> On Sun, Mar 30, 2003 at 12:32:10PM -0600, emre wrote:
> > The Forget button appends the negation of the current filter to the
> > previous filter, processes the filter, and closes the TCP stream window.
> >
> > This enables a relatively painless exhaustive examination of multiple
> > TCP stream content.
>
> So how would this button be used?
The story is.. I have a week's worth of tcpdumps for a network with a
host that was compromised by an attacker. I used tcpdump to isolate
the specific host and each foreign IP. Now I examine all the flows
interactively. I bring up 'ethereal' for each file.

I see TCP activity, I view the flow (Follow TCP stream), make my notes, then I want to look at the next flow. So by using the 'forget' button, which 'appends the negation of the current filter to the previous filter', I see everything I haven't 'forgotten' yet in the main packet header window. Repeating this procedure for each remaining TCP flow, I can know that I haven't missed any. Before I added this button, I had to try to note packet numbers, etc., and with multiple simultaneous flows between the IP pairs, I often wasted time bringing up the same flow, and I was never quite sure I hadn't missed looking at some flows.
e.
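The workflow described above, modelled as an added example that is not part of the mail or of Ethereal's own code: each "Follow TCP stream" yields a filter for one connection, "Forget" conjoins the negation of that filter onto the previous one, and looping until nothing is visible guarantees every flow in the capture was examined once. The packet records are constructed, and the display-filter text is an approximation of Ethereal's syntax, not the exact string the tool generates.

```python
from collections import namedtuple

# Constructed sample capture: three TCP flows between one host and two
# peers, interleaved the way they would be in a real tcpdump file.
Packet = namedtuple("Packet", "num src sport dst dport")
PACKETS = [
    Packet(1, "10.0.0.5", 1025, "192.0.2.9", 80),
    Packet(2, "192.0.2.9", 80, "10.0.0.5", 1025),
    Packet(3, "10.0.0.5", 1026, "192.0.2.9", 80),
    Packet(4, "10.0.0.5", 1027, "198.51.100.4", 22),
    Packet(5, "198.51.100.4", 22, "10.0.0.5", 1027),
    Packet(6, "192.0.2.9", 80, "10.0.0.5", 1026),
]


def follow(pkt):
    """'Follow TCP stream': a predicate matching both directions of the
    connection pkt belongs to, plus approximate display-filter text."""
    ends = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    pred = lambda p: frozenset([(p.src, p.sport), (p.dst, p.dport)]) == ends
    text = " and ".join("(ip.addr eq %s and tcp.port eq %d)" % e
                        for e in sorted(ends))
    return pred, text


def forget(prev, current):
    """The Forget button: previous filter AND NOT the current stream filter."""
    ppred, ptext = prev
    cpred, ctext = current
    return (lambda p: ppred(p) and not cpred(p),
            "(%s) and !(%s)" % (ptext, ctext))


def examine_all(packets):
    """Repeat follow/forget until the packet list is empty. Returns the
    stream filters examined, in order; each flow appears exactly once."""
    remaining = (lambda p: True, "tcp")   # starting filter, assumed
    seen = []
    while True:
        visible = [p for p in packets if remaining[0](p)]
        if not visible:
            return seen
        cur = follow(visible[0])           # look at the first flow still shown
        seen.append(cur[1])                # ...make notes...
        remaining = forget(remaining, cur)  # then press Forget


if __name__ == "__main__":
    for f in examine_all(PACKETS):
        print(f)
```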