Re: [Ethereal-users] Re: Re: Re: again: Follow TCP Stream decoder plugins

[Guy Harris <gharris@xxxxxxxxx>]

Fulcrum wrote:

> hi, what do you mean "by saving the Ethereal preference settings"? of
> course I save the re-assemble protocol preference, it can only help
> me to view target packets, but in this way, every time I need to open
> a large packets file which cost so long time ...
>
> I have a large .cap file, and I use filter "mmse" to select all my
> needed packets which are all re-assembled. I want to I can save this
> re-assembled packets into a new file, then I can open that new file
> quickly every time. but when I use "save as", I can't get a desired file. 

What you want is to have the packets that were reassembled saved into a 
file.  There's no mechanism to save the data as reassembled packets, and 
there probably won't be any such mechanism any time soon (the file 
formats are oriented towards saving link-layer packets, as I mentioned).

What might be possible would be a way to have the system keep track of 
all the packets that went into a file, so that if you were to save a 
packet that was the last packet in some reassembled higher-level packet, 
all the other packets that were part of that higher-level packet would 
be included.

Unfortunately, this might not be enough for TCP, as TCP segment 
boundaries don't necessarily correspond to higher-level packet boundaries.

Would doing "Follow TCP Stream" to display only the packets in that 
connection, and then saving only those packets, reduce the number of 
packets in the file a sufficient amount to make a difference?