severity 616415 wishlist
tags 616415 wonfix
thanks

Hi,

Editcap does not analyze the packets and it would not be practical to implement such a feature in editcap. This feature could be implemented in Wireshark or in tshark, but we would need to implement arbitrarily complex filters.

On the other hand one can write a Lua tap [1] which calculates the MD5 sum of the desired fields, stores it, and marks the subsequent frames with matching MD5 sum. After having the obsolete frames marked one can save the not marked frames in a new capture file, achieving what editcap can't do.

Considering that the generalized problem can be solved by the proposed simple method I don't think that changing Wireshark/Tshark would provide any benefit, hence the wontfix tag.

If you feel that some functionality is missing from Wireshark, please ask [email protected] first, they may find a quick solution for your problem.

Cheers,
Balint

[1]: http://wiki.wireshark.org/Lua/Taps

2011/3/4 Ph. Marek <[email protected]>:
> Package: wireshark-common
> Version: 1.4.4-1
> Severity: normal
>
> When having merged captures from two machines the "remove duplicates" option in
> editcap doesn't work, because the identical packets have a different header
> field "packet type" with values "Sent by us" (4) vs. "unicast to us" (0), and
> so the MD5 is different and both are kept.
>
> Furthermore, in case there's a router in between, the MAC addresses would be
> different, too; so it might make sense to define some point from which the MD5
> gets derived.
>
> Per default the MD5 should be derived from the Link-Layer, but optionally only
> the IP, TCP, or perhaps even more restricted data areas might be chosen. (So
> perhaps this could be an "expression" what fields to use in the MD5, eg.
> "http.host,http.request.uri" to keep only all different URLs being used)
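
The hash-and-mark approach discussed in this thread, as an added example that is not part of the original messages: it is written in Python rather than as a Wireshark Lua tap, and hashes each frame from the network layer onward so that the Linux cooked-capture "packet type" field (4 vs. 0) no longer makes identical packets look different. The function names, the `ignore_hop_fields` option (which goes beyond the thread by also zeroing the IPv4 TTL and header checksum that a router rewrites) and the sample frames are constructed for illustration.

```python
import hashlib
import struct

LINK_HDR_LEN = {"sll": 16, "ethernet": 14}  # Linux cooked v1, untagged Ethernet II

def dedup_key(frame: bytes, linktype: str, ignore_hop_fields: bool = False) -> bytes:
    """MD5 over the frame from the network layer onward (link-layer header skipped)."""
    hdr = LINK_HDR_LEN[linktype]
    if len(frame) <= hdr:
        raise ValueError("frame has no payload after the link-layer header")
    data = bytearray(frame[hdr:])
    # A router rewrites the IPv4 TTL (byte 8) and header checksum (bytes 10-11),
    # so zero them when copies captured on both sides of a hop should match.
    if ignore_hop_fields and len(data) >= 20 and data[0] >> 4 == 4:
        data[8] = 0
        data[10:12] = b"\x00\x00"
    return hashlib.md5(bytes(data), usedforsecurity=False).digest()

def mark_duplicates(frames, linktype, ignore_hop_fields=False):
    """Return one bool per frame: True if an earlier frame had the same key."""
    seen, marks = set(), []
    for frame in frames:
        key = dedup_key(frame, linktype, ignore_hop_fields)
        marks.append(key in seen)
        seen.add(key)
    return marks

# --- constructed sample frames (not taken from a real capture) ---
def _ipv4(ident, ttl, csum):
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, ident, 0, ttl, 17, csum,
                       src, dst) + b"constructed!"

def _sll(pkttype, lladdr, payload):
    # packet type, ARPHRD_ETHER, address length, address (padded to 8), EtherType
    return struct.pack("!HHH8sH", pkttype, 1, 6, lladdr, 0x0800) + payload

MAC_HOST, MAC_ROUTER = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
FRAMES = [
    _sll(4, MAC_HOST, _ipv4(1, 64, 0x1111)),    # "Sent by us" on the sender
    _sll(0, MAC_HOST, _ipv4(1, 64, 0x1111)),    # same packet, "unicast to us"
    _sll(0, MAC_ROUTER, _ipv4(1, 63, 0x1211)),  # same packet after one router hop
    _sll(0, MAC_HOST, _ipv4(2, 64, 0x1110)),    # a different packet
]

if __name__ == "__main__":
    print(mark_duplicates(FRAMES, "sll"))
    print(mark_duplicates(FRAMES, "sll", ignore_hop_fields=True))
```

Frames marked `True` are the ones to drop when writing the new capture file; hashing the whole frame instead would keep all four, since every frame differs somewhere in its link-layer header.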

