal-dev] RE: TCP sniffing using Tethereal
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$