Ethereal-users: RE: [Ethereal-users] define output in tethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Niklas Abrahamsson (KI/EAB)" <niklas.abrahamsson@xxxxxxxxxxxx>
Date: Wed, 23 Nov 2005 12:02:48 +0100
Is it possible to use several -z "proto,colinfo,xxxxx" in any way? It
would make things easier for me since that is what I wanted to get from
the beginning. 

I tried doing a -z "proto,colinfo,tcp.srcport" which naturally works with
tcp packets and doesn't give an output on say udp packets. Would it be
possible to use both tcp.srcport and udp.srcport to get output?
For example:

-z "proto,colinfo,tcp.srcport" -z "proto,colinfo,udp.srcport" 

Would print out the srcport regardless of it being udp or tcp?

If it was possible to do that then I wouldn't have to use the -V mode to
get the information I need which is basically an output of:

"Arrival time, source address, destination address, protocol, source port,
destination port, packet length"

Most of these you get without using the -V mode but tethereal isn't
really consistent in the way it is displayed. And the port numbers are
sometimes translated into names like "http" or such, something I'm
just not interested in.


-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: den 31 oktober 2005 00:26
To: Ethereal user support
Subject: Re: [Ethereal-users] define output in tethereal

Niklas Abrahamsson (KI/EAB) wrote:
> Is there a reason why you can't define the output based on what fields
> you want?

Because nobody's written and contributed code to do exactly that. 
(There is an option that's similar, "-z proto,colinfo"; see below.)

> With the filters already in place it seems like it shouldn't really be
> a problem.
> 
> like the -R command except that instead of filtering out all the 
> packets the packets and getting an output of the whole packets that 
> corresponds to the filtering. with some usage like: -Display 
> "frame.pkt_len"

"-Display" wouldn't work all that well, at least as long as we're using
"getopt()", as that's equivalent to "-D -i -s -p -l -a -y".  It wouldn't
even work well with "getopt_long()", although "--display" would work in
that case.  (Switching to "getopt_long()" might be a Good Thing, as
UN*X's tradition of one-letter options only started getting a bit old
and tired a while ago.)

> which would then give you a list of only the packet lengths of all the
> packets in a dump-file that pass the additional filtering.

That works for "frame.pkt_len", but note that a packet could have more
than one instance of a given packet; what should it do if there's more
than one?

Note that you *can* do

	-z proto,colinfo,frame.pkt_len,frame.pkt_len

without "-V" to *add* the value of "frame.pkt_len" to the summary
output.  If there's more than one instance of a given field, it'll show
all of them.

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
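
Added example, not part of the original thread and not Ethereal's code: the getopt() clustering behaviour described in the reply above, showing "-Display" being read as seven one-letter options while "--display" is only recognised by getopt_long(). The option set (D, i, s, p, l, a, y as plain flags) and the "--display" long option are hypothetical, chosen to match the reply rather than tethereal's real option table.

```c
#include <getopt.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical option set, not tethereal's real one: seven plain flags. */
static const char SHORT_OPTS[] = "Dailpsy";

/* Hypothetical long option "--display <field>", reported as 'F'. */
static const struct option LONG_OPTS[] = {
    {"display", required_argument, NULL, 'F'},
    {NULL, 0, NULL, 0}
};

/* Record every option character returned, in order, in seen[]
 * (NUL-terminated). *field receives the argument of --display, or NULL.
 * Returns the number of options returned by the parser. */
static int parse(int argc, char **argv, int use_long,
                 char *seen, size_t cap, const char **field)
{
    int c;
    size_t n = 0;

    *field = NULL;
    optind = 1;   /* restart scanning on every call */
    opterr = 0;   /* no diagnostics from the library */
    for (;;) {
        c = use_long ? getopt_long(argc, argv, SHORT_OPTS, LONG_OPTS, NULL)
                     : getopt(argc, argv, SHORT_OPTS);
        if (c == -1)
            break;
        if (c == 'F')
            *field = optarg;
        if (n + 1 < cap)
            seen[n++] = (char)c;
    }
    seen[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed command lines. */
    char *a[] = {"tethereal", "-Display", "frame.pkt_len", NULL};
    char *b[] = {"tethereal", "--display", "frame.pkt_len", NULL};
    char seen[16];
    const char *field;

    parse(3, a, 0, seen, sizeof seen, &field);
    printf("getopt      -Display  -> flags \"%s\"\n", seen);
    parse(3, b, 1, seen, sizeof seen, &field);
    printf("getopt_long --display -> field %s\n", field ? field : "(none)");
    return 0;
}
```

With "-Display" the field name is left over as a non-option argument in both parsers; only the double-dash form binds it to the option.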