Hi Abhik,
  Mate seems like the solution I am looking for.

I cannot find the dialog where I configure the <protocol>.mate file. As per the 
Mate's "Getting Started" page there should be a "(Edit->)* Preferences->mate" 
dialog. However, I do not see such an option with wireshark 1.2.8. 

Things I have already tried:
1. Maybe this option has been moved to another location on the UI, but I've 
spent 30 min. of searching on the UI.
2. Grep'ed the gtk directory for "mate" to see if I can trace the dialogs.
3. I ensured that I checked "Mate" during the install, and it is listed in 
"About->Plugin" as well.



1. Can someone help me configure Wireshark to use the sample tcp.mate as listed 
on the "Getting Started" page?
2. Is there a default directory which is used to source *.mate files?

thanks,
Rohit


Date: Sat, 5 Jun 2010 21:19:40 +0400
From: [email protected]
To: [email protected]
Subject: Re: [Wireshark-dev] Generation of display filter based on a field in the pcap

Hi Rohit,

I think what you are looking for is MATE (http://wiki.wireshark.org/Mate).

HTH
Abhik

On Sat, Jun 5, 2010 at 8:55 PM, Rohit Mediratta <[email protected]> wrote:

The relation between packets is as follows.

1. Packet A is a request to set up a session. This packet has a unique "request 
tunnel Identifier" and a "requestIndex".
2. Packet B is a reply, this packet is tunneled with the "request tunnel 
Identifier" and contains a "reply tunnel Identifier".
3. Packet C is a subsequent request packet which is tunneled with "reply tunnel 
Identifier".
4. Packet D is a subsequent reply packet which is tunneled with "request tunnel 
Identifier".

NOTE: "tunnel Identifier" are unique in a single direction only, so there is no 
algorithmic correlation between the "request tunnel Identifier" and "reply 
tunnel Identifier".


I am looking to generate a view for all packets which are related to the 
"requestIndex".
I am open to the idea of editing the dissectors to achieve this. 

Any ideas/pointers would be very useful.


thanks,
Rohit

> Date: Sat, 5 Jun 2010 12:25:55 +0200
> From: [email protected]
> To: [email protected]
> Subject: Re: [Wireshark-dev] Generation of display filter based on a field in 
> the pcap
> 
> On 06/05/2010 11:37 AM, Rohit Mediratta wrote:
> > Hi,
> > I am trying to generate a display filter which is based on the value
> > of a TLV within the pcap.
> > Let me provide an example of a display filter I am trying to generate in
> > the pcap that I have.
> >
> > 1. Packet A has a TLV with value1 and another TLV with value2.
> > 2. Packet B has a TLV with value2 and a TLV with value3.
> > 3. Packet C has a TLV with value3.
> > 4. Packet D has a TLV with value2.
> >
> > I'd like my display filter to be
> > "special_display_filter == value1"
> > When I apply this filter, I'd like all 4 packets to be displayed.
> >
> > This is, of course, my view of how I can achieve this. If there is
> > another methodology to achieve my aim of displaying all packets related
> > to Packet A, then please enlighten me.
> >
> >
> > My final goal is to update the flow_graph to view all 4 packets, when I
> > select "packet flow for any packets related to Packet A". If someone can
> > provide any pointers/hints that would be useful.
> >
> > thanks in advance,
> > Rohit
> >
> 
> Hi,
> 
> What's the relation between packet A, B, C and D? How do you identify this 
> relation from the packets? Your display filter now will only match packet A.
> 
> Thanks,
> Jaap
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <[email protected]>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:[email protected]?subject=unsubscribe
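
The packet relation described in this thread (A to D tied together through tunnel identifiers that are unique per direction only) can be sketched outside Wireshark. The following is an added example, not part of the original thread and not MATE or Wireshark code; the record fields (`dir`, `tunnel`, `req_tid`, `rep_tid`, `req_index`) and the sample packets are constructed assumptions, and only `frame.number` is a real display filter field.

```python
# Constructed sample capture. "dir" is "req" (requester -> responder) or "rep".
# "tunnel" is the identifier the packet is tunneled with (None for packet A).
PACKETS = [
    {"no": 1, "dir": "req", "tunnel": None, "req_tid": 0x10, "req_index": 7},  # A
    {"no": 2, "dir": "rep", "tunnel": 0x10, "rep_tid": 0x99},                  # B
    {"no": 3, "dir": "req", "tunnel": 0x99},                                   # C
    {"no": 4, "dir": "rep", "tunnel": 0x10},                                   # D
    # Second session using the same numeric IDs in the opposite directions:
    # legal, because tunnel identifiers are unique in a single direction only.
    {"no": 5, "dir": "req", "tunnel": None, "req_tid": 0x99, "req_index": 8},  # A'
    {"no": 6, "dir": "rep", "tunnel": 0x99, "rep_tid": 0x10},                  # B'
    {"no": 7, "dir": "req", "tunnel": 0x10},                                   # C'
    {"no": 8, "dir": "rep", "tunnel": 0x99},                                   # D'
]


def correlate(packets):
    """Return {requestIndex: [packet numbers]} by following tunnel identifiers."""
    session_of = {}  # (direction the ID is used in, tunnel ID) -> requestIndex
    sessions = {}
    for p in packets:
        if "req_index" in p:
            # Packet A: replies will be tunneled with its request tunnel ID.
            idx = p["req_index"]
            session_of[("rep", p["req_tid"])] = idx
        else:
            idx = session_of.get((p["dir"], p["tunnel"]))
            if idx is None:
                continue  # setup not captured; packet cannot be attributed
            if "rep_tid" in p:
                # Packet B: later requests will be tunneled with the reply ID.
                session_of[("req", p["rep_tid"])] = idx
        sessions.setdefault(idx, []).append(p["no"])
    return sessions


def display_filter(packets, request_index):
    """Build a display filter selecting every packet of one session."""
    nums = correlate(packets).get(request_index, [])
    return " || ".join(f"frame.number == {n}" for n in nums)


if __name__ == "__main__":
    print(correlate(PACKETS))
    print(display_filter(PACKETS, 7))
```

Keying the lookup on the direction as well as the identifier is what keeps the two sample sessions apart even though both use the values 0x10 and 0x99.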
                                          
