Re: Generation of display filter based on a field in the pcap

[Abhik Sarkar <sarkar.abhik () gmail com>]

Hi Rohit,

I think what you are looking for is MATE (http://wiki.wireshark.org/Mate).

HTH
Abhik

On Sat, Jun 5, 2010 at 8:55 PM, Rohit Mediratta <rohit_medi () hotmail com>wrote:

>  The relation between packets is as follows.
>
> 1. Packet A is a request to setup a session. This packet has a unique
> "request tunnel Identifier" and a "requestIndex".
> 2. Packet B is a reply, this packet is tunneled with the "request tunnel
> Identifier" and contains a "reply tunnel Identifier"
> 3. Packet C is subsequent request packet which is tunneled with "reply
> tunnel Identifier"
> 4. Packet D is a subsequent reply packet which is tunneled with "request
> tunnel Identifier".
>
> NOTE: "tunnel Identifier" are unique in a single direction only, so there
> is no algorithmic correlation between the "request tunnel Identifier" and
> "reply tunnel Identifier".
>
> I am looking to generate a view for all packets which are related to the
> "requestIndex".
> I am open to the idea of editing the dissectors to achieve this.
>
> Any ideas/pointers would be very useful.
>
> thanks,
> Rohit
>
> > Date: Sat, 5 Jun 2010 12:25:55 +0200
> > From: jaap.keuter () xs4all nl
> > To: wireshark-dev () wireshark org
> > Subject: Re: [Wireshark-dev] Generation of display filter based on a
> field in the pcap
> > On 06/05/2010 11:37 AM, Rohit Mediratta wrote:
> > > Hi,
> > > I am trying to generate a display filter which is based on the the
> value
> > > of a TLV within the pcap.
> > > Let me provide an example of a display filter I am trying to generate
> in
> > > the pcap that I have.
> > >
> > > 1. Packet A has a TLV with value1 and another TLV with value2.
> > > 2. Packet B has a TLV with value2 and a TLV with value3.
> > > 3. Packet C has a TLV with value3.
> > > 4. Packet D has a TLV with value2.
> > >
> > > I'd like my display filter to be
> > > "special_display_filter == value1"
> > > When I apply this filter, I'd like all 4 packets to be displayed.
> > >
> > > This is, ofcourse, my view of how I can achieve this. If there is
> > > another methodology to achieve my aim of displaying all packets related
> > > to Packet A, then please enlighten me.
> > >
> > >
> > > My final goal is to update the flow_graph to view all 4 packets, when I
> > > select "packet flow for any packets related to Packet A". If someone
> can
> > > provide any pointers/hints that would be useful.
> > >
> > > thanks in advance,
> > > Rohit
> >
> > Hi,
> >
> > What's the relation between packet A, B, C and D? How do you identify
> this
> > relation from the packets? Your display filter now will only match packet
> A.
> > Thanks,
> > Jaap
> ___________________________________________________________________________
> > Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > Archives: http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> > mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe