Andreas Sikkema wrote:
>> But if there is tcp segmentation, you may not get all messages with
>> that message type.
>
> The messages are not sent very fast. But they are quite small, I
> have, however, not seen that much evidence of the Nagle
> algorithm, so....
>
> This has to run, if necessary, for weeks to see if a strange situation
> occurs.
>
> If you have a better idea for a capture filter....

No, not a capture filter, but...

You could maybe use a combination of a capture filter and a read filter (display filter) if you have a dissector (maybe a plugin) for your proprietary protocol and the dissector handles TCP desegmentation. You could maybe try something like the following:

    tethereal -f "host 10.0.0.13 and tcp port 7777" -R "myownproto.msgtype == 0x70" -w outfile.pcap

e.g. a capture filter that captures only the TCP packets that are sent to or from the server combined with a read filter that filters the captured packets and only writes those packets that are matching the filter into outfile.pcap.

However I haven't tried this myself for a similar scenario (running very long). Maybe tethereal will use more and more memory, so that you have to restart the capture sometimes.
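
The segmentation problem discussed in this thread, as an added example that is not part of the original messages: a per-packet check of the first payload byte (all a capture filter can do) compared with reassembling the stream before matching the message type. The framing (1-byte type, 2-byte big-endian body length) is an assumption, since the proprietary protocol is not described in the thread; the segments are constructed sample data, taken to be in order from one direction of one connection.

```python
import struct

MSG_TYPE = 0x70  # message type used in the read filter above
HDR = "!BH"      # assumed framing: 1-byte type, 2-byte big-endian body length
HDR_LEN = struct.calcsize(HDR)

def make_msg(msgtype, body):
    """Build one message in the assumed framing."""
    return struct.pack(HDR, msgtype, len(body)) + body

def per_segment_match(segments, wanted=MSG_TYPE):
    """Per-packet view: only the first payload byte of each segment is checked."""
    return sum(1 for seg in segments if seg and seg[0] == wanted)

def desegmented_match(segments, wanted=MSG_TYPE):
    """Reassemble the byte stream, then match on real message boundaries."""
    buf = bytearray()
    count = 0
    for seg in segments:
        buf += seg
        while len(buf) >= HDR_LEN:
            msgtype, length = struct.unpack_from(HDR, buf)
            if len(buf) < HDR_LEN + length:
                break  # message continues in a later segment
            if msgtype == wanted:
                count += 1
            del buf[:HDR_LEN + length]
    return count

def constructed_messages():
    """Constructed sample: two 0x70 messages among other traffic."""
    return [
        make_msg(0x10, b"hello"),
        make_msg(0x70, b"alarm-1"),
        make_msg(0x20, b"\x70fake"),  # body happens to start with 0x70
        make_msg(0x70, b"alarm-2"),
    ]

def constructed_segments():
    """The same bytes as TCP might deliver them: coalesced and split."""
    m1, m2, m3, m4 = constructed_messages()
    return [
        m1 + m2,                # coalesced: the 0x70 message is not at offset 0
        m3[:HDR_LEN],           # header of m3 alone
        m3[HDR_LEN:] + m4,      # starts with a 0x70 body byte, hides m4
    ]

if __name__ == "__main__":
    segs = constructed_segments()
    print("per-segment hits:", per_segment_match(segs))
    print("desegmented hits:", desegmented_match(segs))
```

With these segments the per-packet check reports a single hit, and that hit is a body byte rather than a message header, while both real 0x70 messages are missed.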