Re: [Wireshark-dev] Splitting one packet into multiple packets

Thu, 24 Feb 2011 12:39:26 -0800 

Roland,

Do you want to see the following:

-- FRAME 1
-- ETHERNET II FRAME
-- IP FRAME
-- UDP FRAME
-- MY PROTOCOL FRAME 1/4

-- FRAME 1
-- ETHERNET II FRAME
-- IP FRAME
-- UDP FRAME
-- MY PROTOCOL FRAME 2/4

etc?

Why that? Do yo have a post processing step that relies on this? wireshark is a 
protocol analyzer and as such its all about 'frame in frame in frame'.

David

Am 24.02.2011 09:31, schrieb Roland Knall:

Hello

I have the following situation. The trace identifies (correctly)
packets I am interested in. These packets come from a device, which
collects packets, puts them together into one udp frame, and sends
them over the network. Right now I trace the udp payload, and call the
packet dissector for my packet more than once, which will result in a
listing like this:

-- FRAME
-- ETHERNET II FRAME
-- IP FRAME
-- UDP FRAME
-- MY PROTOCOL FRAME
-- MY PROTOCOL FRAME
-- MY PROTOCOL FRAME
-- MY PROTOCOL FRAME


I would like to be able to put those protocol frames each in a single
row, so that instead of having one chunked up row like the one above,
I have (in this case) 4 packets, each with a single protocol frame.

I figured there are 2 ways of achieving this:

1. Use a DisplayFilter - but so far I have not found a solution using
this approach. I would prefer it, but understand if this would not be
feasible
2. Use some sort of CaptureFilter - which would require messing around
with libpcap/winpcap . The solution must be cross-platform.

Has anyone an idea how to achieve this with using just a
DisplayFilter, or could point me into a direction for where to change
an input filter.

btw, changing libpcap/winpcap should really be last resort.

kind regards, Roland
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list<wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
              mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Reply via email to