Ethereal-users: [Ethereal-users] Question on flow of frames directly into Ethereal
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Didier" <di07s@xxxxxxxx>
Date: Sat, 15 Oct 2005 09:16:05 +0200
Question on flow of frames directly into Ethereal
=================================================
Hi,

    I'm a new user of Ethereal; it is a very good sniffer tool. Thanks to all the developers for it.

    I have been impressed by the "flow graph" functionality, which I find very useful to have an idea of what's happening at a glance.

    My question is similar to this "flow graph" feature, but inside the main window of Ethereal.

    Has anybody found a way in Ethereal itself to have a "color rule" that would display directly in the Ethereal window, for instance:

       - a brown background for all the frames which are a retransmission of the selected frame
       - a dark blue background for all the frames (all, because there may be retransmissions of the answer) which are an answer to the selected frame
       - a light blue background for all the frames (all, because there may be retransmissions of the query) which are a query of the selected frame

    Naturally, I would like the frame colors to change differently as we move from the selected frame to another one.
    I would also like to get results for TCP and UDP.

For a TCP connection, for instance:

    Frame 10:  IP_A  IP_B  (ip.id=89  seq=1  ack=5  next_expected_seq=2)  --->  A query (see seq/ack) of the selected frame (light blue)
    ...
    Frame 20:  IP_A  IP_B  (ip.id=89  seq=1  ack=5  next_expected_seq=2)  --->  A retransmission of the query (see seq/ack) of the selected frame (light blue)
    ...
    Frame 30:  IP_B  IP_A  (ip.id=23  seq=5  ack=2  next_expected_seq=6)  --->  The selected frame (black)
    ...
    Frame 40:  IP_B  IP_A  (ip.id=23  seq=5  ack=2  next_expected_seq=6)  --->  A retransmission of the selected frame (brown)
    ...
    Frame 50:  IP_A  IP_B  (ip.id=90  seq=2  ack=6  next_expected_seq=2)  --->  An answer (see seq/ack) of the selected frame (dark blue)
    ...
    Frame 60:  IP_A  IP_A  (ip.id=90  seq=2  ack=6  next_expected_seq=2)  --->  A retransmission of the answer (see seq/ack) of the selected frame (dark blue)

For a UDP connection:

    Frame 10:  IP_A  IP_B  (data 1=dns query)  --->  A query (exists only if the selected frame is the answer) of the selected frame (light blue)
    ...
    Frame 20:  IP_A  IP_B  (data 1=dns query)  --->  A retransmission of the query (exists only if the selected frame is the answer) of the selected frame (light blue)
    ...
    Frame 30:  IP_B  IP_A  (data ="" query/answer)  --->  The selected frame (black)
    ...
    Frame 40:  IP_B  IP_A  (data ="" query/answer)  --->  A retransmission of the selected frame (brown)
    ...
    Frame 50:  IP_A  IP_B  (data 2=dns answer)  --->  An answer (exists only if the selected frame is the query) of the selected frame (dark blue)
    ...
    Frame 60:  IP_A  IP_A  (data 2=dns answer)  --->  A retransmission of the answer (exists only if the selected frame is the query) of the selected frame (dark blue)

    If it is not done and a developer wants to do it, maybe to improve performance we could check only the 500 frames around (downward/upward of the selected frame or the frame which has been seen as a retransmission).

    Maybe there is an expression that does that; I haven't found it. Otherwise this need may be solved by 3 new expressions:

         selection-retransmission
         selection-query
         selection-answer

    Thanks a lot for any help.

NB: Sorry for my poor English, I'm French

Didier 
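
Added example (not part of the original post and not Ethereal code): a Python sketch of the seq/ack matching that the TCP table in the message describes, including the 500-frame search window. The names Frame, nxt, classify and color_frames are hypothetical, and the sample frames are constructed from the table, with frame 60 assumed to go from IP_A to IP_B.

```python
from collections import namedtuple

# Field names follow the table in the post; "nxt" stands for next_expected_seq.
Frame = namedtuple("Frame", "num src dst seq ack nxt")

COLORS = {"selected": "black", "retransmission": "brown",
          "query": "light blue", "answer": "dark blue"}

def classify(frame, sel):
    """Return the role of `frame` relative to the selected frame `sel`, or None."""
    if frame.num == sel.num:
        return "selected"
    same_dir = (frame.src, frame.dst) == (sel.src, sel.dst)
    reverse = (frame.src, frame.dst) == (sel.dst, sel.src)
    if same_dir and (frame.seq, frame.ack, frame.nxt) == (sel.seq, sel.ack, sel.nxt):
        return "retransmission"
    # Query: the selected frame acknowledges exactly the data this frame carried.
    if reverse and frame.nxt == sel.ack and frame.ack == sel.seq:
        return "query"
    # Answer: this frame acknowledges exactly the data the selected frame carried.
    if reverse and frame.seq == sel.ack and frame.ack == sel.nxt:
        return "answer"
    return None

def color_frames(frames, selected_num, window=500):
    """Map frame number -> color, scanning only `window` frames on either side."""
    idx = next(i for i, f in enumerate(frames) if f.num == selected_num)
    sel = frames[idx]
    colored = {}
    for f in frames[max(0, idx - window): idx + window + 1]:
        role = classify(f, sel)
        if role:
            colored[f.num] = COLORS[role]
    return colored

# Constructed sample modeled on the TCP table (frame 60 direction is an assumption).
SAMPLE = [
    Frame(10, "IP_A", "IP_B", 1, 5, 2),
    Frame(20, "IP_A", "IP_B", 1, 5, 2),
    Frame(30, "IP_B", "IP_A", 5, 2, 6),
    Frame(40, "IP_B", "IP_A", 5, 2, 6),
    Frame(50, "IP_A", "IP_B", 2, 6, 2),
    Frame(60, "IP_A", "IP_B", 2, 6, 2),
]
```

Calling color_frames(SAMPLE, 30) gives the colors listed in the table; selecting another frame number recolors the list relative to that frame.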